Confusing by Design: A Data Protection Law Analysis of TikTok’s Privacy Policy

Open Access
Authors
Publication date 02-2021
Number of pages 27
Publisher Bruxelles: BEUC
Organisations
  • Faculty of Law (FdR) - Institute for Information Law (IViR)
Abstract
Over the past few years, TikTok has made an extraordinary number of changes to both its (EU) Privacy Policy and its data processing practices, most of which are not publicly documented. This makes it hard for interested parties to investigate and bring action accordingly. Improved data protection now does not excuse past breaches. TikTok’s Privacy Policy fails to establish compliance with most data protection principles in Article 5 GDPR, significantly weakening data subject rights and invalidating its reliance on the lawful ground in Article 6(1)b GDPR for a number of processing purposes. TikTok’s reliance on consent for personalised advertisement raises significant concerns and fails to comply with the requirements in the GDPR (Articles 4(11), 6(1)a and 7) and ePrivacy Directive (Article 5(3)). Neither does the company obtain explicit consent for its processing of special categories of personal data (cf. Article 9 GDPR). TikTok disclaims any responsibility over the security of personal data as it is transmitted on its platform, and anecdotal evidence suggests considerable disregard of the data protection by design requirement in the past, in violation of Articles 5(1)f, 24-25 and 32. When it comes to the actual processing of personal data, TikTok’s Privacy Policy does not appear to differentiate between children and adults. As such, TikTok fails to provide stronger safeguards for children (any person below the age of eighteen) as required by the GDPR (Recitals 38, 71 and Articles 8 and 25 GDPR).
Document type Report
Language English
Published at https://www.beuc.eu/reports/confusing-design-data-protection-law-analysis-tiktoks-privacy-policy-report