- Joined
- Nov 30, 2016
- Posts
- 16,541
- Solutions
- 3
- Reaction
- 32,653
- Points
- 11,623
Consumer Reports found that the company uses some of the same techniques as Google, Meta, and other companies to collect personal data
By Thomas Germain
Illustration: Alberto Miranda
Almost every website you visit collects information about what you’re doing and sends it off into the tech industry’s data analyzing machinery, where it is used for online advertising. For years, Google and Facebook (now known as Meta) have dominated that advertising business, and conducted a lot of the data gathering. But lately, a new contender has entered the scene: TikTok.
A Consumer Reports investigation finds that TikTok, one of the country’s most popular apps, is partnering with a growing number of other companies to hoover up data about people as they travel across the internet. That includes people who don’t have TikTok accounts.
These companies embed tiny TikTok trackers called “pixels” in their websites. Then TikTok uses the information gathered by all those pixels to help the companies target ads at potential customers, and to measure how well their ads work.
To look into TikTok’s use of online tracking, CR asked the security firm Disconnect to scan about 20,000 websites for the company’s pixels. In our list, we included the 1,000 most popular websites overall, as well as some of the biggest sites with domains ending in “.org,” “.edu,” and “.gov.” We wanted to look at those sites because they often deal with sensitive subjects.
We found hundreds of organizations sharing data with TikTok.
If you go to the United Methodist Church’s main website, TikTok hears about it. Interested in joining Weight Watchers? TikTok finds that out, too. The Arizona Department of Economic Security tells TikTok when you view pages concerned with domestic violence or food assistance. Even Planned Parenthood uses the trackers, automatically notifying TikTok about every person who goes to its website, though it doesn’t share information from the pages where you can book an appointment. (None of those groups responded to requests for comment.)
“I was genuinely surprised that TikTok’s trackers are already this widespread,” says Patrick Jackson, the chief technology officer at Disconnect, who helped us conduct the research. “I think people are conditioned to think, ‘Facebook is everywhere, and whatever, they’re going to get my data.’ I don’t think people connect that with TikTok yet.”
The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta. However, TikTok’s advertising business is exploding, and experts say the data collection will probably grow along with it.
Disconnect found that data being transmitted to TikTok can include your IP address, a unique ID number, what page you’re on, and what you’re clicking, typing, or searching for, depending on how the website has been set up.
What does TikTok do with all that information?
“Like other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services,” says Melanie Bosselait, a TikTok spokesperson. The data “is not used to group individuals into particular interest categories for other advertisers to target.” If TikTok receives data about someone who doesn’t have a TikTok account, the company only uses that data for aggregated reports that they send to advertisers about their websites, she says.
There’s no independent way for consumers or privacy researchers to verify such statements. But TikTok’s terms of service say its advertising customers aren’t allowed to send the company certain kinds of sensitive information, such as data about children, health conditions, or finances. “We continuously work with our partners to avoid inadvertent transmission of such data,” TikTok’s Bosselait says.
Google and Meta have similar policies barring websites from sending them sensitive information, but, as You do not have permission to view the full content of this post. Log in or register now., they frequently receive it anyway.
And we saw the same problem when we looked at TikTok trackers.
The national Girl Scouts website has a TikTok pixel on every page, which will transmit details about children if they use the site. TikTok gets medical information from WebMD, where a pixel reported that we’d searched for “erectile dysfunction.” And RiteAid told TikTok when we added Plan B emergency contraceptives to our cart. Recovery Centers of America, which operates addiction treatment facilities, notifies TikTok when a visitor views its locations or reads about insurance coverage.
We didn’t see specific financial details being transmitted, but information about your economic situation could come from pixels on the financial advice company SmartAsset, as well as Happy Money, a company that works with lenders to provide personal loans, including debt-consolidation loans. TikTok can glean clues about your student finances from the College Board, where families often go for information about scholarships and financial aid. (CR reported on You do not have permission to view the full content of this post. Log in or register now. in 2020).
