TikTok Privacy News
https://www.tiktok.com/legal/privacy-policy
Coverage: Aug 1, 2014 to Jan 22, 2026
Change Timeline
Following the closure of the USDS (TikTok U.S. Data Security) Joint Venture structure, TikTok published a substantially revised privacy policy for US users. The new policy expanded geolocation data collection to include precise location tracking for content recommendations and advertising, broadened data sharing with advertising partners, and disclosed that user data may be transferred to additional international jurisdictions beyond those previously disclosed.
President Trump signed an executive order mandating a specific divestiture structure for TikTok's US operations, requiring ByteDance to reduce its ownership stake to no more than 20% of the new entity. The order set a framework for approved US investors to acquire a controlling interest while allowing ByteDance to retain a minority non-voting stake, and directed ongoing national security monitoring of data flows.
The Office of the Privacy Commissioner of Canada, together with provincial privacy commissioners of Quebec, British Columbia, and Alberta, concluded a joint investigation finding that TikTok violated Canadian privacy law by collecting, using, and disclosing children's personal information without meaningful parental consent. The commissioners found TikTok's age-gating mechanisms were inadequate to prevent children under 13 from creating accounts and being subject to algorithmic profiling.
The Irish DPC fined TikTok €530 million for unlawfully transferring EEA user data to China and failing to meet GDPR transparency requirements. During the inquiry, TikTok disclosed it had discovered in February 2025 that some EEA user data had been stored on Chinese servers — contradicting its own prior representations. TikTok was ordered to suspend data transfers to China within six months.
TikTok went dark in the United States for approximately 14 hours on the eve of the PAFACA ban's effective date, displaying a message that the app was unavailable. President-elect Trump intervened by announcing a 75-day executive pause on enforcement, and TikTok restored service. During the brief shutdown, an estimated 170 million US users lost access, and competitors like RedNote saw millions of downloads.
The US Supreme Court unanimously upheld the constitutionality of the PAFACA divest-or-ban law in TikTok Inc. v. Garland, ruling 9–0 that the national security interests in preventing a foreign adversary from collecting data on 170 million Americans outweighed First Amendment concerns. The Court found the law was not a content-based restriction on speech but a regulation of a foreign-controlled platform's data practices.
Attorneys general from 14 US states and the District of Columbia filed lawsuits against TikTok, alleging the platform was designed with addictive features that harmed children's mental health. The complaints cited infinite scroll, push notifications, beauty filters, and algorithmic amplification of harmful content as features that TikTok knew were damaging to young users but refused to change because they drove engagement and revenue.
The US Department of Justice and the FTC filed a federal lawsuit against TikTok and ByteDance alleging flagrant violations of the Children's Online Privacy Protection Act. The complaint accused TikTok of knowingly allowing children under 13 to create accounts without parental consent, collecting their personal data, and failing to honor deletion requests — in violation of TikTok's 2019 COPPA consent decree with the FTC.
TikTok updated its US privacy policy to include explicit disclosure that it may collect sensitive personal information including citizenship or immigration status. The language drew significant backlash when it resurfaced publicly in early 2026.
President Biden signed the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA) into law, requiring ByteDance to divest TikTok's US operations within approximately 270 days or face a nationwide ban. The law passed with overwhelming bipartisan support (352–65 in the House, 79–18 in the Senate) and represented the first federal legislation to mandate divestiture of a specific social media platform on national security grounds.
The Irish DPC fined TikTok €345 million for GDPR violations related to children's data (ages 13–17). Child accounts were set to public by default, the Family Pairing feature allowed unverified adults to weaken children's privacy settings, and TikTok employed dark patterns nudging children to post publicly. TikTok was ordered to bring processing into compliance within three months.
The UK Information Commissioner's Office (ICO) fined TikTok £12.7 million for failing to protect children's privacy. The ICO found that TikTok allowed approximately 1.4 million children under 13 to use the platform without parental consent between 2018 and 2020, and failed to use appropriate measures to identify and remove underage users. The fine was reduced from an initial £27 million proposed penalty.
TikTok announced 'Project Clover', a €12 billion European data security initiative to store EEA user data in dedicated data centers in Ireland and Norway. NCC Group was appointed as independent third-party auditor with strict access controls to prevent employees in China from accessing restricted European user data.
The European Commission banned TikTok from all corporate devices and personal devices enrolled in the Commission's mobile device management service, citing cybersecurity concerns. The European Parliament and the EU Council followed with similar bans within days. The decision reflected growing institutional distrust of TikTok's data handling and potential exposure to Chinese government data requests.
France's data protection authority (CNIL) fined TikTok €5 million for violating French cookie consent requirements. The CNIL found that TikTok did not allow users to refuse cookies as easily as accepting them and failed to adequately inform users about the purposes of different cookies. The fine was imposed under Article 82 of the French Data Protection Act following an investigation initiated in 2021.
