By Victoria Tinker
Over the past weekend, from September 18 to September 20, 2020, TikTok’s standoff with the Trump administration finally reached a negotiable solution. After much debate on the future of the app, President Trump gave his blessing on a business deal that distances TikTok from its Chinese roots. Oracle and Wal-Mart will take a minority stake in TikTok with the original owners, ByteDance, retaining the majority shares. TikTok also hired former Disney executive, Kevin Mayer, as the new CEO and made Los Angeles its principal office. Although TikTok will be more influenced by the United States under the deal, does that solve the original issue of TikTok’s data collection practices?
TikTok is a wildly popular social media app where users can post videos of dances, cooking tips, tie-dye how-tos, and much more. Beginning in 2018, TikTok was made available in more than 75 countries, which put the app on par with Facebook, Twitter, and Instagram. Like its fellow social media apps, TikTok is predominantly popular amongst Generation Z and Millennials. Earlier this year, TikTok surpassed two billion downloads which is attributed to the worldwide COVID-19 Quarantine. With billions of people bored in their homes, the app provided lighthearted content and the escapism needed in a time of crisis. Popular users receive brand sponsorships and built lucrative careers on posting 60-second video clips. Since the platform is free to download and use, it feels like stardom is only one post away. However, national security and information privacy officials have been sounding the alarm due to the app’s potential threats to users’ information.
TikTok was originally owned by ByteDance, a Beijing-based multinational Internet technology company. Despite the fact that the app’s data centers are all located outside of China and that United States user data is stored in the United States and not subject to Chinese laws, the app’s Chinese roots made information privacy analysts question whether users’ data was safe.
TikTok is not new to such controversy. The app was banned by the Indian government following violent clashes with China on the border between the two countries. The private sector has also shown concern about TikTok’s data collection and retention practices. In July 2020, Wells Fargo told employees who had installed TikTok to delete the app, and report if any content was associated with their positions at the company.
So, what kind of information is TikTok collecting from its users that is making both private and public sectors nervous?
The information that TikTok collects can be separated into three categories – information the user voluntarily provides, information collected from third parties like Facebook, and information that is collected automatically. Voluntary information includes age, email address, user-generated content, payment information, phone and social network contacts. TikTok can also collect information from a user’s other social media accounts if the user chooses to link the accounts. TikTok also requires user consent to collect Global Positioning System data (GPS). TikTok uses third-party advertisers to collect information about how users engage with ads within the app in order to create more targeted video content. These collection methods are consistent with other media companies like Facebook and Google.
Where users and data privacy advocates are most concerned is automatic data collection. TikTok automatically collects IP addresses, browsing and search history (within the app), model of device, mobile carrier, time zone setting, and metadata that is connected to the user content. Metadata can best be described as how, when, and by whom the piece of content was collected and how that content is formatted.
But is TikTok really collecting more data than any other media company? Facebook, which also owns Instagram, collects data in a very similar way. Facebook collects information voluntarily, through third parties, and automatically. Unlike TikTok, however, Facebook also collects information about the device that a user is opening the site on, GPS information about nearby Wi-Fi access points, and information about nearby devices like a TV.
This continuous debate over TikTok’s data privacy practices has predominately scrutinized China; as such, many believe that the Americanization of the app is a quick way to sever ties with China and protect the app’s users. However, how safe is user information in the United States?
There is no single comprehensive federal law that governs data privacy or cybersecurity. The United States Privacy Act of 1974 only pertains to the rights and restrictions on data held by government agencies, not private companies. The Gramm-Leach-Billey Act only protects financial nonpublic information. The Children’s Online Privacy Protection Act only protects the personal information of children twelve years old and younger. A few states have started to develop their own privacy regulations, but those protections only go so far. The confusing debate on TikTok’s future has highlighted the absence of federal regulations to prevent private companies from non-consensual data collection and what those companies do with the data. If the United States wants to get serious about data privacy and cybersecurity, now is the time.
One solution is to look to the California Consumer Privacy Act of 2018 (CCPA) for inspiration. This piece of legislation gives California residents the right to know what personal information a business collects about them, the right to opt-out of the sale of their personal information, and the right to demand that personal information collected from them by businesses be deleted. The CCPA has made California a pioneer of data privacy regulation and this legislation can be used as a model for a more secure future of the Internet.