This is part of my privacy review series. If you’d like to see reviews of more companies, check them out here.
I took a quick pass through TikTok’s privacy policy a month ago and didn’t think much of it. They collect a lot of data and are very transparent about it just like many other companies. But then I reread the privacy policy more slowly looking for possible privacy issues and I literally said, “Uh-oh” as I read it.
So many tech-savvy individuals are very outspoken about TikTok being a privacy nightmare, yet the app has over 3.5 billion downloads. Almost banned in the United States due to privacy practices, TikTok has been heavily critiqued not only for the data gathering and usage policies described in its privacy policy, but also for being under the thumb of the Chinese government. There are more than just privacy policy considerations in play here, but I’m going to start by walking through TikTok’s privacy policy. Let’s see if TikTok belongs on your phone.
What data does TikTok collect?
TikTok collects as much information about you as they can from your usage of their platform. This is pretty normal for a social media service. What isn’t normal is aggregating data from other sources as seen in the quotes below (styling added):
We may collect information from and about you, including information that you provide, information from other sources, and automatically collected information.
We may obtain information about you from certain affiliated entities within our corporate group, including about your activities on their platform.
We may collect information about you from other publicly available sources.
This is incredibly concerning. TikTok actively seeks information about you from your usage of their platform and from anywhere else they can find information about you. Think about it this way: anything that can be Googled about you or that you’ve posted on social media may be stored and used by TikTok. Considering Chinese companies are forced to work with the Chinese government, there’s a very real possibility that TikTok is being used to gather information to help build China’s social credit system.
China associates their citizens with a social credit number the government can use to provide certain privileges. This social credit system gives the Chinese government immense power over individual citizens. With TikTok, the Chinese government can extend this system beyond just China.
“So what? I don’t live in China so their social credit score can’t affect me, right?” Not quite. There are studies showing that TikTok serves content differently depending on geographic location. For example, Chinese TikTok users are often fed more educational content than US counterparts. TikTok itself has even confirmed that employees will hand-pick the content they want to go viral, including suppressing certain subjects such as anti-China content. If you use TikTok, you’re already being influenced by the Chinese government.
Now think about the information TikTok can collect from a user: audio and video recordings, GPS location, interests, direct messages, and more. Is this something we want in the hands of the Chinese government?
Does TikTok sell user data?
Technically no. It isn’t selling if they give it away. TikTok gives user information to payment processors, customer support providers, researchers, advertising vendors, and anyone needed to “perform business operations”:
We share the categories of personal information listed above with service providers and business partners to help us perform business operations and for business purposes…
This may seem harmless, but the vague wording gives TikTok a lot of freedom to share information as it deems necessary. They also state they “are not responsible for the privacy practices of [their] service providers and business partners”, so even TikTok claims not to know how your data is being used or sold.
How does TikTok use your data?
TikTok is transparent about using your data for anything they need it for. There’s a long list of these usages, all vaguely worded, but all pertaining to the platform in some way. The list ends with this usage, stating they use your data:
For any other purposes disclosed to you at the time we collect your information or pursuant to your consent.
This might not seem like a big deal, but they’re basically saying: We’ll use your data for only the things in this policy and anything else we feel like adding later. This is why it’s important to read popups on apps and webpages.
Does TikTok give me control over my data?
You may submit a request to know, access, correct or delete the information we have collected about you at https://www.tiktok.com/legal/report/privacy. You may appeal any decision we have made about your request by following the instructions in the communication you receive from us notifying you of our decision.
This seems like an avenue for users to delete their information from TikTok’s databases, but I’ve never seen a privacy policy mention this and immediately follow it up with information about an appeals process as if you’re expected to be denied your request to remove your data from the platform. Later in the privacy policy, it states:
Users of the Platform who are California residents and are under 18 years of age may request and obtain removal of User Content they posted by contacting us at: https://www.tiktok.com/legal/report/privacy.
I know this is specifically added to the policy due to California laws, but it shouldn’t be necessary because everyone should be able to do this. The wording of the entire “Rights” section of the privacy policy makes me feel like it’s there because it has to be—not because you have any rights at all.
Does TikTok store your data safely?
Another section of the privacy policy that seems like it’s there only because it has to be is the “Data Security” section. Here’s the first paragraph of the section:
We use reasonable measures to help protect information from loss, theft, misuse, unauthorized access, disclosure, alteration, or destruction. You should understand that no data storage system or transmission of data over the Internet or any other public network can be guaranteed to be 100 percent secure.
“Reasonable” security measures aren’t it. The second sentence of the security section even claims data isn’t safe. I’ve never seen a privacy policy so blatant about user data not being in good hands.
Does TikTok handle data according to privacy laws?
Their privacy policy makes it seem like they do; however, there isn’t a section of the privacy policy dedicated to local laws and regulations like I’ve seen in other privacy policies so it’s a bit difficult to tell. My guess is they do the bare minimum local regulations require to mitigate the risk of being sued or banned in certain regions.
Their history, however, tells a different story. TikTok got fined $370 million by the European Union recently for not properly safeguarding children and their data. They were fined for:
Defaulting the profiles of children under the age of 18 to “public” causing their data to be automatically shared with other users.
Not taking proper precautions to keep children from bypassing age restrictions.
Using “dark patterns” to push users toward more privacy-intrusive options when setting up their account and posting videos.
This fine follows two previous fines TikTok has faced related to protecting children on social media platforms:
A $15.8 million fine for allowing children under the age of 13 to sign up for the platform.
A $5.7 million fine by the United States Federal Trade Commission for violating US data protection rules for children.
Is TikTok trustworthy?
No. I don’t usually answer this question definitively because I try to be objective, but in this case I think this answer is objective.
If the information above regarding TikTok’s privacy policy or the information above about sharing data with the Chinese government isn’t convincing, here are a few more reasons you might not want to trust TikTok on your phone:
TikTok collects data on people even if they haven’t signed up for an account and links it to their other social profiles so they know who’s watching videos. This means all of the information mentioned above may apply to you even if you’ve only opened a TikTok link.
The TikTok app was reverse engineered and it was determined TikTok’s data gathering goes as far as attempting to figure out what other apps are installed on a user’s phone. The app was created to make reverse engineering difficult and analytics requests are encrypted to make it difficult to know exactly what information TikTok is collecting about users.
This reverse engineering also showed that TikTok collects mountains of data compared to other social media apps. It blows my mind that people delete Facebook because they feel it violates their privacy but leave TikTok installed.
The person who reverse engineered TikTok described TikTok really well: TikTok is malware targeted primarily toward children. TikTok isn’t a social media app—it’s a data collection app.
I’m assuming most people don’t fully understand what it means to have TikTok downloaded on their phone, so I’m hoping this overview helps. If I missed anything or something is misstated, let me know.
TikTok is a privacy nightmare that I won’t touch - and at work, we are strongly recommended to not install the app on any personal devices. Some of the wording is a little vague, but technically statutorily compliant (especially in the EU).
The disclaimer about data deletion, rectification and disclosure “approvals” isn’t actually quite as nefarious as it seems. GDPR has stipulations that data subjects can only exercise their rights insofar as doing so doesn’t violate someone else’s rights. So it’s conceivable that a data deletion request could result in the unintentional deletion of another user’s data. But it’s actually more common that access or rectification have potential privacy rights violations and have to be adjudicated to some extent before responding.
NOW, as to whether TikTok abuses that adjudication process outside of CA and EU I can’t say. But if they did and were caught doing so, they could be sued by the FTC under Section 5 - unfair and deceptive business practices.