Staying compliant starts with understanding the privacy rules of the platforms you rely on. This guide breaks down the key policies of major players — from Facebook and other social platforms to Zoom and ChatGPT. It provides clear information to help you align with platform-specific privacy requirements.

TikTok privacy policy: Data sharing terms requirements for businesses

TikTok’s reach is wide. As of February 2025, the platform has nearly 1.6 billion users worldwide, with that number expected to grow to around 1.9 billion by 2029. Advertisers are following the crowd: projections put TikTok’s advertising revenue near USD 33 billion by the end of 2025. 

Every interaction businesses have with TikTok’s business tools — from the TikTok Pixel to lead generation forms — means sharing user data with the platform. Once shared, that data falls under both the company’s own data sharing terms and several global data privacy laws.

TikTok maintains three separate privacy policies for data it collects directly from users, depending on where users are located: 

  • United States (US)
  • European Union (EU), European Economic Area (EEA), United Kingdom (UK), and Switzerland
  • Rest of the world

If your business uses TikTok Business Products, a different set of terms applies. Data that flows to TikTok from businesses through pixels, SDKs, or other integrations is instead governed by the TikTok Business Products (Data) Terms.

TikTok also has additional terms that may apply depending on how your business uses its tools. These additional terms vary in scope, such as those that apply to data collected from users in different regions, data collected from lead gen forms on the platform, and custom audiences for targeted advertising.

This article explains how TikTok handles the data it receives from businesses, the obligations the platform places on businesses, and how your privacy policy must reflect those obligations under TikTok’s terms and relevant data privacy laws.

What data does TikTok collect from businesses?

TikTok, which is owned by China-based parent company ByteDance, offers a range of tools designed for business use, from ad targeting features to developer integrations. These tools channel user information back to the platform.

The Business Products (Data) Terms cover three key categories of data:

  • Contact Details
  • Developer Data
  • Event Data

Contact Details

TikTok defines Contact Details as information that “enables an individual to be directly identified,” such as a user’s name, email address, or phone number. Your business may collect and transmit this data to TikTok when using certain advertising features.

You share Contact Details with TikTok when you:

  • Upload customer lists that include email addresses or phone numbers to create custom audiences for ad targeting
  • Run lead generation campaigns where users submit their contact information directly through a TikTok form
  • Use platform integrations (like Shopify) to send Contact Details to TikTok for ad targeting

Event Data

Event Data refers to information about how people interact with your website or app. 

TikTok defines events as “actions taken on your website, like adding an item to a cart or making a purchase, that can result from a paid TikTok ad or organically (unpaid).”

Event Data may include:

  • Technical details about a user’s device or browser, such as their language settings, IP address, country, and browser type
  • User actions on your site or app, such as visiting pages, installing apps, signing up for trials, downloading files, or adding items to a wishlist or cart

You share Event Data with TikTok when you use tools like the TikTok Pixel and the Events Application Programming Interface (API).

Developer Data

Developer Data is information TikTok collects when users interact with features on your website, app, or marketing platform that are powered by TikTok’s developer tools. 

These tools include APIs and software development kits (SDKs) that enable you to integrate TikTok functionality into your digital products, for example by letting users log in with TikTok, share content, or publish videos directly from your platform.

Like Event Data, Developer Data typically includes technical information about users’ devices and browsers, including IP addresses, geographic location, language settings, and browser or app type.

You share this data with TikTok through tools such as:

  • Login Kit, which enables users to sign in to your app or website using their TikTok credentials
  • Share Kit, which enables users to share videos, captions, hashtags, and other content from your mobile app directly to their TikTok profiles via your app’s share button
  • Content Posting API, which enables users to post videos or upload drafts to TikTok from within your platform (commonly used by social media scheduling tools)
  • Other integrations, including options to embed TikTok videos and creator profiles on your site, use webhooks to automate processes, or send images and videos from your app to TikTok as green screen backgrounds

How does TikTok use data?

Once TikTok receives personal information from businesses, it uses that data in several ways across its services. The platform’s terms outline several specific applications.

Measure performance and generate insights

TikTok uses Event Data to help your business evaluate how campaigns are performing and to provide context on how those results compare to other campaigns across the platform.

This data analysis serves two primary functions:

  • Campaign performance reports track the direct impact and reach of your advertisements and content across TikTok’s platform.
  • Industry benchmark reports are created by combining your anonymized Event Data with information from other businesses to provide market insights. These reports reveal trends across industries and regions but do not identify individual users or businesses.

