Overview
TikTok is a short-form video social media platform owned by ByteDance, a Chinese technology conglomerate valued at over $220 billion. The app has grown from its 2017 international launch to over 1.7 billion monthly active users worldwide, with approximately 170 million users in the United States alone. TikTok has become the dominant social media platform for users under 30 and one of the most downloaded apps in history.
ByteDance, founded by Zhang Yiming in 2012 in Beijing, operates TikTok's Chinese counterpart Douyin (which has a separate codebase and content ecosystem subject to Chinese content regulations) alongside news aggregator Toutiao and other products. ByteDance employs over 110,000 people globally and operates the recommendation algorithm that powers both TikTok and Douyin, the same core AI engine trained on data from both platforms.
The Jurisdiction Question
TikTok's central privacy concern is its ownership by a Chinese company subject to Chinese national security laws:
- China's National Intelligence Law (2017) requires organizations to "support, assist, and cooperate with national intelligence work" when requested by the state. Legal scholars debate the law's extraterritorial reach, but its existence creates a structural risk that Chinese intelligence services could compel ByteDance to share data or manipulate the platform's algorithm.
- China's Data Security Law (2021) and Personal Information Protection Law (2021) govern data handling within China but contain national security exceptions that could override user protections.
- China's Counter-Espionage Law (2023 amendment) broadened the definition of espionage to include data-related activities, further expanding the legal basis for government data access.
TikTok has attempted to address these concerns through "Project Texas," a $1.5 billion initiative to store U.S. user data exclusively on Oracle's cloud infrastructure with access controls managed by a dedicated entity, TikTok U.S. Data Security (USDS). However, critics argue this does not address algorithmic manipulation risks or fully sever data flows to ByteDance.
Data Collection Practices
TikTok collects an extensive range of user data comparable to other major social platforms, with additional concerns arising from the granularity of behavioral data captured by its algorithm and the opacity of data flows to ByteDance.
Content and Behavioral Data
TikTok's recommendation algorithm, widely regarded as the most sophisticated content recommendation system in consumer technology, requires granular behavioral inputs:
- Watch time and engagement patterns: How long users watch each video, whether they rewatch, when they scroll past, and what causes them to stop scrolling
- Content interaction: Likes, comments, shares, follows, and saves
- Content creation: Videos, audio, text, effects used, and editing patterns
- Search history and browsing patterns within the app
- Direct messages (not end-to-end encrypted by default)
The algorithm's effectiveness depends on building detailed psychographic profiles of users, mapping interests, emotional responses, and behavioral patterns with a precision that exceeds traditional social media platforms.
Device and Technical Data
TikTok collects extensive device information including:
- Device identifiers (IMEI, advertising ID, serial number)
- Operating system and version
- Keystroke patterns and rhythms (disclosed in privacy policy)
- Clipboard content (caught accessing clipboard data on iOS in 2020 after Apple's clipboard access notifications exposed the behavior)
- Network information including WiFi SSID and local IP addresses
- GPS location data, SIM card information, and carrier details
- Battery state, audio settings, and connected devices
Biometric Data
TikTok's privacy policy discloses collection of "faceprints and voiceprints" from user-generated content. In 2021, TikTok agreed to a $92 million class-action settlement in Illinois for collecting biometric data in violation of the Biometric Information Privacy Act (BIPA) without informed consent.
Children's Data
TikTok has faced persistent criticism and enforcement action regarding children's data:
- In 2019, Musical.ly (TikTok's predecessor, acquired by ByteDance in 2017) agreed to a $5.7 million FTC settlement, at the time the largest COPPA penalty, for illegally collecting personal information from children under 13.
- In 2023, the FTC referred an updated complaint alleging ongoing COPPA violations to the DOJ, claiming TikTok continued to collect children's data despite the prior settlement.
- The UK's ICO fined TikTok GBP 12.7 million in 2023 for processing children's data without appropriate consent.
Project Texas and Data Residency
TikTok launched "Project Texas" in 2022, partnering with Oracle to store U.S. user data on American soil. The initiative includes:
- Migration of U.S. user data to Oracle Cloud Infrastructure
- Establishment of USDS (U.S. Data Security), a separate entity with independent governance
- Third-party code auditing by Oracle
However, internal communications reported by Forbes revealed that ByteDance employees in China accessed U.S. user data on multiple occasions, including to track the locations of specific American journalists investigating TikTok. These revelations undermined confidence in the effectiveness of data segregation measures.
