TikTok could face a fine of 27 million pounds – about $29 million — over allegations of violating the United Kingdom’s children’s data privacy protection standards, a U.K. agency said Monday.

The Information Commissioner’s Office (ICO) found the video-sharing platform may have processed the data of under-13s without appropriate parental consent, and failed to provide proper information to its users in a transparent way.

According to the watchdog, the breach happened over more than two years, until July 2020, but that it had not yet drawn final conclusions.

ICO has issued TikTok and TikTok Information Technologies UK Ltd with a “notice of intent”, the regulator said in a statement.

“Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement,” Information Commissioner John Edwards said.

“In addition to this, we are currently looking into how over 50 different online services are conforming with the Children’s Code, and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough,” he added.

Rolled out in September last year, the Children’s Code put in place new data protection codes of practice for online services likely to be accessed by children, built on existing data protection laws, with financial penalties a possibility for serious breaches.