Pixels and other trackers (like online cøøkíés) can be particularly useful for advertising. Let’s say you have a website, and you want to sell your products, or get people to donate to your nonprofit. You can use the trackers from a big tech company to keep tabs on who visits your site. Then you can ask the company to show those people ads on other parts of the internet. If someone clicks on one of those ads and ends up back on your website, the pixel will recognize them, and you’ll know that your ad is working. (Consumer Reports uses tracking technology on its website, as outlined in our You do not have permission to view the full content of this post. Log in or register now..)
Jackson, at Disconnect, says many companies aren’t careful enough when they use such trackers. In some cases, a company’s executives might not even realize how much data their own websites are sharing.
That seemed to be true at RAINN, a leading anti-sexual-violence organization. We saw pixels contact TikTok when we visited the RAINN site, including a page with advice on what to do after a sexual assault. Errin Robinson, a spokesperson for the organization, told CR the use of pixels on its site was an error. “After investigation, it appears a contractor recently mistakenly enabled it while making another update to the site,” she said. “We have removed it from RAINN.org.”
Robinson said the company is also looking at trackers from Google and other companies that remain on the site and “will take appropriate action, including removing them, where applicable, as soon as possible.”
Similarly, the Mayo Clinic told us it removed “social media” trackers from its site after we asked about TikTok trackers that were sharing data about medical conditions. (We found TikTok pixels on the organization’s public-facing website, not in its patient portal.)
“Mayo Clinic does not share patients’ protected health information,” said spokesperson Ginger Plumbo. Disconnect’s Jackson later confirmed that the company had removed the TikTok trackers, but found that the website was still using a “considerable number” of trackers from Google, Microsoft, and other companies.
One of the sites we looked at, Michigan State University, defended its use of the trackers. The university uses “this pixel tool to help generate interest in applying to and enrolling in courses at Michigan State,” says spokesperson Dan Olsen. “They help us target our advertising to relevant audiences. The most sensitive information this pixel captures is potential major interests of prospective students.”
The other companies or organizations we examined didn’t respond to our questions or declined to comment.
Most people have no idea that TikTok and other companies gather information about them in this way, Disconnect’s Patrick Jackson says. “The only reason this works is because it’s a secret operation,” Jackson says. “Some people might not care, but people should have a choice. It shouldn’t be happening in the shadows.”
However, policymakers have done little to stop this kind of hidden data collection, says Justin Brookman, director of technology policy for CR. “Because of the way the web is structured, companies are able to watch what you do from site to site creating detailed dossiers about the most intimate parts of our lives,” he says. “In the U.S., the tech industry largely gets to decide what is and isn’t appropriate, and they don’t have our best interests front of mind.”
In California, one of the only states with a comprehensive privacy law, the government’s solution is to give people the right to opt out of having their data sold and shared. But, You do not have permission to view the full content of this post. Log in or register now., opting out manually is hard, and a recent CR investigation found that the privacy controls companies give you often don’t work.
“The real solution to this problem has to be legal,” Brookman says. “Policymakers need to step in and say sharing this kind of information with third parties isn’t allowed.”
The Markup’s You do not have permission to view the full content of this post. Log in or register now. reveals tracking technology being used on any website. And TikTok actually has a You do not have permission to view the full content of this post. Log in or register now., made for website developers, that will tell you if there’s a TikTok pixel on any website. Neither tool is 100 percent accurate, and many trackers are used simply to help websites function, not to generate data for targeted ads.
You can’t stop data collection from the tech industry altogether, but with a few simple steps you can make a dent in the amount of information that’s being collected.
Use privacy-protecting browser extensions. You can add extensions to your browser that will do a lot to protect your privacy. One is Disconnect, made by the company that performed our TikTok investigation. The Disconnect extension shows you how websites are trying to track you and blocks a lot of that data collection. Privacy experts often recommend uBlock Origin, as well.
Change your browser’s privacy settings. A lot of browsers have built-in controls you can use to block trackers, including cøøkíés, pixels, and other technologies. Open your browser’s preferences or settings, and you’ll usually find the controls in the privacy section.
Try a more private browser. Google Chrome collects a lot of data on behalf of Google. The Consumer Reports You do not have permission to view the full content of this post. Log in or register now. recommends Firefox and Brave as more privacy-focused options.
By Thomas Germain
Illustration: Alberto Miranda
Almost every website you visit collects information about what you’re doing and sends it off into the tech industry’s data analyzing machinery, where it is used for online advertising. For years, Google and Facebook (now known as Meta) have dominated that advertising business, and conducted a lot of the data gathering. But lately, a new contender has entered the scene: TikTok.