Create and target custom audiences

On TikTok, you’re able to build audience segments based on how users interact with your website or app, such as visits, clicks, or conversions. 

These segments, known as custom audiences, are created using data you provide and are for your exclusive use. TikTok prohibits selling or transferring these audiences to other businesses. The terms also state that the platform will not use these audiences for other advertisers unless you give explicit instructions to do so.

Optimize TikTok personalized ads and content

TikTok correlates your Event Data with its internal user data to personalize ads and improve how your campaigns are delivered.

The platform may also aggregate your Event Data with information from other advertisers to enhance its own advertising system. However, TikTok states that no other business can target ads based solely on your Event Data.

Match your customer contacts

You can reach your existing customers on TikTok by uploading their Contact Details, like email addresses or phone numbers. TikTok then matches this information against its user database to generate a list of Matched IDs. These matched records are then combined with Event Data to refine audience targeting and improve the accuracy of campaign performance metrics.

Improve platform safety and integrity

TikTok uses Event Data and Developer Data to maintain safety and security across its products and services, including in its efforts to detect and prevent fraud. The platform also applies this data to research and development, to help enhance its features and deliver a better experience for both users and advertisers.

Power developer tools

When your business uses TikTok’s developer tools — such as APIs or SDKs — TikTok uses Developer Data to support the specific functions those tools were designed to perform. That includes actions like logging users in, sharing content, or posting videos through your app.

Role of cookies and tracking technologies

The TikTok Pixel uses both first- and third-party cookies. These cookies connect user actions on your website to their activity on TikTok. They also support accurate performance measurement and help optimize how your ad campaigns are delivered.

Depending on your configuration settings and visitor preferences, these cookies can also support audience creation for retargeting and engagement purposes.

Some content management systems and tag or data management platforms have officially supported integrations with the TikTok Pixel. These include major platforms like Shopify, WooCommerce, WordPress, BigCommerce, Google Tag Manager, and Tealium.

If you’re using a platform that isn’t directly supported, you can still implement TikTok cookies by manually adding the Pixel base code to your website.

TikTok cookies remain active for 13 months, beginning when they are first placed on a user’s browser or from the cookies’ most recent use, whichever is later.

What does TikTok say about sensitive personal data?

TikTok prohibits businesses from sharing or providing access to any Business Products Data that they know — or should reasonably know — belongs or relates to minors, or that contains sensitive personal data. 

“Sensitive” is a category of data under many privacy laws, and this information has greater security requirements and restrictions on collection and use.

This restriction applies regardless of whether the data has been collected intentionally or unintentionally, and includes data shared through tools like the Pixel, Events API, or uploaded contact lists.

TikTok defines children as:

  • Anyone under the age of 13
  • Anyone under the legal age of majority in their country or region who cannot legally consent to the processing of their Business Products Data under local law, where consent is required

Parental consent requirements may apply when collecting data from minors under relevant data privacy laws.

TikTok also prohibits businesses from sharing health, financial, or other sensitive categories of data. That includes anything defined as “sensitive” or “special category data” under applicable regional or federal privacy laws or industry standards.

Under the Lead Generation Terms, your business must not: 

  • Collect Lead Generation Data from or about anyone under the age of 18 or the local age of legal majority, if higher
  • Target lead forms to anyone under the age of 18 or the local age of legal majority, if higher
  • Use Lead Generation Products to collect information that qualifies as sensitive or special category data under applicable regulations


TikTok privacy policy requirements for businesses

TikTok’s Business Products (Data) Terms require any account that shares Business Products Data with the platform, or enables its access, to provide all transparency notices required by applicable laws.

This obligation applies whether you share Business Products Data: 

  • Directly, such as if your business uses tools that access or store information on users’ devices through tracking technologies. These could include the TikTok Pixel, cookies, APIs, or SDKs, collectively known as Device Data Collection Tools (DDCTs).

or

  • Indirectly, such as by authorizing TikTok to integrate with your data provider, measurement partner, or data management platform.

TikTok also establishes specific privacy policy requirements when it comes to data shared through DDCTs.

If your business uses DDCTs, you must provide clear, accessible, and prominent notices to users about these tools and how data is collected and used. This notice must include:

  • A statement that your website or app uses DDCTs operated by third parties, including TikTok, to collect information about how users interact with your site or app
  • An explanation that the data collected is used to provide measurement services and/or for ad targeting
  • Information on how users can opt out of this data collection and its use for ad targeting
  • A description of where users can find the mechanism to exercise these choices
  • Any additional information laid out in the Jurisdiction Specific Terms

For websites, TikTok requires that this privacy notice appears prominently on every page where DDCTs are active. For apps, the notice must be easy to find within your app settings and on any store or website where your app is distributed.

