January 20, 2023 | By Avneet Nehel, Craig Zawada, Troy Baril

Artificial Intelligence (“AI”) has taken center stage of 2023. Most countries are preparing, or have already passed, legislation to regulate the use of AI. While recent in terms of regulation, AI technology has been in commercial use, particularly Data Mining, for at least 20 years. Today, AI is used in everything from military to healthcare but that is a topic for another day. You must be wondering why I am talking about AI when the article is about privacy and TikTok. TikTok is a mobile application (“App”) that relies on AI algorithms like all other social media platforms. Realizing the impact AI has on our day to day lives, lawmakers are starting to understand the need to regulate it. Privacy is one of the main concerns in AI technology, as personal data can always fall into the wrong hands or be misused to generate income. Privacy legislation has become the platform in 2023 through which AI will be regulated worldwide.

Coming back to TikTok, most users (“User”) of the App posted a video during covid when you had nothing to do. It might have been a short one-minute video in which you chose to lip sync your favorite song. More recently, the need to pass time has become a hobby and even a career for some, with TikTok Users increasing by 32% in 2022. According to Statistics Canada, there are around 36 million mobile Users in Canada. Of these, 61% of Users are on social media. TikTok was the most downloaded social media App for Android Users in 2022. Statistics indicate Users spend 22.6 hours on average per month on the App. Canada has grown to become one of the leading markets for TikTok, with Users generating more than $355,000 US in revenues. Though don’t be happy just yet.

Although it is common knowledge between young and old how to post content on TikTok, few know where TikTok came from and how it makes money. TikTok was first launched in May of 2017 by the Chinese company Bytedance as a mobile application. By 2021, the App had more than 1 billion Users and revenue of over $4 billion. The App quickly became popular in Canada as well. Every month, around 3.2 million new Canadian Users joined TikTok. At present, there are 32 million TikTok Users in Canada with 41% of TikTok Users between the ages of 16 and 24.

Unlike YouTube, which allows short and longer duration content, TikTok only allows Users to create short audio-video content. The business model of TikTok caters to demand of short content and generating enough new content to keep viewers hooked. Users can make videos with or without background music. The music can either be chosen from the music catalogue provided by TikTok or Users can add their own track. Once a person has over 1000 followers, and provided they are over 16 years of age, they have the option to do live videos. Often on these “live videos” viewers send gifts to the User which can be exchanged for actual, real world, dollars.

The aim of TikTok is to generate content that is followed by viewers, motivating them to spend money on “gifts” which generates income for the User who posted the content. The more followers you have the more money you can make. Users above 18 years with 100,000 followers or more can activate a “tip” feature on their profile, allowing others to tip the User with minimum amount of $1. If that User’s content reaches top 4%, they receive 50% of the revenue from the ads displayed on the video. You also generate income through likes and comments on posts. Despite this, most income of TikTok comes from advertisements.

It is all bright and shiny until you start seeing the issues with a large platform having more than 1.5 billion Users and the concerns of privacy and misuse of data come up. A major privacy concern when TikTok started was that anyone over the age of 13 could use the App. This meant a child was able to use a platform where all kinds of content was easily accessible to them without filter.

In 2020, TikTok introduced a family safety mode and advanced privacy setting. However, TikTok had allowed individuals aged 13  and up to make an account, with the majority of TikTok viewers being children. This was a problem. First, TikTok’s algorithm could easily recommend inappropriate content, including that of a sexual nature, to Users of all ages. User did not only see content from accounts they follow, but the algorithm also suggested content from creators they may have never seen before, making it difficult to guarantee children would only see age-appropriate content. In Canada, this was a cause of concern because the majority of Users are teens and young adults in their 20s, who may not think of privacy as an issue. These Users may be subject to scams, identity theft, or malicious content shared on the platform, which appear as a harmless link. It wasn’t until 2022 that TikTok introduced the Family Pairing mode. This let parents link their accounts to their children’s account, enabling parents to monitor their child’s use of the App by setting time limits, content limits, and the ability to send direct messages.

Another issue with TikTok is its algorithm that collects User data. TikTok’s privacy policy states it collects User information, IP addresses, User’s mobile carrier, unique device identifiers, keystroke pattern, and location data among other data. If you authorize your TikTok account from third party social media accounts like Facebook or Instagram, they collect third party data as well. In addition to this, the third parties also collect User data from TikTok. The policy likewise states TikTok will share data within their “Corporate Group” but there is no definition of what this group stands for or who is included in such group. TikTok updated its privacy policy to include collection of biometric data, including “faceprints and voiceprints”.

TikTok’s privacy policy also states User information will be shared “with law enforcement agencies, public authorities or other organizations, if legally required to do so, or if such use is reasonably necessary”. This means TikTok will share User data with the Government of China if required to do so since their main servers are located in China. Even though TikTok claims their servers are in Singapore and USA, several studies have shown data transfer to China, and has been the center point of litigation against TikTok which we will discuss later. In fact, a recent article by CBC claims TikTok tracks User’s likes, dislikes, and personal information including email addresses, phone numbers, and WiFi networks. Since this discovery, various governments have questioned TikTok about transfer of data to China, but TikTok would not commit that this would never happen.

In addition to the above, third party partners of TikTok, like its advertising partners, may also collect information from Users. This means User habits are tracked from their mobile phone. For example, TikTok will gather information from other Apps used on that User’s device and analyze User’s content-consuming behavior. They start collecting User information as soon as the User joins TikTok and, in the long run, they learn more and more about the User and their pattern of living. This will allow them to predict User behavior in future. This concept is known as “Data Mining.”

