Top 5 TikTok Privacy and Data Security Concerns

As TikTok crosses 2 billion registered users globally, its approach to privacy and data security has drawn sharper scrutiny than ever before. The platform’s ties to ByteDance, its Chinese parent company, have pushed regulators in the United States and Europe to demand structural changes. In January 2025, the U.S. Supreme Court upheld legislation requiring ByteDance to divest TikTok or face a nationwide ban, a ruling that reframed the entire debate around data sovereignty and foreign access to user information.

Despite a proposed restructuring under a new entity called TikTok USDS Joint Venture, with Oracle holding majority oversight, security experts argue the arrangement still leaves core vulnerabilities unresolved. ByteDance retains a 19.9 percent stake and has reportedly retained control over the recommendation algorithm. For the platform’s predominantly young user base, the five concerns outlined below remain pressing, well-documented, and in several cases, actively worsening as TikTok’s data footprint continues to grow.

5 TikTok Privacy and Data Security Concerns

Addressing TikTok’s privacy and data security concerns requires looking closely at the platform’s most documented vulnerabilities. Opaque data collection, unchecked third-party sharing, inadequate age verification, algorithmic bias, and recurring data breaches each pose distinct risks. The platform’s rapid expansion and its growing role as a search engine and e-commerce hub have only increased the volume and sensitivity of the data it processes daily.

#1: Opaque Data Collection Practices

TikTok collects far more user data than most people realize, and its privacy policy does little to clarify the full scope. The app gathers location data, device identifiers, browsing patterns, keystroke rhythms, and biometric data, including facial geometry. Even users who never post a video are tracked. What TikTok does with that data downstream, particularly regarding storage in China and access by ByteDance engineers, remains inadequately disclosed to the average user.

Here are the core dimensions of TikTok’s data collection problem:

  • Extent of Data Collected: TikTok collects location data, device identifiers, browsing history, keystroke patterns, and biometric signals, including facial recognition data, often without users being clearly informed of the full scope during onboarding.
  • Purpose of Data Collection: The data feeds ad targeting and content recommendation systems, but TikTok’s privacy policy uses vague language around third-party sharing, leaving users unable to determine who ultimately accesses their information or for what purpose.
  • Lack of User Control: Users have no straightforward mechanism to audit what data has been collected, limit collection in real time, or opt out of specific data uses without abandoning the platform altogether.

Real-Life Example: In December 2022, TikTok confirmed that ByteDance employees in China had accessed the data of U.S. journalists without authorization, using the platform to track their locations and identify their sources. The admission directly contradicted earlier assurances that U.S. user data was protected. This incident prompted Congressional hearings and accelerated legislation that ultimately resulted in the Supreme Court ruling of January 2025.

Resolution: TikTok should publish machine-readable data inventories showing exactly what is collected, stored, and shared. User dashboards with real opt-out controls, not buried settings, would mark a meaningful shift. Regulators should require independent third-party audits of data flows between TikTok’s U.S. operations and ByteDance infrastructure, with findings made publicly available on an annual basis.

#2: Third-Party Data Sharing

TikTok shares user data with a broad network of advertisers, measurement partners, and analytics providers, and the boundaries of those arrangements are poorly defined. The privacy policy acknowledges sharing data with service providers to help advertisers measure ad effectiveness, but stops short of specifying which companies receive that data, what they retain, or how long they hold it. This opacity creates compounding risk beyond TikTok’s own systems.

These are the key risks within TikTok’s third-party data relationships:

  • Unclear Partnerships: TikTok’s published terms do not name which third parties receive user data, making it impossible for users or regulators to assess whether those partners apply adequate privacy protections of their own.
  • Risk of Data Misuse: Once data leaves TikTok’s systems, the platform has limited enforcement capacity over how partners use it, opening the door to behavioral profiling, resale, or repurposing well beyond the original consent scope.
  • Lack of Regulatory Compliance: The European Commission opened a formal investigation under the Digital Services Act in 2025, citing TikTok’s failure to give researchers adequate data access, which signals broader transparency deficits in its partner data flows.

Real-Life Example: At the end of 2025, a Vienna-based privacy advocacy group alleged that TikTok had tracked user activity on Grindr, a sensitive third-party platform, without consent via a marketing service integration. The claim suggests TikTok’s data collection extends beyond its own app through embedded SDKs and tracking pixels, capturing behavioral signals from users who may not even have a TikTok account, let alone have agreed to cross-platform tracking.

Resolution: TikTok should publish a named list of all data-sharing partners, updated quarterly, alongside the specific data categories each partner receives. Partnership contracts should include enforceable clauses requiring data minimization and prohibiting resale. Independent audits of third-party compliance, with results submitted to regulators in the U.S. and EU, would provide a meaningful accountability structure beyond self-reported assurances.

