PHConsumer Reports found that the company uses some of the same techniques as Google, Meta, and other companies to collect personal data
By Thomas Germain
Illustration: Alberto Miranda
Almost every website you visit collects information about what youâre doing and sends it off into the tech industryâs data analyzing machinery, where it is used for online advertising. For years, Google and Facebook (now known as Meta) have dominated that advertising business, and conducted a lot of the data gathering. But lately, a new contender has entered the scene: TikTok.
A Consumer Reports investigation finds that TikTok, one of the countryâs most popular apps, is partnering with a growing number of other companies to hoover up data about people as they travel across the internet. That includes people who donât have TikTok accounts.
These companies embed tiny TikTok trackers called âpixelsâ in their websites. Then TikTok uses the information gathered by all those pixels to help the companies target ads at potential customers, and to measure how well their ads work.
To look into TikTokâs use of online tracking, CR asked the security firm Disconnect to scan about 20,000 websites for the companyâs pixels. In our list, we included the 1,000 most popular websites overall, as well as some of the biggest sites with domains ending in â.org,â â.edu,â and â.gov.â We wanted to look at those sites because they often deal with sensitive subjects.
We found hundreds of organizations sharing data with TikTok.
If you go to the United Methodist Churchâs main website, TikTok hears about it. Interested in joining Weight Watchers? TikTok finds that out, too. The Arizona Department of Economic Security tells TikTok when you view pages concerned with domestic violence or food assistance. Even Planned Parenthood uses the trackers, automatically notifying TikTok about every person who goes to its website, though it doesnât share information from the pages where you can book an appointment. (None of those groups responded to requests for comment.)
âI was genuinely surprised that TikTokâs trackers are already this widespread,â says Patrick Jackson, the chief technology officer at Disconnect, who helped us conduct the research. âI think people are conditioned to think, âFacebook is everywhere, and whatever, theyâre going to get my data.â I donât think people connect that with TikTok yet.â
The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta. However, TikTokâs advertising business is exploding, and experts say the data collection will probably grow along with it.
Disconnect found that data being transmitted to TikTok can include your IP address, a unique ID number, what page youâre on, and what youâre clicking, typing, or searching for, depending on how the website has been set up.
What does TikTok do with all that information?
âLike other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services,â says Melanie Bosselait, a TikTok spokesperson. The data âis not used to group individuals into particular interest categories for other advertisers to target.â If TikTok receives data about someone who doesnât have a TikTok account, the company only uses that data for aggregated reports that they send to advertisers about their websites, she says.
Thereâs no independent way for consumers or privacy researchers to verify such statements. But TikTokâs terms of service say its advertising customers arenât allowed to send the company certain kinds of sensitive information, such as data about children, health conditions, or finances. âWe continuously work with our partners to avoid inadvertent transmission of such data,â TikTokâs Bosselait says.
Google and Meta have similar policies barring websites from sending them sensitive information, but, as You do not have permission to view the full content of this post. Log in or register now., they frequently receive it anyway.
And we saw the same problem when we looked at TikTok trackers.
The national Girl Scouts website has a TikTok pixel on every page, which will transmit details about children if they use the site. TikTok gets medical information from WebMD, where a pixel reported that weâd searched for âerectile dysfunction.â And RiteAid told TikTok when we added Plan B emergency contraceptives to our cart. Recovery Centers of America, which operates addiction treatment facilities, notifies TikTok when a visitor views its locations or reads about insurance coverage.
We didnât see specific financial details being transmitted, but information about your economic situation could come from pixels on the financial advice company SmartAsset, as well as Happy Money, a company that works with lenders to provide personal loans, including debt-consolidation loans. TikTok can glean clues about your student finances from the College Board, where families often go for information about scholarships and financial aid. (CR reported on You do not have permission to view the full content of this post. Log in or register now. in 2020).
Pixels and other trackers (like online cookies) can be particularly useful for advertising. Letâs say you have a website, and you want to sell your products, or get people to donate to your nonprofit. You can use the trackers from a big tech company to keep tabs on who visits your site. Then you can ask the company to show those people ads on other parts of the internet. If someone clicks on one of those ads and ends up back on your website, the pixel will recognize them, and youâll know that your ad is working. (Consumer Reports uses tracking technology on its website, as outlined in our You do not have permission to view the full content of this post. Log in or register now..)
Jackson, at Disconnect, says many companies arenât careful enough when they use such trackers. In some cases, a companyâs executives might not even realize how much data their own websites are sharing.