A Consumer Reports investigation finds that TikTok, one of the country’s most popular apps, is partnering with a growing number of other companies to hoover up data about people as they travel across the internet. That includes people who don’t have TikTok accounts.
These companies embed tiny TikTok trackers called “pixels” in their websites. Then TikTok uses the information gathered by all those pixels to help the companies target ads at potential customers, and to measure how well their ads work.
To look into TikTok’s use of online tracking, CR asked the security firm Disconnect to scan about 20,000 websites for the company’s pixels. In our list, we included the 1,000 most popular websites overall, as well as some of the biggest sites with domains ending in “.org,” “.edu,” and “.gov.” We wanted to look at those sites because they often deal with sensitive subjects.
We found hundreds of organizations sharing data with TikTok.
If you go to the United Methodist Church’s main website, TikTok hears about it. Interested in joining Weight Watchers? TikTok finds that out, too. The Arizona Department of Economic Security tells TikTok when you view pages concerned with domestic violence or food assistance. Even Planned Parenthood uses the trackers, automatically notifying TikTok about every person who goes to its website, though it doesn’t share information from the pages where you can book an appointment. (None of those groups responded to requests for comment.)
“I was genuinely surprised that TikTok’s trackers are already this widespread,” says Patrick Jackson, the chief technology officer at Disconnect, who helped us conduct the research. “I think people are conditioned to think, ‘Facebook is everywhere, and whatever, they’re going to get my data.’ I don’t think people connect that with TikTok yet.”
The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta. However, TikTok’s advertising business is exploding, and experts say the data collection will probably grow along with it.
What Happens to Your Data?
After Disconnect researchers conducted a broad search for TikTok trackers, we asked them to take a close look at what kind of information was being shared by 15 specific websites. We focused on sites where we thought people would have a particular expectation of privacy, such as advocacy organizations and hospitals, along with retailers and other kinds of companies.Disconnect found that data being transmitted to TikTok can include your IP address, a unique ID number, what page you’re on, and what you’re clicking, typing, or searching for, depending on how the website has been set up.
What does TikTok do with all that information?
“Like other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services,” says Melanie Bosselait, a TikTok spokesperson. The data “is not used to group individuals into particular interest categories for other advertisers to target.” If TikTok receives data about someone who doesn’t have a TikTok account, the company only uses that data for aggregated reports that they send to advertisers about their websites, she says.
There’s no independent way for consumers or privacy researchers to verify such statements. But TikTok’s terms of service say its advertising customers aren’t allowed to send the company certain kinds of sensitive information, such as data about children, health conditions, or finances. “We continuously work with our partners to avoid inadvertent transmission of such data,” TikTok’s Bosselait says.
Google and Meta have similar policies barring websites from sending them sensitive information, but, as You do not have permission to view the full content of this post. Log in or register now., they frequently receive it anyway.
And we saw the same problem when we looked at TikTok trackers.
The national Girl Scouts website has a TikTok pixel on every page, which will transmit details about children if they use the site. TikTok gets medical information from WebMD, where a pixel reported that we’d searched for “erectile dysfunction.” And RiteAid told TikTok when we added Plan B emergency contraceptives to our cart. Recovery Centers of America, which operates addiction treatment facilities, notifies TikTok when a visitor views its locations or reads about insurance coverage.
We didn’t see specific financial details being transmitted, but information about your economic situation could come from pixels on the financial advice company SmartAsset, as well as Happy Money, a company that works with lenders to provide personal loans, including debt-consolidation loans. TikTok can glean clues about your student finances from the College Board, where families often go for information about scholarships and financial aid. (CR reported on You do not have permission to view the full content of this post. Log in or register now. in 2020).
Why Websites Use TikTok Trackers
Website developers choose to use trackers from Google, Meta, TikTok and other companies to facilitate their own digital advertising, to analyze traffic, and to perform other services.Pixels and other trackers (like online cøøkíés) can be particularly useful for advertising. Let’s say you have a website, and you want to sell your products, or get people to donate to your nonprofit. You can use the trackers from a big tech company to keep tabs on who visits your site. Then you can ask the company to show those people ads on other parts of the internet. If someone clicks on one of those ads and ends up back on your website, the pixel will recognize them, and you’ll know that your ad is working. (Consumer Reports uses tracking technology on its website, as outlined in our You do not have permission to view the full content of this post. Log in or register now..)
