7 March 2024

TikTok goes the regulatory clock

Ashleigh Smith

elevenM’s Ashleigh Smith brings us up to date on TikTok’s history with privacy regulatory action and looks at some of the new and recurring issues that are currently unfolding.

It seems that TikTok (maybe you’ve heard of it) is constantly in the news. The social media platform (which allows users to post, share and comment on short videos) launched internationally in 2017, and since then has seen explosive growth and is now the 6th largest social media platform in the world (by active monthly users).

TikTok is no stranger to controversy — it has repeatedly caught the attention of regulators around the world in relation to (among other things) how it collects, uses and shares personal information about its users. And of course, the regulatory issues surrounding TikTok are made more complex by the fact that it is owned by a Chinese company (ByteDance), which has been accused of having connections to the Chinese Government and which may be required to share information with Chinese government intelligence agencies. Previous concerns about connections to Chinese intelligence agencies have led some governments to ban the app on official devices, with those fears feeding into an increasingly tense US-China relationship.

Most recently, the Office of the Australian Information Commissioner has launched an inquiry into whether TikTok has harvested the private contact information, browsing history and shopping habits of Australian internet users without consent. In late December 2023, the OAIC opened an inquiry into the usage of marketing pixels that scrape information about people who do not have the app installed.

How social media platforms collect and use personal information is, and will continue to be, both contentious and important in the international regulatory space, so it’s worth taking the time to understand TikTok’s impact in this regard.

How does TikTok track users and why?

TikTok’s “Pixel” is a marketing tool that website owners can use to understand more about visitors to their website – it also allows TikTok to track individuals’ web browsing and collect their personal information in a similar manner to a web cookie, even if those individuals don’t have a TikTok account. It is worth noting that the TikTok pixel is not unique – Google, Meta and other companies use the same or similar technologies to build up a picture of individuals’ browsing habits, generally to re-target campaigns and deliver more relevant advertising.

A recent audit revealed that many major Australian companies and organisations have deleted TikTok’s tracking pixel to proactively protect the privacy of their customers. These include Network 10, Bunnings, Vodafone, Mitre10, Total Tools and Nimble.

…So, what’s the problem?

As we can see from the regulatory timeline below, TikTok’s practice appears to be broader in how it scrapes data, and it seems to do so without obtaining user consent. Additionally, TikTok’s Beijing-based parent company ByteDance may be sharing this information with other Chinese corporations and the Chinese government.

TikTok have stated that the use of marketing pixels is compliant with all current Australian privacy laws and regulations and have dismissed any suggestions of wrongdoing. They have branded the accusations as an attempt to mislead or scare companies without regard to current law or the information available.

A timeline of regulatory scrutiny

TikTok has been under scrutiny in the privacy space more-or-less since inception. As well as data breaches (and data breach scares), the company has repeatedly been accused of harvesting or inappropriately collecting personal information.

A few examples: In February 2019, TikTok settled with the FTC on allegations that Musical.ly illegally collected the names, email addresses, pictures and locations of children under 13, and was fined an (at the time) record-breaking USD $5.7 million. In August 2020, TikTok was sued under the Illinois Biometric Information Privacy Act for collecting users’ biometric identifiers (including children’s) without first obtaining consent. It settled the litigation for $92 million. In November 2022, an action was commenced against TikTok, alleging that the company surreptitiously collected data of user activity on non-TikTok websites. And in April 2023, the UK ICO fined TikTok £12.7 million for failing to adequately verify the age of users on its platform (and thus collecting and processing children’s personal information unlawfully).

What happens next for Australians?

The OAIC has not provided any updates since announcing the inquiry, but TikTok has stated it will cooperate.

With regulatory change on hand in Australia, this inquiry is worth watching — there are a range of proposed changes to the Privacy Act aimed at the information collection and handling of social media platforms (including the development of the Children’s Online Privacy code).

Notwithstanding this, the complexities of regulating data collection and handling on the international stage are very much on the agenda of regulators worldwide, and we should expect to see more of this kind of action, and an increase in the development of codes and legislation aimed at controlling the data harvesting of cross-jurisdictional digital platforms.

What can you do?

If you are an organisation looking to make use of analytics and marketing technology, consider the tools you are planning to use and whether they may carry additional risks to your website visitors as well as to your reputation. Whatever tools you deploy, make sure that you handle personal information transparently and that you are obtaining consent where appropriate.