#3: Insufficient Age Verification

TikTok’s age verification process relies primarily on self-declaration, meaning a child can access the platform by entering a false birth year during signup. The company removes approximately 6 million underage accounts per month using behavioral detection tools, but that figure itself confirms the scale of the problem rather than the effectiveness of the fix. Millions of accounts likely go undetected, exposing children to data collection practices and content that violate their legal protections in most jurisdictions.

The specific weaknesses in TikTok’s age verification system include the following:

  • Easy to Circumvent: Entering a false birth year during signup is all it takes to bypass TikTok’s age gate, with no document check, device-level verification, or parental consent process required at the point of account creation.
  • Exposure to Harmful Content: A 2025 investigation by Global Witness found that accounts set up as 13-year-olds were directed toward sexually explicit content through TikTok’s own search suggestion feature, pointing to an algorithmic failure as much as an access control one.
  • Data Collection Concerns: Collecting behavioral, biometric, and location data from users who are actually minors, regardless of the age entered at signup, likely violates COPPA in the United States and the DSA’s Article 28 protections for minors in the EU.

Real-Life Example: In October 2025, Global Witness published findings from an investigation using seven fresh TikTok accounts configured as 13-year-olds on factory-reset devices. Within a short period, TikTok’s search auto-suggestion feature began directing those accounts toward explicit content. The report concluded that the algorithm actively pushed minors toward material that violated TikTok’s own community guidelines, raising serious questions about whether content controls and age protections are technically enforced or merely stated in policy documents.

Resolution: TikTok should implement device-level age estimation using AI, combined with a verifiable parental consent step for any account detected as potentially underage. Real-time algorithmic filtering must apply as a default for all accounts registered as minors, not as an optional restricted mode. Regulators should require proof of compliance through technical audits rather than accepting platform self-reporting on underage account removal rates.

#4: Algorithmic Bias

TikTok’s recommendation algorithm shapes what hundreds of millions of people see every day, yet the system operates with almost no external oversight or published methodology. The algorithm has been found to disadvantage content from users based on race, gender, and other protected characteristics, sometimes through direct suppression and sometimes through amplification patterns that structurally favor certain demographics. As TikTok increasingly functions as a discovery engine for news, products, and ideas, these biases carry consequences well beyond entertainment.

The algorithmic bias concern breaks down into three distinct but related problems:

  • Content Visibility: Research published in 2024 found that TikTok’s algorithm systematically reduces the reach of content from Black creators and users with disabilities, regardless of engagement rates, raising clear questions about whether suppression is intentional or a product of biased training data.
  • Data Misinterpretation: When algorithms infer preferences from skewed behavioral data, they encode existing social biases into their outputs. Users then receive a distorted content environment, and their interaction data further reinforces the same flawed assumptions in subsequent model updates.
  • Reinforcement of Stereotypes: Studies from 2024 confirmed that TikTok’s recommendation system surfaces content aligned with gender and racial stereotypes to new users before any personal preference signals are established, suggesting the algorithm applies demographic defaults rather than neutral discovery logic.

Real-Life Example: In early 2026, the European Commission issued preliminary findings that TikTok had failed to comply with its Digital Services Act obligations on risk assessment and mitigation for minors and marginalized groups. The Commission’s investigation, covering content recommendation and algorithmic amplification, found that TikTok did not adequately assess how its systems could expose vulnerable users to harmful content, a failure that extends directly to how algorithmic bias operates at scale across different demographic groups.

Resolution: TikTok should publish annual algorithmic transparency reports detailing how content is ranked, which signals are weighted, and how protected characteristics are handled. Independent fairness audits, conducted by researchers with full data access under the DSA framework, should assess both disparity in visibility outcomes and root causes in training data. Diverse model evaluation teams must be embedded in the development cycle, not brought in after deployment.

#5: Data Breaches

TikTok’s size makes it a persistent target for cybercriminals, and the platform’s track record on data breach disclosure has been inconsistent. The combination of a massive user base, extensive personal data collection, and a complex multinational infrastructure creates an unusually wide attack surface. Each breach not only exposes users to identity theft and phishing but also raises deeper questions about whether TikTok’s security architecture is built to match the scale of data it holds.

The breach risk profile for TikTok users involves several compounding factors:

  • Frequency of Breaches: In June 2024, hackers used malicious private messages to hijack notable accounts, including CNN’s, exploiting a zero-day vulnerability. In May 2025, a threat actor claimed to have exfiltrated 428 million user records, including email addresses, phone numbers, and internal account flags not typically accessible through public scraping.
  • Impact on Users: Exposed contact details, account metadata, and behavioral flags can be combined by bad actors to run targeted phishing campaigns, account takeovers, and identity fraud, particularly for verified or high-follower accounts with visible public profiles and influence.
  • Reputational Damage: ByteDance has repeatedly been slow to confirm breaches and has contested the authenticity of leaked datasets rather than disclosing what occurred. This pattern of delayed or incomplete disclosure compounds user harm by delaying protective action.

