TikTok violates the GDPR in several ways with its way of tracking users and forwarding data. That is what the German newspaper Süddeutsche Zeitung claims. TikTok has also been charged in the US for tracking children.
TikTok has about 800 million users worldwide, Süddeutsche Zeitung reports based on an internal document. The author goes into a series of tweets on exactly how TikTok tracks users and where that data goes. Data on viewed videos and search terms goes to Facebook and AppsFlyer. The latter is a company that does business with 4500 advertising companies. TikTok owner ByteDance does not want to say which companies the data goes to. “We are not showing any contracts,” the company said.
Tracking is done via identifiers in URLs and via canvas and audio fingerprinting. In addition, the app draws a PNG in the background or makes the phone generate a sound without input from the microphone or output from the speakers. That combination of data is unique per phone, so TikTok can track individual phones. Because ByteDance and Facebook cannot show where the data is going or provide a way to delete it, the companies are violating the General Data Protection Regulation, according to the newspaper. The newspaper also says that TikTok uses various pieces of software without a license, including Zepto.js, FingerprintJS and Murmur Hash.
Some parents in the US have now sued TikTok for collecting data about their minor children without permission. In addition, the app, which was called Musical.ly until two years ago, did not say that it collected data and gave it to advertisers. TikTok says in a response to The Verge that a solution will soon be found for the objections of the parents.