TikTok is an immensely popular social media app with over 1 billion monthly active users, more than Twitter and Instagram combined. This short-form video sharing platform allows users to create and share 15- to 60-second videos, often involving dancing, comedy, or lip-syncing. However, behind TikTok’s fun and trendy exterior are growing concerns about privacy and data collection practices.
Data Collection
TikTok collects a vast amount of personal user data, often without users’ explicit consent. This includes location data, messages, contacts, and browsing history. As reported by NPR, “TikTok collects a lot of data. Usernames, birthdays, browsing data and – crucially – the device’s identification codes and IP address.”
Specifically, TikTok accesses users’ location, messages, call log, contacts, and calendar. It can turn on the microphone and camera at any time to record users. TikTok also collects browsing history and data from linked social media accounts. According to the Cyber Independent Security Evaluation organization, “The data TikTok collects from users contains sensitive information and is often taken without the user’s explicit knowledge.”
Much of this data collection happens behind the scenes, without users realizing the extent of data access granted to TikTok. This massive amount of personal data collected poses significant privacy risks.
Data Sharing
TikTok has faced scrutiny over who it shares user data with. According to Norton, TikTok shares data with third-party trackers and partners, including large technology companies like Facebook and Google as well as Chinese firms like ByteDance (TikTok’s parent company) and Tencent [1]. There are concerns that TikTok may be required to share data with the Chinese government under Chinese law, although TikTok claims it stores U.S. user data in the U.S. and Singapore. However, cybersecurity experts argue that even if the data is stored outside of China, the Chinese government could still potentially access it [2]. Overall, TikTok’s data sharing practices, particularly with Chinese entities, raise user privacy issues.
Lack of Transparency
TikTok has been criticized for having a vague privacy policy that lacks clarity around its data practices.[1] The company’s privacy policy spans thousands of words, but provides little insight into how much data is being collected and how it is used. As an example, the policy states that TikTok may collect information like search history and location data, but does not specify for what purposes this data is used.
In August 2020, President Trump issued an executive order stating that TikTok’s data collection “threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information.”[1] Part of the concern stems from the lack of transparency around what types of data TikTok collects and shares with its parent company ByteDance, which is based in China and subject to Chinese law.
TikTok claims that U.S. user data is stored separately from other ByteDance products and not subject to Chinese law. However, cybersecurity experts have questioned whether technical measures are in place to prevent access to U.S. data by ByteDance. Without more transparency from TikTok on its data practices, users cannot fully evaluate potential privacy risks.
Children’s Privacy
TikTok has faced scrutiny for violating privacy laws designed to protect children. Most notably, the app has been found to violate the U.S. Children’s Online Privacy Protection Act (COPPA), which prohibits websites and apps from collecting personal data on users under 13 without parental consent.
In January 2022, TikTok agreed to pay $92 million to settle accusations by the Federal Trade Commission that it had illegally collected personal information from children under the age of 13. The FTC found that TikTok had knowingly allowed kids under 13 to use the app and had failed to obtain parental consent before collecting names, email addresses, and other data.
The UK’s data protection watchdog issued a £5.7 million fine to TikTok in April 2023 for similar COPPA violations affecting millions of UK children. Investigators determined TikTok allowed kids under 13 to maintain live public accounts, despite age assurance mechanisms being in place.
In September 2022, EU regulators announced a €345 million fine against TikTok after finding the company had violated GDPR rules related to processing data of children. The regulators found TikTok made the accounts of children aged 13 and younger public by default, allowing anyone to view profile information and videos without consent.
Ad Targeting
TikTok targets users with personalized ads based on the extensive data it collects from user activity on its platform. The app doesn’t just benefit from its own data collection, but also shares data with parent company ByteDance to develop detailed user profiles for ad targeting. For example, TikTok can determine users’ interests and habits through their liked videos, followed accounts, comments, and more. TikTok then uses this data to serve users targeted ads that align with their inferred interests and demographics.
Advertisers on TikTok have access to an array of targeting options to reach their desired audience demographics and interests. TikTok provides options to target users by location, gender, age, interests, behaviors, and more. The platform’s advanced targeting capabilities allow brands to home in on specific user segments and serve them tailored ads. This raises concerns about how much personal data TikTok collects and shares to enable its ad targeting.