Real-Life Example: On May 29, 2025, cybersecurity monitoring group Kaduu identified a darknet listing claiming to contain 428 million unique TikTok user records, including email addresses, mobile numbers, and non-public account flags. The dataset was posted by a threat actor known as Often9 and distributed by a second party. TikTok disputed the breach but did not provide a technical refutation of how non-public fields appeared in the dataset, leaving millions of users without clear guidance on whether their accounts were at risk.

Resolution: TikTok should adopt mandatory breach notification within 72 hours of confirmed incidents, aligned with GDPR standards globally rather than only in the EU. End-to-end encryption for private messages and stored account metadata would limit the value of any exfiltrated dataset. Quarterly third-party penetration testing, with findings disclosed to regulators, would provide a baseline of accountability that current internal security practices do not.

Other Notable TikTok Privacy Concerns

Beyond the five primary concerns, several additional privacy issues deserve attention from users and regulators:

  • Government Data Access: TikTok’s privacy policy does not definitively prevent Chinese government authorities from requesting access to ByteDance-held data under Chinese national security laws, and the new USDS joint venture structure does not fully resolve this risk, according to Atlantic Council analysts.
  • TV App Tracking: TikTok’s Android TV application, with an estimated 10 million downloads, likely collects viewing history in ways that are even less transparent than the mobile app, and users on connected TV devices have fewer privacy controls available.
  • Misinformation Amplification: TikTok’s algorithm has been shown to amplify misinformation and disinformation at scale, particularly around health topics and elections, with the platform’s engagement-first ranking logic rewarding sensational content regardless of accuracy.
  • E-Commerce Data Collection: TikTok Shop’s expansion has added a new layer of financial and purchasing behavior data to the platform’s existing profile on users, with limited clarity on how transaction data is stored, shared with sellers, or used for algorithmic targeting.
  • Cross-App Tracking: Reports indicate TikTok uses embedded SDKs in third-party apps to track user behavior outside the platform, building behavioral profiles on individuals who may have never opened TikTok itself.

Video: Why This Data Expert Says TikTok Isn’t Safe

Conclusion

TikTok’s privacy and data security problems are not hypothetical risks buried in a terms-of-service document. They are documented, recurring, and in several cases actively worsening as the platform grows. The five concerns covered here reflect a consistent pattern of insufficient transparency, weak technical controls, and a disclosure culture that prioritizes reputation management over user protection. Structural changes like the USDS joint venture arrangement have not resolved the underlying issues that regulators in the U.S. and EU have spent years identifying.

The responsibility for improvement is shared. TikTok must move beyond policy language and implement verifiable technical protections. Regulators need enforcement tools with real financial consequences, not just preliminary findings. Users, particularly parents, need clearer information about what the platform collects and how to limit it. Until independent audits, enforceable breach disclosure standards, and genuine age verification are in place, the privacy risks of using TikTok remain significant and largely unmitigated.

Frequently Asked Questions About TikTok Privacy

Does TikTok sell user data to the Chinese government?

TikTok has not confirmed selling user data to the Chinese government, but the risk is structural rather than contractual. Under Chinese national security law, ByteDance can be compelled to provide data access to government authorities. The proposed USDS joint venture places U.S. data under Oracle’s oversight, but ByteDance retains a shareholding and reportedly retains control over the core algorithm, which means full separation has not occurred.

Is TikTok safe to use if I do not post any content?

Passive users are still subject to TikTok’s full data collection regime. The app collects device identifiers, location signals, browsing behavior within the app, and behavioral patterns regardless of whether a user ever posts a video. In some configurations, TikTok has been found to collect clipboard data and app activity in the background. Not posting content does not meaningfully reduce the data profile TikTok builds on an individual user over time.

What happened in the June 2024 TikTok security breach?

In June 2024, hackers exploited a zero-day vulnerability to compromise high-profile TikTok accounts, including CNN’s verified account, by sending malicious links through TikTok’s private messaging system. Clicking the link triggered an account takeover without requiring the target to enter credentials. TikTok confirmed the incident and said it worked to stop the attack, but the breach raised concerns about the security of direct messaging infrastructure across the platform.

How does TikTok’s algorithm create privacy risks beyond content recommendations?

TikTok’s algorithm infers sensitive personal attributes, including political views, health concerns, and sexual orientation, from behavioral signals like watch time, scroll speed, and interaction patterns. These inferences are used to build targeting profiles that are then made available to advertisers. Users do not consent to this inference process explicitly, and TikTok’s privacy policy does not clearly disclose the degree to which behavioral data is used to conclude sensitive characteristics beyond stated content preferences.

What can parents do right now to protect children using TikTok?

Parents can enable Family Pairing, which links a parent’s TikTok account to a child’s and allows controls over screen time, direct messages, and content filters. Setting the account to private limits who can comment or interact with the child’s content. Turning off personalized ads in the app’s settings reduces behavioral targeting. Reviewing the account’s privacy settings directly with the child, rather than relying on default configurations at signup, provides the most meaningful protection currently available.