Jackson, at Disconnect, says many companies aren’t careful enough when they use such trackers. In some cases, a company’s executives might not even realize how much data their own websites are sharing.
That seemed to be true at RAINN, a leading anti-sexual-violence organization. We saw pixels contact TikTok when we visited the RAINN site, including a page with advice on what to do after a sexual assault. Errin Robinson, a spokesperson for the organization, told CR the use of pixels on its site was an error. “After investigation, it appears a contractor recently mistakenly enabled it while making another update to the site,” she said. “We have removed it from RAINN.org.”
Robinson said the company is also looking at trackers from Google and other companies that remain on the site and “will take appropriate action, including removing them, where applicable, as soon as possible.”
Similarly, the Mayo Clinic told us it removed “social media” trackers from its site after we asked about TikTok trackers that were sharing data about medical conditions. (We found TikTok pixels on the organization’s public-facing website, not in its patient portal.)
“Mayo Clinic does not share patients’ protected health information,” said spokesperson Ginger Plumbo. Disconnect’s Jackson later confirmed that the company had removed the TikTok trackers, but found that the website was still using a “considerable number” of trackers from Google, Microsoft, and other companies.
One of the sites we looked at, Michigan State University, defended its use of the trackers. The university uses “this pixel tool to help generate interest in applying to and enrolling in courses at Michigan State,” says spokesperson Dan Olsen. “They help us target our advertising to relevant audiences. The most sensitive information this pixel captures is potential major interests of prospective students.”
The other companies or organizations we examined didn’t respond to our questions or declined to comment.
Most people have no idea that TikTok and other companies gather information about them in this way, Disconnect’s Patrick Jackson says. “The only reason this works is because it’s a secret operation,” Jackson says. “Some people might not care, but people should have a choice. It shouldn’t be happening in the shadows.”
However, policymakers have done little to stop this kind of hidden data collection, says Justin Brookman, director of technology policy for CR. “Because of the way the web is structured, companies are able to watch what you do from site to site creating detailed dossiers about the most intimate parts of our lives,” he says. “In the U.S., the tech industry largely gets to decide what is and isn’t appropriate, and they don’t have our best interests front of mind.”
In California, one of the only states with a comprehensive privacy law, the government’s solution is to give people the right to opt out of having their data sold and shared. But, You do not have permission to view the full content of this post. Log in or register now., opting out manually is hard, and a recent CR investigation found that the privacy controls companies give you often don’t work.
“The real solution to this problem has to be legal,” Brookman says. “Policymakers need to step in and say sharing this kind of information with third parties isn’t allowed.”
How to Protect Your Personal Information
It takes some technical skill to find out exactly what personal data is being transmitted from a website, and where it’s going. But it’s easy to get some insight into what’s going on.The Markup’s You do not have permission to view the full content of this post. Log in or register now. reveals tracking technology being used on any website. And TikTok actually has a You do not have permission to view the full content of this post. Log in or register now., made for website developers, that will tell you if there’s a TikTok pixel on any website. Neither tool is 100 percent accurate, and many trackers are used simply to help websites function, not to generate data for targeted ads.
You can’t stop data collection from the tech industry altogether, but with a few simple steps you can make a dent in the amount of information that’s being collected.
Use privacy-protecting browser extensions. You can add extensions to your browser that will do a lot to protect your privacy. One is Disconnect, made by the company that performed our TikTok investigation. The Disconnect extension shows you how websites are trying to track you and blocks a lot of that data collection. Privacy experts often recommend uBlock Origin, as well.
Change your browser’s privacy settings. A lot of browsers have built-in controls you can use to block trackers, including cøøkíés, pixels, and other technologies. Open your browser’s preferences or settings, and you’ll usually find the controls in the privacy section.
Try a more private browser. Google Chrome collects a lot of data on behalf of Google. The Consumer Reports You do not have permission to view the full content of this post. Log in or register now. recommends Firefox and Brave as more privacy-focused options.