TikTok’s ad targeting practices have prompted criticism and investigations over privacy violations. Some argue its granular targeting based on extensive data collection creates a surveillance advertising system without users’ informed consent. TikTok discloses some ad targeting practices in its privacy policy but lacks transparency about the full extent of data it uses. Overall, TikTok’s ad targeting exemplifies how the platform can leverage user data in concerning ways.
Algorithm Manipulation
The TikTok algorithm decides which videos to show each user based on their interests and engagement. However, the algorithm can be manipulated in concerning ways:
Influencers and brands can pay TikTok to promote their content to more users through advertising. This allows them to artificially inflate engagement and views. TikTok has been criticized for not properly disclosing when views come from paid ads versus organic users (German Ocampo).
The algorithm often pushes content that is outrageous or emotionally manipulative, even if it’s misinformation. Sensationalist content generates more engagement, so the algorithm shows it more. This could skew a user’s worldview (Reddit).
TikTok employees in China have access to US user data and can manipulate what people see. There are concerns the platform could be used to spread political propaganda or influence elections (Crunchbase).
In summary, the opaque TikTok algorithm can be gamed to promote certain content, without users realizing why they’re seeing it. This raises concerns about how it could impact public discourse or be abused.
Security Issues
TikTok has faced criticism over vulnerabilities in its app that could expose user data. In 2022, cybersecurity researchers discovered bugs that allowed hackers to manipulate user accounts and expose personal information (Kaspersky). Another vulnerability discovered in early 2023 allowed attackers to retrieve private short videos stored on TikTok servers (Fordham University). These vulnerabilities demonstrate weaknesses in TikTok’s security protections and raise concerns about the privacy of user data. Poorly secured systems could enable malicious actors to gain access to sensitive information like users’ locations, emails, phone numbers and private videos.
Lack of Accountability
TikTok has faced criticism for its lack of accountability to users and regulations. Despite having over 1 billion monthly active users, TikTok provides limited transparency into its data practices and content moderation decisions (CNN, 2022).
TikTok does not disclose the full extent of user data it collects, raising concerns about profiling and surveillance (Gilliland, 2022). The company has failed to provide adequate notice and consent around data usage, violating privacy laws like the EU’s GDPR (Reuters, 2022).
The platform remains largely unaccountable for the content it promotes through its powerful recommendation algorithm (Newton, 2022). TikTok has been accused of amplifying dangerous challenges, misinformation, and other objectionable content (Paul, 2021). However, the company provides little visibility into how its algorithms actually work.
TikTok is not subject to the same content moderation transparency requirements as platforms like Facebook, Twitter and YouTube (FCC, 2022). The company does not provide detailed reports on removed content or allow independent auditing of its practices (Newton, 2022).
US lawmakers have repeatedly cited TikTok’s lack of accountability and potential national security risks in proposing restrictions on the app (BBC, 2022). However, TikTok maintains it stores US user data in the US and Singapore and does not share data with China (TikTok, 2020). The company opened a “Transparency Center” in early 2023 but critics say more oversight is still needed (Vox, 2023).
What Users Can Do
There are several steps TikTok users can take to better protect their privacy on the platform:
Review privacy settings. TikTok has privacy settings that allow users to make their account private, limit data sharing, and restrict comments. Adjust these settings to limit how much personal data is visible.
Be selective in sharing personal data. Avoid sharing private details like your real name, birthdate, location, and contact info. Also be cautious about showing identifiable locations, workplaces, or schools.
Limit access to phone contacts. TikTok may request access to your contacts to find friends. Deny access unless there is a strong reason to enable it.
Read privacy policies. Understand TikTok’s data practices by reading its privacy policy. Look for concerning practices like data retention, third-party sharing, and targeted advertising.
Be mindful of content. Consider the privacy risks before posting personal content, especially regarding minors. Recognize that content, once posted, may be difficult to remove.
Use security features. Enable two-factor authentication and use strong passwords to secure your account. Be careful about clicking suspicious links, which may compromise your account.
Monitor account activity. Periodically check privacy settings, connected apps, location tracking, and ad interests to watch for unauthorized changes.
Be cautious sharing with children. Closely supervise minors’ use of TikTok and utilize family safety modes like screen time limits and restricted mode.
Taking privacy precautions lets you enjoy TikTok more responsibly and with greater peace of mind.