Complaint Blasts TikTok’s ‘Misleading’ Privacy Policies


TikTok is again in hot water for how the popular video-sharing app collects and shares data – particularly from its underage userbase.

An umbrella group comprising 44 consumer-privacy watchdog organizations has filed a complaint against TikTok, saying the wildly popular video-sharing platform has “misleading” data-collection policies.

ByteDance-owned TikTok has skyrocketed in popularity, with more than 2 billion downloads on the Google Play and Apple App Store marketplaces. The complaint was filed by the European Consumer Organisation (BEUC), made up of consumer-privacy watchdog groups from 32 countries. The BEUC says its goal is to ensure the European Union makes policy decisions to “improve the lives of consumers.”

According to the complaint, TikTok’s lack of data-collection transparency — particularly as it affects the platform’s large juvenile userbase — is potentially in violation of the EU’s General Data Protection Regulation (GDPR) data privacy regulations. The complaint was filed with the European Commission (the executive branch of the European Union, responsible for proposing legislation and implementing decisions) and a “network of consumer protection authorities.”

“TikTok does not clearly inform its users, especially children and teenagers, about what personal data is collected, for what purpose and for what legal reason,” said the BEUC, in a report released Tuesday, along with the complaint. “These practices are problematic inter alia as they do not allow consumers to make a fully informed decision about whether to register to the app and/or to exercise their rights under the GDPR.”

A TikTok spokesperson told Threatpost that an in-app summary of TikTok’s Privacy Policy has been developed “with vocabulary and a tone of voice that makes it easier for teens to understand our approach to privacy.”

“We’re always open to hearing how we can improve, and we have contacted BEUC as we would welcome a meeting to listen to their concerns,” the TikTok spokesperson told Threatpost.

TikTok: ‘Unclear’ Data-Collection Policy

The complaint claims that TikTok’s terms of use and privacy policies provide unclear privacy statements about how it collects and shares data. For instance, TikTok’s privacy policy does not provide an “exact list” of companies who receive the data that TikTok collects and shares (beyond indicating data is shared with broad categories of cloud storage providers, business partners, content moderation services and such).

Other details are not specified in TikTok’s privacy policy, said the BEUC – for instance, it does not provide information regarding the countries to which data is transferred (other than stating that data will be stored at a destination outside of the “European Economic Area”), or under which legal basis that location data is processed.

The BEUC also alleged that TikTok’s privacy policy (particularly for users aged 13 to 18) is difficult to access. For example, in order to access the privacy policy, users must have an existing account – meaning “the essential information is therefore not given to children and teenagers upon registration and at the pre-contractual stage,” said the BEUC.

The Impact on TikTok’s Young User Base

The report highlighted that a large part of TikTok’s userbase is made up of children. For instance, in the United States, a report found that more than one-third of daily TikTok users are 14 or younger – with many videos seeming to come from children who are below 13.

As such, TikTok needs to “clearly inform its users, especially in a way comprehensible to children and teenagers, about what personal data is collected, for what purpose and for what legal reason,” according to the BEUC.

“We consider that some of these, as well as other…practices are potentially in breach of the General Data Protection Regulation and have brought them to the attention of Data Protection Authorities in the context of their ongoing investigations into the company,” said the BEUC.

TikTok has previously found itself in hot water when it comes to its younger user base. In May, a group of privacy advocates filed a complaint with the Federal Trade Commission (FTC) alleging the platform failed to adequately protect children’s privacy.

But the social-media platform has also sought to improve privacy for its teen users by changing the privacy settings for all registered accounts under the age of 16, so that they are private by default. A limited TikTok app for users under 13 was also launched last year, and TikTok is partnering with parent watchdog group Common Sense in an effort to deliver appropriate videos for younger TikTok-ers.

“Keeping our community safe, especially our younger users, and complying with the laws where we operate are responsibilities we take incredibly seriously,” the TikTok spokesperson told Threatpost. “Every day we work hard to protect our community which is why we have taken a range of major steps, including making all accounts belonging to users under 16 private by default.”

Other TikTok Toils Outlined by Privacy Watchdogs

The complaint outlined an array of other issues with the TikTok app beyond its privacy policy. For instance, the BEUC claims that TikTok does not do a good job making marketing efforts obvious to its younger userbase. It is also potentially failing to conduct due diligence when it comes to protecting children from inappropriate content – such as videos showing suggestive content, argued the BEUC.

The BEUC also took issue with TikTok’s “virtual item policy,” where users can purchase coins that they can use as virtual gifts for TikTok celebrities whose performances they like. TikTok claims an “absolute right” to modify the exchange rate between the coins and gifts – which the BEUC said is “misleading” and could potentially allow the company to skew financial transactions in its own favor.

Finally, TikTok’s terms of service are “unclear, ambiguous and favor TikTok to the detriment of its users,” said the BEUC. “Its copyright terms are equally unfair as they give TikTok an irrevocable right to use, distribute and reproduce the videos published by users, without remuneration,” according to the BEUC.

What’s Next for TikTok

As part of its complaint, the BEUC wants authorities to launch a comprehensive investigation into TikTok’s policies and practices.

“Together with our members — consumer groups from across Europe — we urge authorities to take swift action,” Monique Goyens, director general at the BEUC, said in a statement. “They must act now to make sure TikTok is a place where consumers, especially children, can enjoy themselves without being deprived of their rights.”

TikTok has previously come under fire for various security and privacy problems – even last year facing a threat of a ban in the United States out of fear that the app was surreptitiously collecting data on U.S. government employees and contractors to use in China’s cyber-activities against the United States.

A vulnerability in TikTok, disclosed in January, could have allowed attackers to easily compile users’ phone numbers, unique user IDs and other data ripe for phishing attacks. Researchers in September disclosed four high-severity flaws in the Android version of TikTok that could have easily been exploited by a seemingly benign third-party Android app.

On the privacy front, in August TikTok was found to be collecting unique identifiers from millions of Android devices without their users’ knowledge using a tactic previously prohibited by Google because it violated people’s privacy.

“TikTok is walking the well-trodden path of other social media products that have access to huge swathes of personal information and have limited justifications other than the legitimate interests which is often cited as a response to GDPR but gets more complicated when the data doesn’t relate to adults,” Andrew Barratt, managing principal of Solutions and Investigations at Coalfire, told Threatpost. “Ultimately it would be beneficial to see regulators take a standards-based approach to privacy rather than complex contractual and legal position,” he added.