That seemed to be true at RAINN, a leading anti-sexual-violence organization. We saw pixels contact TikTok when we visited the RAINN site, including a page with advice on what to do after a sexual assault. Errin Robinson, a spokesperson for the organization, told CR the use of pixels on its site was an error. âAfter investigation, it appears a contractor recently mistakenly enabled it while making another update to the site,â she said. âWe have removed it from RAINN.org.â
Robinson said the company is also looking at trackers from Google and other companies that remain on the site and âwill take appropriate action, including removing them, where applicable, as soon as possible.â
Similarly, the Mayo Clinic told us it removed âsocial mediaâ trackers from its site after we asked about TikTok trackers that were sharing data about medical conditions. (We found TikTok pixels on the organizationâs public-facing website, not in its patient portal.)
âMayo Clinic does not share patientsâ protected health information,â said spokesperson Ginger Plumbo. Disconnectâs Jackson later confirmed that the company had removed the TikTok trackers, but found that the website was still using a âconsiderable numberâ of trackers from Google, Microsoft, and other companies.
One of the sites we looked at, Michigan State University, defended its use of the trackers. The university uses âthis pixel tool to help generate interest in applying to and enrolling in courses at Michigan State,â says spokesperson Dan Olsen. âThey help us target our advertising to relevant audiences. The most sensitive information this pixel captures is potential major interests of prospective students.â
The other companies or organizations we examined didnât respond to our questions or declined to comment.
Most people have no idea that TikTok and other companies gather information about them in this way, Disconnectâs Patrick Jackson says. âThe only reason this works is because itâs a secret operation,â Jackson says. âSome people might not care, but people should have a choice. It shouldnât be happening in the shadows.â
However, policymakers have done little to stop this kind of hidden data collection, says Justin Brookman, director of technology policy for CR. âBecause of the way the web is structured, companies are able to watch what you do from site to site creating detailed dossiers about the most intimate parts of our lives,â he says. âIn the U.S., the tech industry largely gets to decide what is and isnât appropriate, and they donât have our best interests front of mind.â
In California, one of the only states with a comprehensive privacy law, the governmentâs solution is to give people the right to opt out of having their data sold and shared. But, You do not have permission to view the full content of this post. Log in or register now., opting out manually is hard, and a recent CR investigation found that the privacy You do not have permission to view the full content of this post. Log in or register now..
âThe real solution to this problem has to be legal,â Brookman says. âPolicymakers need to step in and say sharing this kind of information with third parties isnât allowed.â
The Markupâs You do not have permission to view the full content of this post. Log in or register now. reveals tracking technology being used on any website. And TikTok actually has a You do not have permission to view the full content of this post. Log in or register now., made for website developers, that will tell you if thereâs a TikTok pixel on any website. Neither tool is 100 percent accurate, and many trackers are used simply to help websites function, not to generate data for targeted ads.
You canât stop data collection from the tech industry altogether, but with a few simple steps you can make a dent in the amount of information thatâs being collected.
Use privacy-protecting browser extensions. You can add extensions to your browser that will do a lot to protect your privacy. One is Disconnect, made by the company that performed our TikTok investigation. The Disconnect extension shows you how websites are trying to track you and blocks a lot of that data collection. Privacy experts often recommend uBlock Origin, as well.
Change your browserâs privacy settings. A lot of browsers have built-in controls you can use to block trackers, including cookies, pixels, and other technologies. Open your browserâs preferences or settings, and youâll usually find the controls in the privacy section.
Try a more private browser. Google Chrome collects a lot of data on behalf of Google. The Consumer Reports You do not have permission to view the full content of this post. Log in or register now. recommends Firefox and Brave as more privacy-focused options.
By Thomas Germain
Illustration: Alberto Miranda
Almost every website you visit collects information about what youâre doing and sends it off into the tech industryâs data analyzing machinery, where it is used for online advertising. For years, Google and Facebook (now known as Meta) have dominated that advertising business, and conducted a lot of the data gathering. But lately, a new contender has entered the scene: TikTok.
A Consumer Reports investigation finds that TikTok, one of the countryâs most popular apps, is partnering with a growing number of other companies to hoover up data about people as they travel across the internet. That includes people who donât have TikTok accounts.
These companies embed tiny TikTok trackers called âpixelsâ in their websites. Then TikTok uses the information gathered by all those pixels to help the companies target ads at potential customers, and to measure how well their ads work.
To look into TikTokâs use of online tracking, CR asked the security firm Disconnect to scan about 20,000 websites for the companyâs pixels. In our list, we included the 1,000 most popular websites overall, as well as some of the biggest sites with domains ending in â.org,â â.edu,â and â.gov.â We wanted to look at those sites because they often deal with sensitive subjects.
We found hundreds of organizations sharing data with TikTok.