Known Clients & Government Contracts
TikTok's primary commercial relationships are with advertisers, but the company's relationship with the Chinese government through ByteDance creates a unique category of concern.
ByteDance and the Chinese Communist Party
ByteDance maintains a Chinese Communist Party committee within the company, as is standard for large Chinese technology firms. The CCP committee's role includes ensuring the company's alignment with party objectives.
In 2018, ByteDance's Douyin and Toutiao platforms were publicly criticized by Chinese regulators for hosting content deemed inappropriate, leading to temporary shutdowns and an apology from CEO Zhang Yiming, who pledged to strengthen content aligned with "core socialist values." Zhang subsequently stepped down as CEO in 2021.
ByteDance complies with Chinese content moderation requirements on Douyin, including censorship of content related to Tiananmen Square, Tibet, Uyghur issues, and other politically sensitive topics. The question is whether this compliance culture and these technical capabilities could be applied to TikTok's international platform.
Advertising Platform
TikTok's advertising business generates an estimated $20+ billion in annual revenue globally. The platform offers sophisticated advertising targeting based on user behavior, interests, demographics, and device data. TikTok's advertising infrastructure collects data from third-party websites and apps through its tracking pixel, comparable to Meta's Pixel and Google's advertising tags.
Government Use and Bans
Multiple governments have taken action against TikTok:
- India banned TikTok and 58 other Chinese apps in June 2020 following border clashes with China, affecting approximately 200 million Indian TikTok users, the largest single-country ban.
- U.S. government devices were banned from running TikTok under the No TikTok on Government Devices Act (December 2022).
- European Commission, UK Parliament, Canadian government, and Australian government devices similarly banned TikTok in 2023.
- Montana passed the first U.S. state-level TikTok ban in 2023, later blocked by a federal judge on First Amendment grounds.
Privacy Incidents & Litigation
U.S. Ban Legislation (2024)
The Protecting Americans from Foreign Adversary Controlled Applications Act, signed into law in April 2024 as part of a foreign aid package, required ByteDance to divest TikTok's U.S. operations within 270 days or face a nationwide ban. The Supreme Court upheld the law in January 2025, finding that national security concerns justified the restriction on speech.
TikTok briefly went dark in the U.S. before a temporary executive order delayed enforcement, with ongoing negotiations over a potential sale to American buyers. The saga highlighted unprecedented tensions between free expression, national security, and foreign technology ownership.
Forbes Journalist Tracking (2022)
Forbes reported in December 2022 that ByteDance employees used TikTok data to track the physical locations of American journalists covering the company, including a Forbes reporter. ByteDance confirmed the surveillance occurred, terminated the employees involved, and acknowledged it was an abuse of data access. However, the incident demonstrated that despite Project Texas assurances, ByteDance employees in China had access to granular U.S. user location data.
Internal Audit Revelations
A 2022 series of leaked audio recordings from internal TikTok meetings, reported by BuzzFeed News, revealed that:
- U.S. user data was routinely accessed from China ("Everything is seen in China")
- Engineers in Beijing had access to U.S. user data through internal tools
- Data residency controls were incomplete and governance frameworks were still under development
These recordings contradicted TikTok's public statements to Congress that U.S. data was stored on American servers with strict access controls.
BIPA Settlement (2021)
TikTok agreed to a $92 million class-action settlement over allegations of collecting biometric facial and vocal data from Illinois users without the informed consent required by the Biometric Information Privacy Act.
Children's Privacy (Ongoing)
The FTC's 2023 referral of TikTok to the DOJ for ongoing COPPA violations alleged that TikTok continued to collect data from children under 13 despite the 2019 Musical.ly settlement. The complaint documented TikTok's failure to delete children's data as required and the persistence of underage users on the platform despite nominal age restrictions.
