If this sounds familiar, it’s because it’s happened before. Meta’s near-omnipresence wherever you are online enabled it to gather data on users, even those who don’t have Facebook accounts—thanks, in part, to the Facebook “Like” button, a piece of code embedded on most websites. According to this Facebook Help Centre page, if a logged-in user visits a website with this button, the browser sends user data to Facebook so it can load content to that website.
Something similar happens to users who are either logged out of Facebook or don’t have an account. The only difference is that the browser sends a limited set of data. However you look at it, Facebook gets your data.
In TikTok’s case, the company embeds a tracker called a “pixel.” Pixel gathers user data from these websites to help companies target ads and measure how these work.
CR sought the aid of security firm Disconnect to scan for websites containing TikTok’s pixel, paying particular attention to sites that regularly deal with sensitive information, such as .gov, .org, and .edu sites. It turns out that pixels are already widespread.
“I think people are conditioned to think, ‘Facebook is everywhere, and whatever, they’re going to get my data.’,” said Disconnect Chief Technology Officer (CTO) Patrick Jackson. “I don’t think people connect that with TikTok yet.”
Among other data, TikTok collects the IP address; a unique number; the page a user is on; and what they’re clicking, typing, or searching for. While the data is used for targeted ads and ad effectiveness, TikTok spokesperson Melanie Bosselait said the data “is not used to group individuals into particular interest categories for other advertisers to target.” Data collected from non-TikTok users, however, are used in aggregated reports sent to advertisers.
CR also reported why websites use pixels (on top of other trackers). One school, Michigan State University, uses it to “help generate interest in applying to and enrolling courses at Michigan State”. Dan Olsen, the university spokesperson also said, “They help us target our advertising to relevant audiences. The most sensitive information this pixel captures is potential major interests of prospective students.”
Some sites like Mayo Clinic’s public-facing pages and RAINN, a leading anti-sexual-violence organization, have removed pixels, citing their presence was an oversight. Other businesses CR questioned either declined to comment or never responded.
Jackson said that most companies are unaware TikTok and other big brands gather data this way. “The only reason this works is because it’s a secret operation. Some people might not care, but people should have a choice. It shouldn’t be happening in the shadows.”
To prevent clandestine data collection, policymakers need to get involved. “Because of the way the web is structured, companies are able to watch what you do from site to site creating detailed dossiers about the most intimate parts of our lives,” said Director of Technology Policy for CR Justin Brookman. “In the US, the tech industry largely gets to decide what is and isn’t appropriate, and they don’t have our best interests front of mind.”
Consumer Reports recommends three guidelines to follow for users to protect their personal information online:
- Use privacy-protected browser extensions, such as uBlock Origin (or, we might add, Malwarebytes Browser Guard).
- Take advantage of your browser’s privacy settings.
- Use a privacy-focused browser, such as Brave or Firefox.
When it comes to tracker presence online, Google and Meta still lead. But TikTok’s advertising business is booming. And, with that, data collection is expected to grow, too.