Other data terms for businesses

In addition to the Business Products (Data) Terms, TikTok has additional terms that address specific data collection and usage scenarios. They apply in specific situations and may introduce additional responsibilities depending on how your business uses TikTok’s tools.

Here is a look at some of the terms that may apply.

Jurisdiction Specific Terms

TikTok’s Jurisdiction Specific Terms apply when your use of TikTok Business Products involves data collected from users in certain regions. 

These supplemental terms reflect local data privacy laws and may require your business to take additional steps, such as establishing a legal basis for processing, obtaining explicit consent, and enabling data subject rights.

The terms cover the following regions:

The terms also include Japan. But unlike the other regions, where the applicable laws are specifically mentioned, the jurisdiction specific terms here apply when “using our TikTok Business Products in Japan.”

For the European region, the terms require you to establish a legal basis for processing personal data using DDCTs and to obtain all necessary and verifiable consents in accordance with the relevant laws.

The Jurisdiction Specific Terms require you to publish a privacy notice describing your processing activities, including any joint processing.

These terms also contain specific information that must be included in your privacy notice — in addition to the requirements in the Business Products (Data) Terms and any other clauses you include — in accordance with the relevant regional laws.

Lead Generation Terms

TikTok’s Lead Generation Terms apply when your business uses the platform’s lead generation products or services via TikTok for Business or TikTok Ads Manager. These products and services enable users to voluntarily submit their information to your business through customizable forms.

Under these terms, your business assumes full responsibility for processing all Lead Generation Data that users submit. You must provide required transparency notices and confirm that you have all necessary rights, permissions, and lawful bases — including consent where applicable — under relevant laws.

Each lead generation form must include:

  • A link to your legally compliant privacy policy and a clear statement that your privacy policy governs lead generation data collection and processing
  • All required consent or choice mechanisms, such as opt-outs, unsubscribe options, or consent withdrawal
  • All necessary disclosures about offers, including qualification criteria, expiration dates, and redemption limits

TikTok places additional obligations on your business if you share Lead Generation Data with a vendor, such as a customer relationship management (CRM) provider:

  • You acknowledge that the vendor is receiving data on your behalf
  • You must ensure that data sharing complies with applicable laws and establish proper contracts where required
  • Vendors may use the data only for the purposes you’ve authorized, and they must follow both TikTok’s requirements and your instructions
  • In the US, vendors must be designated as your service provider or processor under applicable privacy laws

TikTok may process Lead Generation Data in accordance with the TikTok Privacy Policy for purposes such as autofilling future forms for users.

Custom Audiences (Customer File) Terms

TikTok’s Custom Audiences (Customer File) Terms apply if your business uploads Contact Details to TikTok, such as email addresses or phone numbers. Custom audiences can be used for ad targeting, excluding users from ads, or creating lookalike audiences of TikTok ad users, among other things.

To upload and use the Contact Details for custom audience creation under these terms, you must have:

  • All necessary rights, permissions, and lawful bases required by applicable laws 
  • Provided all legally required notices to the individuals whose data you are uploading

If you use TikTok’s Custom Audiences product for ad targeting, you must also:

  • Provide the ability to opt out of ad targeting to individuals included in your Contact Details 
  • Remove any Contact Details belonging to users who have opted out, either before or after the data is uploaded
  • Refrain from using any individual’s contact details for ad targeting if they opt out after their data has been uploaded to the Custom Audiences product

How to align your business with privacy laws and TikTok privacy requirements

Businesses using TikTok’s advertising and marketing tools must develop comprehensive data handling practices that meet both the requirements of relevant global privacy regulations and TikTok’s specific requirements.


