TikTok could face a £27m fine for failing to protect children's privacy when they're using the platform.
The UK's Information Commissioner's Office (ICO) found the video-sharing platform may have processed the data of under-13s without appropriate consent.
The watchdog said the breach happened over more than two years - until July 2020 - but that it had not yet drawn final conclusions.
TikTok says it disputes the findings, noting that they are "provisional".
The ICO has issued TikTok Inc and TikTok Information Technologies UK Limited with a "notice of intent" - a legal document which precedes a potential fine.
The notice sets out the ICO's provisional view that TikTok breached UK data protection law between May 2018 and July 2020.
The ICO investigation found the social platform may have:
- processed the data of children under the age of 13 without appropriate parental consent
- failed to provide proper information to its users in a concise, transparent and easily understood way
- processed special category data, without legal grounds to do so
According to Ofcom, 44% of eight to 12-year-olds in the UK use TikTok, despite its policies forbidding under-13s on the platform.
Information Commissioner John Edwards said: "We all want children to be able to learn and experience the digital world, but with proper data privacy protections.
"Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement."
TikTok has rolled out a number of features to strengthen privacy and safety on the site - including allowing parents to link their accounts to their children's, and disabling direct messaging for under-16s.
But Mr Edwards continued: "I've been clear that our work to better protect children online involves working with organisations, but will also involve enforcement action where necessary.
"In addition to this, we are currently looking into how over 50 different online services are conforming with the Children's Code, and have six ongoing investigations looking into companies providing digital services who haven't, in our initial view, taken their responsibilities around child safety seriously enough."
Rolled out in September last year, the Children's Code put in place new data protection codes of practice for online services likely to be accessed by children, built on existing data protection laws, with financial penalties a possibility for serious breaches.
The ICO said its findings in the notice were provisional, with no conclusion to be drawn at this stage that there had been any breach of data protection law.
It added: "We will carefully consider any representations from TikTok before taking a final decision."
A TikTok spokesperson said: "This notice of intent, covering the period May 2018-July 2020, is provisional and as the ICO itself has stated, no final conclusions can be drawn at this time.
"While we respect the ICO's role in safeguarding privacy in the UK, we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course."
In 2019, the firm was given a record $5.7m fine by the Federal Trade Commission, for mishandling children's data.
It has also been fined in South Korea for similar reasons.
In July, the US Senate Commerce Committee voted to approve a measure that would raise the age up to which children are given special online privacy protections to 16, and prohibit targeted advertising to children without consent.
Follow Shiona McCallum on Twitter @shionamc