Data Mining is common on social media platforms. It becomes an issue of concern when you are not sure how the information is being used, more so when there is a data leak in the organization and all user data becomes public knowledge. For example, in December 2022, PayPal’s server was hacked, and thousands of users were impacted. Information like usernames, addresses, Social Security numbers, individual tax identification numbers, and birth dates were all stolen.

There have been other concerns, as well, suggesting TikTok is trying to influence User thinking. The TikTok algorithm controls which data is widely available to the audience, and which data is being shadowed and suppressed due to its political sensitivity. Users complain TikTok controls the content from reaching a larger audience even if Users have many followers. Media articles claim data mining is being used to recognize and distinguish Users based on their races, colors, disparities, and to determine what they can post.

While all this information may still seem non-threatening to an individual, it is a cause of concern for businesses using TikTok. In September 2022, Microsoft announced TikTok had at least one “high-severity vulnerability” in their Android App which would allow attackers to compromise Users’ accounts with a single click. As a business, it is a cause of great concern what data is being collected and where it is going, more so if the data is being sold without consent. Information from businesses is even more valuable than individuals and all it will need is a data breach of TikTok servers. Sharing your email on the TikTok platform could grant access to your business email and the ability for hackers to get into your system.

TikTok claims their data is stored only on servers in the US and Singapore; this has been disputed in several legal actions filed against TikTok. Interestingly, claims were made in these lawsuits including allegations TikTok uses device location at least once an hour and has codes for collecting serial numbers for both the User’s device and SIM card. In other words, even if a User changes their device, TikTok can follow them through the SIM card.

Privacy concerns over the use of TikTok is nothing new and first came to light in 2019. TikTok’s owner Bytedance paid $5.7 million to the US Federal Trade Commission to resolve claims it illegally gathered information from underage Users, infringing upon the Children’s Online Privacy Protection Act.

In November 2019, Misty Hong filed a lawsuit against Bytedance in USA, alleging TikTok gathered her personal information like phone numbers and emails, without consent, harvested videos she never posted, but had saved on her profile, and transferred those videos to Bytedance servers which are all based in China. Interestingly, there were several plaintiffs who filed lawsuits against TikTok based on the same issue. Hence, it was made a class action suit by the Court In re: TikTok, Inc. Privacy Litigation. The lawsuit was recently finalized on August 22, 2022 for 92 million US dollars. The court also ordered that unless provided in the privacy policy, TikTok will not transmit or store US citizen data outside of the US, collect or store biometrics or GPS data, delete content that was pre-uploaded but never saved or posted on TikTok, and educate all its employees on compliance with data privacy laws. The court order does not seem to change much since, as discussed above, TikTok privacy policy already covers a wide range of data collection.

In Canada, relief has been at a much smaller scale with a settlement of $2 million for a TikTok Data Collection class action lawsuit in February 2022. In this action, plaintiffs argued TikTok collected the data of minors without consent, including collecting the MAC address from devices.

These concerns have led many to call for a ban of TikTok. To date, TikTok has been banned permanently only in India. Countries like Bangladesh, Pakistan, Indonesia, and the USA have temporary banned TikTok in the past, but these bans have largely been removed. Interestingly, TikTok does not operate in China. The parent company, Bytedance, has an alternative App for China called “Douyin” which operates only in China and is not available outside that country. Which begs the question whether the Government of China, too, did not want the data to leave China. The US military has also banned the App on all government issued devices. But is banning the App an effective solution? There are many such social media and international Apps in Canada, banning one App is not likely to solve the larger privacy issues.

This raises an obvious point: how can I be safe?

All social media Apps collect information which is sensitive and prone to be misused. What can Canadians do? For starters, Users can simply delete the App and stop using it. It is unlikely the majority of Users will do this, though. Which brings us to privacy settings. There are privacy settings on all social media Apps where a user can limit the information the App can collect. Users can use these security features to limit the information they agree to share. Apple users can also use the “Hide my email” feature to limit content available to other Apps. Android Users can use third party Apps or plugins to block privacy App tracking.

Obviously, privacy options are limited if you become famous on TikTok because you will have to keep your account public to monetize your account. But a few minor tweaks will make you better prepared to protect your privacy. You can make sure the account is set to private, as all accounts by default are public on TikTok as soon as you make them. A private profile limits who can contact the User and save them from potential scammers and identity theft through direct messages and links. As discussed above, TikTok has special safety features you can use for your child’s account to limit the content they see.

You also need to be wary of links. Before you click on any link, try to confirm they are genuine. If someone you don’t know contacts you, look at their User profile and make sure they have content. Is the User using an old profile or is it a profile made two days ago with comments turned off? That is a red flag. Hackers usually have a new profile with comments turned off to avoid negative feedback.

Lastly, it is a personal choice, but it is always advisable to not post content which is personally identifiable. Make sure the images you post or video you post does not show your house, your address, your car license plate, or your neighborhood. The more you share about your family and work, the easier it is for hackers to gain information about you.

Countries worldwide have passed, or are in process of passing, new legislation to provide more protection of privacy over social media, with the US passing its own consumer protection laws. Soon after, the State of Indiana filed a lawsuit against TikTok in December 2022, claiming TikTok policies still target young teens with adult content and violates the provisions of consumer protection law. In France, TikTok has been fined Euro 5 million for not allowing Users to reject the collection of cookies. In Canada, the Digital Charter Implementation Act, 2020, intends to bring transparency to AI systems and accountability through consent. Though we will have to see how the regulations implement privacy on the online platform, this Act does intend to allow a User to withdraw consent and request deletion of their data.

Stay posted as we share in our next issue the impact of social media on your intellectual property.


This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice. Contact Procido LLP (www.procido.com) if you require legal advice on the topic discussed in this article.

%d bloggers like this: