The social network TikTok has increasingly come under the scrutiny of data privacy regulators. The European consumer protection association BEUC (Bureau Européen des Unions de Consommateurs) filed a complaint recently with the EU Commission. Among other issues, the complaint alleges that children – who make up the majority of users – lack sufficient protection from hidden advertising and harmful content. This was followed by a hefty 92 million dollar fine as a consequence of a class action lawsuit in the USA. The accusation: data collection and sharing without user consent.
According to media reports, the Chinese platform lacks the basic level of data protection standards as applied in the EU – and doesn’t seem to care. Is this another growing platform for advertisers that’s overriding the rules?
The US debate with TikTok
The battle between former US President Donald Trump and TikTok has been causing a stir since last year and has brought the app a considerable amount of media attention.
Here is the scoop: Trump wanted to prevent a new tech giant such as Facebook or Google from establishing itself in the USA, a company that has its roots in China and transfers sensitive user data to the Far East. During this period, several plans were drafted, one of which envisaged a newly founded company taking over the US business from the parent company Bytedance. But Trump encountered resistance from the courts and Bytedance also filed a lawsuit. Fast forward to today, current President of the United States, Joseph Biden has postponed the issue for the time being. What remains is a stale aftertaste – can TikTok and its data protection strategy be trusted?
At the moment, the app is taking off in Europe where European authorities and associations are voicing increasing concern. Yet, TikTok is using loopholes in order to stall any pending investigations. In addition, while procedures have been initiated to check the app’s data protection, there is disagreement on a legislative level about who is responsible to undertake this. Two years after the launch of the General Data Protection Regulation (GDPR), there is still no clarity. So far, organisations in France, the Netherlands, Denmark and the UK have launched investigations. Ireland has now followed suit after TikTok set up a data centre in Dublin in 2019 – which does not exactly reduce the complexity of the issue. In addition, the app has massively revised its privacy policy and the technological infrastructure behind it several times in a short period of time, presumably to stifle ongoing investigations.
Who is behind the platform and how does it work?
The lucrative side of TikTok
Tiktok was born out of the music platform musical.ly after the Chinese group Bytedance took over the service. Today, the social media platform centres around playback videos to which users deliver a small performance. Essentially, the idea is to create small videos and add effects and music to them. The clips are between three and sixty seconds long and usually show music or dance performances, small tricks and sketches.
Bytedance does not earn anything directly from the creation of these clips, but advertisers can place advertisements for companies via Tiktok. The self-booking platform offers various advertising formats in order to attract the attention of users. Advertisers choose from infeed ads or clips that appear when the app is opened, start branded hashtag challenges or produce self-sponsored video effects for users. Various tools are available to create and run the ads, as well as various dashboards and reports to monitor their performance. However, many advertisers resort to product placements or influencer marketing within the content.
In addition to revenue from advertising, TikTok is primarily funded through in-app purchases, where the platform charges fees when coins are transacted (a proprietary currency to reward creators) or offers smaller deals such as special effects for purchase. In the long term, however, the biggest source of revenue is likely to be the user data that the app collects.
Accusations of data protection violations levelled against TikTok
TikTok is facing strong criticism for its extensive, uninformed data collection and other GDPR violations. Consumer protectionists have particularly criticised the lack of adequate protection for children and young people against hidden advertising and harmful content.
A statement by BEUC specifically says:
“TikTok does not clearly inform its users, especially in a way that is understandable for children and young people, about what personal data is collected for what purpose and for what legal reason. However, this information is essential for consumers when using TikTok’s services.”
TikTok lacks an opt-out option when it comes to personal data being used for advertising, as well as the upfront, explicit opt-in required by the GDPR. In general, the design of the platform does not take data protection into account. Another point of criticism pertains to the fact that TikTok secures the rights to its users’ videos allowing full control to TikTok.
The company’s terms of use stipulate that TikTok may only be used from the age of 13 and that children under 18 need the consent of their parents – but TikTok allegedly does not obtain this. Various studies from European countries also illustrate that the app’s user base is extremely young and a large percentage is even under the age of 13. In France, for example, 45 per cent of children under the age of 13 reported using the app. In the Czech Republic, TikTok is particularly popular with 11- to 12-year-olds, and a report from Norway shows that 32 & of users are 10- to 11-year-old children.
In response, a spokeswoman for TikTok pointed out that the accounts of users under 16 have been set to private by default and that that even younger users can only upload videos to a limited extent. In addition, only a small number of people are allowed to comment on them. The company itself explains the following via an infosheet:
“Most of our users are between 16 and 25 years old. If we learn that a child under the age of 13 has registered for a TikTok account, we take immediate action. We are committed to continuously improving our safeguards to create a safe environment for our users to express their creativity and imagination.” And furthermore: “We comply with the applicable laws and regulations on data protection. We comply with the GDPR.”
Adhering to the GDPR requires informed user consent and explicit consent to the processing of personal data. In simple terms, this means that before data is collected, users must be informed about what data will be processed and for what purpose, actively giving their permission for this. The basic guideline for this is: explicit (opt-in instead of opt-out), informed, voluntary (not tied to a specific purpose, i.e. without coupling), understandable and easily revocable. For more information on the requirements for legally compliant consent, see our article “The 7 Criteria for GDPR-Compliant Consent“.
This process can be easily and simply implemented with a Consent Management Solution, such as Usercentrics. This is done by giving the user the opportunity to specify his or her data protection preferences via a pop-up banner – something, which isn’t found on TikTok though.
Opportunities as well as risks for advertisers
The advantages of TikTok for advertisers are obvious: it provides them with a large reach and granular targeting on user data among a young target group that is otherwise rather difficult to reach. In addition, there is a relatively simple handling when placing the commercials and detailed reporting options. So far, there has been no rush for advertisers to use this service, which has kept the purchase prices for media at a relatively low level.
TikTok does not directly hold more or less risks for advertisers compared to other social platforms such as Facebook. The main issue here is that brand safety is not given in the user-generated content environment. However, various adtech companies are integrated to ensure the corresponding control mechanisms. The accusations of a lack of data protection are directed at TikTok and not at the advertisers active there.
With time, the (EU) Council will counsel
As with the other major social platforms that have built their business around advertising, data protection will remain an issue with TikTok. Also, the concern that the jurisdiction for oversight in the EU is unclear, will not go away anytime soon. It remains to be seen whether and to what extent TikTok can – and will – make improvements and meet the requirements of the Consumer Protection Association.