TikTok is a privacy nightmare that I won’t touch - and at work, we are strongly recommended to not install the app on any personal devices. Some of the wording is a little vague, but technically statutorily compliant (especially in the EU).
The disclaimer about data deletion, rectification and disclosure “approvals” isn’t actually quite as nefarious as it seems. GDPR has stipulations that data subjects can only exercise their rights insofar as doing so doesn’t violate someone else’s rights. So it’s conceivable that a data deletion request could result in the unintentional deletion of another users data. But it’s actually more common that access or rectification have potential privacy rights violations and have to be adjudicated to some extent before responding.
NOW, as to whether TikTok abuses that adjudication process outside of CA and EU I can’t say. But if they did and were caught doing so, they could be sued by the FTC under Section 5 - unfair and deceptive business practices.
What’s an example of deleting personal user data that would result in the deletion of another user’s data? In my mind, storage should be set up so this is never the case.
I don't think its super common, but the places it would happen would be like where Data Subject A puts out a deletion request, and they have content specifically about Data Subject B that is associated to Data Subject B.
For example: I, as a parent, have an account on a website that allows my children to also have an account as long as they are associated to me. Time passes, and I, the parent want to delete my account but doing so would delete also delete my child's account, and my child is now 18 and may or may not want their account to be deleted. In this case, the deletion of the parent's account always means the deletion of the child's account. In most cases, where the child is below 18, no consent is required because the contract/agreement lies with the parent. However, once the child turn's 18 and can legally be bound themselves, the parent could be blocked from deleting the account because it would delete the now 18year old child's account.
It's somewhat of a contrived example, I grant and requires some poor architectural choices to end up in that state, but it's at least *feasible* if not especially plausible.
TikTok is a privacy nightmare that I won’t touch - and at work, we are strongly recommended to not install the app on any personal devices. Some of the wording is a little vague, but technically statutorily compliant (especially in the EU).
The disclaimer about data deletion, rectification and disclosure “approvals” isn’t actually quite as nefarious as it seems. GDPR has stipulations that data subjects can only exercise their rights insofar as doing so doesn’t violate someone else’s rights. So it’s conceivable that a data deletion request could result in the unintentional deletion of another users data. But it’s actually more common that access or rectification have potential privacy rights violations and have to be adjudicated to some extent before responding.
NOW, as to whether TikTok abuses that adjudication process outside of CA and EU I can’t say. But if they did and were caught doing so, they could be sued by the FTC under Section 5 - unfair and deceptive business practices.
What’s an example of deleting personal user data that would result in the deletion of another user’s data? In my mind, storage should be set up so this is never the case.
I don't think its super common, but the places it would happen would be like where Data Subject A puts out a deletion request, and they have content specifically about Data Subject B that is associated to Data Subject B.
For example: I, as a parent, have an account on a website that allows my children to also have an account as long as they are associated to me. Time passes, and I, the parent want to delete my account but doing so would delete also delete my child's account, and my child is now 18 and may or may not want their account to be deleted. In this case, the deletion of the parent's account always means the deletion of the child's account. In most cases, where the child is below 18, no consent is required because the contract/agreement lies with the parent. However, once the child turn's 18 and can legally be bound themselves, the parent could be blocked from deleting the account because it would delete the now 18year old child's account.
It's somewhat of a contrived example, I grant and requires some poor architectural choices to end up in that state, but it's at least *feasible* if not especially plausible.