EU GDPR Enforcement
Ireland's Data Protection Commission (DPC), as TikTok's lead EU supervisory authority, opened multiple investigations:
- A 2023 fine of EUR 345 million for processing children's personal data, including default public account settings for minors
- Ongoing investigations into data transfers to China under GDPR's Chapter V restrictions
- Investigation into TikTok's compliance with GDPR transparency requirements
Threat Score Analysis
TikTok receives a composite threat score of 76/100, reflecting the combination of extensive data collection, Chinese jurisdiction risk, and documented data governance failures:
- Data Collection (88/100): TikTok collects data comparable in breadth to Meta and Google: behavioral patterns, device identifiers, biometric data, keystroke patterns, clipboard content, and location information. The platform's recommendation algorithm requires granular psychographic profiling that maps users' interests, emotional triggers, and behavioral patterns. The collection of "faceprints and voiceprints" adds a biometric surveillance dimension.
- Third-Party Sharing (78/100): TikTok's advertising platform monetizes user behavioral data at scale. The documented access to U.S. user data by ByteDance employees in China, including the tracking of journalists, demonstrates that data flows to the parent company despite public assurances. The structural risk of compelled data sharing under China's National Intelligence Law elevates this score beyond what the documented practices alone would warrant.
- Breach History (60/100): TikTok has not suffered a catastrophic data breach comparable to Meta's Cambridge Analytica or the 533 million user leak. However, the documented unauthorized access to journalist location data, the leaked internal audio revealing routine China-based access to U.S. data, and the persistent COPPA violations demonstrate systemic data governance failures.
- Government Contracts (65/100): TikTok does not function as a traditional government contractor. However, ByteDance's compliance with Chinese government content moderation requirements, the presence of a CCP committee within the company, and the structural obligations under China's National Intelligence Law create a de facto government relationship that distinguishes TikTok from Western social media companies. The Indian ban cited national security, and the U.S. ban legislation was upheld by the Supreme Court on national security grounds.
- Transparency (45/100): TikTok publishes transparency reports and has invested heavily in Project Texas and public-facing trust and safety communications. However, internal practices have repeatedly contradicted public statements; the "Everything is seen in China" recordings, the journalist tracking incident, and the persistent gap between stated data segregation policies and actual data access patterns undermine the credibility of transparency efforts.
Weighted calculation: (88 * 0.25) + (78 * 0.25) + (60 * 0.20) + (65 * 0.15) + (45 * 0.15) = 22 + 19.5 + 12 + 9.75 + 6.75 = 70, adjusted to 76 due to the unique structural risk of Chinese government data access under the National Intelligence Law and the Supreme Court's national security determination.
Transparency & Accountability
TikTok has invested more heavily in transparency infrastructure than most companies of comparable scrutiny, but these efforts have been repeatedly undermined by revelations that internal practices do not match public commitments.
Project Texas Limitations
The $1.5 billion Project Texas initiative represents the most expensive data residency project undertaken by any social media company. However, critics identify fundamental limitations:
- Data residency does not address algorithmic manipulation: the recommendation algorithm itself is a vector for influence, and its training on combined TikTok/Douyin data means Chinese-developed AI systems drive content delivery to American users
- Oracle's role as a "trusted technology provider" does not give Oracle access to the algorithm's logic
- Historical data that was accessed from China cannot be retroactively protected
- The USDS governance structure reports to TikTok's corporate hierarchy, which reports to ByteDance
Congressional Testimony
TikTok CEO Shou Zi Chew testified before Congress in March 2023, facing hostile questioning from both parties. Chew's repeated assurances about data security were directly contradicted by the leaked internal audio and the journalist tracking revelations that preceded and followed his testimony.
Transparency Reports
TikTok publishes semi-annual transparency reports detailing government data requests, content removal actions, and enforcement statistics. These reports are generally comparable in scope to those published by Western social media platforms. However, the reports do not address the core concern: the nature and extent of data flows to ByteDance and the potential for Chinese government access.
Structural Accountability Gap
The fundamental accountability challenge with TikTok is structural rather than behavioral. Even if TikTok operates with perfect data governance today, the legal framework of Chinese national security law creates a latent risk that cannot be mitigated through corporate policy alone. This structural concern, validated by the U.S. Supreme Court, distinguishes TikTok from Western social media companies that operate under legal systems with independent judicial oversight of government data requests.
The divestiture debate encapsulates this tension: the only way to fully address the jurisdictional risk is to sever TikTok from ByteDance, but such a separation would require transferring the recommendation algorithm, ByteDance's most valuable intellectual property, which China's export control laws may prohibit.