President Biden signed the No TikTok on Government Devices Act as part of the omnibus spending bill, prohibiting TikTok from being installed on federal government devices. The law directed the Office of Management and Budget to develop standards for executive agencies to remove TikTok within 60 days, with limited exceptions for law enforcement and national security research purposes.
ByteDance confirmed that employees in its Internal Audit team had improperly accessed the TikTok data of multiple journalists, including reporters from BuzzFeed News and the Financial Times, in an attempt to track down the sources of leaked information about the company. The employees used TikTok account data, including IP addresses, to monitor journalists' physical locations. ByteDance fired the employees involved, and the revelation intensified calls for a US ban.
A federal judge granted final approval to a $92 million class-action settlement resolving claims that TikTok violated the Illinois Biometric Information Privacy Act (BIPA) and the federal Video Privacy Protection Act (VPPA). The lawsuit alleged TikTok collected facial geometry and other biometric data from approximately 89 million US users without informed consent, and shared users' viewing histories with third parties.
TikTok launched 'Project Texas', incorporating TikTok U.S. Data Security Inc. and routing all new US user data to Oracle's cloud infrastructure. The $2+ billion initiative was negotiated with CFIUS to address national security concerns about Chinese access to American user data. Oracle was given access to audit source code and algorithms.
BuzzFeed News published leaked audio from more than 80 internal TikTok meetings revealing that China-based ByteDance employees had repeatedly accessed US user data between September 2021 and January 2022, despite public assurances that American data was stored in the US. One member of TikTok's Trust and Safety team stated that 'everything is seen in China.' The revelations contradicted TikTok's congressional testimony and accelerated the push for Project Texas and legislative action.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined TikTok €750,000 for providing its privacy policy only in English, making it inaccessible to young Dutch users who did not speak the language. The DPA found that TikTok violated GDPR transparency requirements by failing to provide privacy information in Dutch, particularly given the app's large base of child users in the Netherlands.
TikTok updated its US privacy policy to disclose the collection of biometric data, including 'faceprints and voiceprints,' from user-generated content. The policy stated TikTok may collect biometric identifiers and biometric information as defined under US state laws, without specifying exactly how the data would be used or retained. The change drew immediate scrutiny from privacy advocates and formed the basis for subsequent BIPA class action litigation.
Italy's data protection authority (Garante) ordered TikTok to immediately block all users whose age could not be verified, following the death of a 10-year-old girl in Palermo during a 'blackout challenge' promoted on the platform. TikTok was forced to re-verify the age of all Italian users and removed over 500,000 accounts belonging to users under 13. The Garante found TikTok had failed to enforce its own minimum age requirement.
President Trump signed executive orders under the International Emergency Economic Powers Act (IEEPA) directing ByteDance to either divest TikTok's US operations within 90 days or face an effective ban. The orders cited national security concerns that TikTok's data collection posed a risk of Chinese government surveillance of American citizens. The orders triggered negotiations with Microsoft, Oracle, and Walmart as potential acquirers.
South Korea's Korea Communications Commission fined TikTok 186 million won (approximately $155,000) for collecting personal data from children under 14 without parental consent and transferring South Korean user data to servers in the United States and Singapore without proper notification. TikTok was ordered to strengthen its age verification processes and improve transparency about international data transfers.
India's Ministry of Electronics and Information Technology banned TikTok along with 58 other Chinese apps under Section 69A of the IT Act, citing threats to sovereignty, defense, and public order. The ban affected approximately 200 million TikTok users in India, which was the platform's largest market at the time. The ban was made permanent in January 2021, and TikTok has not returned to the Indian market.
Apple's iOS 14 beta exposed that TikTok was reading users' clipboard contents every few keystrokes, capturing any text copied to the clipboard including passwords, cryptocurrency wallet addresses, and private messages from other apps. TikTok initially attributed the behavior to an 'anti-spam' feature and issued an update removing the clipboard access, but the disclosure undermined trust in the app's data collection practices.
The Committee on Foreign Investment in the United States (CFIUS) opened a retroactive national security review of ByteDance's 2017 acquisition of Musical.ly, examining whether the merger posed risks related to Chinese government access to US user data. The review, reported by Reuters, marked a rare retroactive investigation of a completed deal and signaled growing US government concern about TikTok's data practices.
The FTC fined Musical.ly/TikTok $5.7 million for collecting personal information from children under 13 without parental consent, the largest COPPA penalty at the time. The complaint alleged that TikTok had actual knowledge that children were using the app and collected names, email addresses, and other personal data in violation of COPPA. TikTok was required to delete all data collected from children and implement a COPPA compliance program.
ByteDance completed its $1 billion acquisition of Musical.ly and merged the platform into TikTok, consolidating over 100 million users under a single app and privacy policy. The merger unified two distinct data collection regimes, with ByteDance gaining access to all Musical.ly user data including that of a predominantly young US user base.