Update your privacy policy to meet TikTok’s disclosure requirements

Your privacy policy must clearly explain how your business uses TikTok’s tools and what that use means for your users’ personal data. Here is a non-exhaustive checklist of the required privacy policy disclosures for your TikTok business relationship:

  • Describe how your business collects, uses, and shares personal data in connection with TikTok Business Products
  • If you use tools that access or store data on user devices — such as the TikTok Pixel or SDKs — include:
    • A disclosure that your website or app uses third-party tracking technologies, including TikTok
    • A description of the types of data collected and how they are used, such as for measurement or ad targeting
    • Opt-out mechanisms where required by law
    • Clear, accessible links that enable users to exercise those choices
  • Link to your privacy policy prominently on every webpage where you use tracking tools, and make it easily accessible within your app through settings or the app store listing
  • Include direct links to TikTok’s privacy policy and cookie policy
  • Explain user rights under relevant data privacy laws, such as the right to object under the GDPR and the right to opt out under the CCPA/CPRA
  • If you use TikTok ads for behavioral targeting, provide a “Do Not Sell Or Share My Personal Information” link for California users, as required by state law
  • Explain how you obtain and use minors’ personal data and the requirements for valid parental or guardian consent, where required
  • If you are a joint controller with TikTok under the GDPR, describe your responsibilities regarding users’ personal data 
  • Any additional information required by the Jurisdiction Specific Terms

Before implementing tracking tools like the TikTok Pixel, your business must obtain all necessary and verifiable prior consents from users, particularly where required by laws like the GDPR and LGPD or other platform standards (such as Apple or Google platform terms).

Your consent banner via your consent management platform (CMP) must clearly explain how data will be used and give users the option to opt in or out, depending on jurisdiction.

You must also provide a clear way for users to opt out of data collection for ad targeting. If someone opts out, you must honor their choice and avoid using their data for that purpose.

Where laws like the GDPR apply, your business is responsible for identifying a legal basis for every instance of personal data processing and sharing involving TikTok tools.

Clarify your role as a data controller

Your legal relationship with TikTok depends on which tools you use and how you use them. 

In some cases, your business may act as an independent controller of personal data. In others, you may be considered a joint controller with TikTok, such as when using the TikTok Business Products for measurement and insight reporting in the EU/EEA or UK.

You are responsible for determining which role applies to each data processing activity, and your privacy policy must accurately reflect this relationship. If you act as a joint controller with TikTok, the GDPR requires you to inform users of this arrangement and explain each party’s responsibilities for protecting personal data.

Respect data prohibitions for minors and sensitive information

TikTok prohibits businesses from sharing or providing access to any Business Products Data that is either: 

  • Known to be from or about children under 13 (or the local age of majority) 

or 

  • Considered sensitive personal data

Further, you may not use lead generation products to collect data from or target individuals under 18 or the local age of majority.

If your business operates a website or app that could attract minors, or collects data that could reasonably relate to individuals under 18, you may face additional legal requirements. These will depend on the data collected and user location and may include:

  • Obtaining verifiable parental/guardian consent under laws like the Children’s Online Privacy Protection Act (COPPA) in the US, which must be separately obtained for collecting and sharing data
  • Obtaining explicit consent from a parent or legal guardian for users under 16 in the EU/EEA. EU member states can lower this to age 13
  • Clearly describing in your privacy policy how data from minors is collected and used
  • Using age verification methods when age affects eligibility or the type of data collected

When collecting personal data, practice data minimization by collecting only the data necessary for your intended purpose. Doing so reduces the risk of handling prohibited or unnecessary data and helps support compliance with global privacy laws.

Require vendors to meet TikTok’s requirements

If you share TikTok Lead Generation Data with vendors, such as customer relationship management (CRM) providers, you are responsible for setting clear obligations around how that data is handled. TikTok’s terms require that you:

  • Confirm the vendor is acting on your behalf and using the data only for the purpose(s) you’ve authorized.
  • In the US, designate vendors as your service providers or processors under applicable state privacy laws. This clarifies their role in your data processing activities and helps establish the legal framework for data sharing.
  • Put appropriate contracts in place where required, such as a Data Processing Agreement (DPA).
  • Hold vendors to the same compliance obligations that apply to your own business under TikTok’s terms. (Many data privacy laws require privacy compliance and data processing requirements to be contractually agreed upon.)

Implement appropriate data security measures

TikTok requires your business to protect Lead Generation Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. You must implement appropriate technical and organizational safeguards to secure any data you collect and share through lead generation forms.

Beyond TikTok’s requirements, most major data privacy laws make your business responsible for protecting any personal data it collects, processes, or shares, even after you’ve shared it with third parties like TikTok. These laws require reasonable security measures to be applied throughout the data lifecycle.

Any DPA you enter into with TikTok should require TikTok to apply the same security standards you use as a data controller.

Respect purpose limitations

TikTok requires that your business use lead generation data only for the purposes specified at the time of collection. That use must also align with your privacy policy, the user’s consent, and any terms that applied when the data was collected. If you want to use the data for new purposes, you must obtain additional consent as per TikTok’s Lead Generation Terms.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.