If you go to the United Methodist Churchâs main website, TikTok hears about it. Interested in joining Weight Watchers? TikTok finds that out, too. The Arizona Department of Economic Security tells TikTok when you view pages concerned with domestic violence or food assistance. Even Planned Parenthood uses the trackers, automatically notifying TikTok about every person who goes to its website, though it doesnât share information from the pages where you can book an appointment. (None of those groups responded to requests for comment.)
âI was genuinely surprised that TikTokâs trackers are already this widespread,â says Patrick Jackson, the chief technology officer at Disconnect, who helped us conduct the research. âI think people are conditioned to think, âFacebook is everywhere, and whatever, theyâre going to get my data.â I donât think people connect that with TikTok yet.â
The number of TikTok trackers we saw was just a fraction of those we observed from Google and Meta. However, TikTokâs advertising business is exploding, and experts say the data collection will probably grow along with it.
What Happens to Your Data?
After Disconnect researchers conducted a broad search for TikTok trackers, we asked them to take a close look at what kind of information was being shared by 15 specific websites. We focused on sites where we thought people would have a particular expectation of privacy, such as advocacy organizations and hospitals, along with retailers and other kinds of companies.Disconnect found that data being transmitted to TikTok can include your IP address, a unique ID number, what page youâre on, and what youâre clicking, typing, or searching for, depending on how the website has been set up.
What does TikTok do with all that information?
âLike other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services,â says Melanie Bosselait, a TikTok spokesperson. The data âis not used to group individuals into particular interest categories for other advertisers to target.â If TikTok receives data about someone who doesnât have a TikTok account, the company only uses that data for aggregated reports that they send to advertisers about their websites, she says.
Thereâs no independent way for consumers or privacy researchers to verify such statements. But TikTokâs terms of service say its advertising customers arenât allowed to send the company certain kinds of sensitive information, such as data about children, health conditions, or finances. âWe continuously work with our partners to avoid inadvertent transmission of such data,â TikTokâs Bosselait says.
Google and Meta have similar policies barring websites from sending them sensitive information, but, as You do not have permission to view the full content of this post. Log in or register now., they frequently receive it anyway.
And we saw the same problem when we looked at TikTok trackers.
The national Girl Scouts website has a TikTok pixel on every page, which will transmit details about children if they use the site. TikTok gets medical information from WebMD, where a pixel reported that weâd searched for âerectile dysfunction.â And RiteAid told TikTok when we added Plan B emergency contraceptives to our cart. Recovery Centers of America, which operates addiction treatment facilities, notifies TikTok when a visitor views its locations or reads about insurance coverage.
We didnât see specific financial details being transmitted, but information about your economic situation could come from pixels on the financial advice company SmartAsset, as well as Happy Money, a company that works with lenders to provide personal loans, including debt-consolidation loans. TikTok can glean clues about your student finances from the College Board, where families often go for information about scholarships and financial aid. (CR reported on You do not have permission to view the full content of this post. Log in or register now. in 2020).
Why Websites Use TikTok Trackers
Website developers choose to use trackers from Google, Meta, TikTok and other companies to facilitate their own digital advertising, to analyze traffic, and to perform other services.Pixels and other trackers (like online cookies) can be particularly useful for advertising. Letâs say you have a website, and you want to sell your products, or get people to donate to your nonprofit. You can use the trackers from a big tech company to keep tabs on who visits your site. Then you can ask the company to show those people ads on other parts of the internet. If someone clicks on one of those ads and ends up back on your website, the pixel will recognize them, and youâll know that your ad is working. (Consumer Reports uses tracking technology on its website, as outlined in our You do not have permission to view the full content of this post. Log in or register now..)
Jackson, at Disconnect, says many companies arenât careful enough when they use such trackers. In some cases, a companyâs executives might not even realize how much data their own websites are sharing.
That seemed to be true at RAINN, a leading anti-sexual-violence organization. We saw pixels contact TikTok when we visited the RAINN site, including a page with advice on what to do after a sexual assault. Errin Robinson, a spokesperson for the organization, told CR the use of pixels on its site was an error. âAfter investigation, it appears a contractor recently mistakenly enabled it while making another update to the site,â she said. âWe have removed it from RAINN.org.â
Robinson said the company is also looking at trackers from Google and other companies that remain on the site and âwill take appropriate action, including removing them, where applicable, as soon as possible.â
Similarly, the Mayo Clinic told us it removed âsocial mediaâ trackers from its site after we asked about TikTok trackers that were sharing data about medical conditions. (We found TikTok pixels on the organizationâs public-facing website, not in its patient portal.)
âMayo Clinic does not share patientsâ protected health information,â said spokesperson Ginger Plumbo. Disconnectâs Jackson later confirmed that the company had removed the TikTok trackers, but found that the website was still using a âconsiderable numberâ of trackers from Google, Microsoft, and other companies.
One of the sites we looked at, Michigan State University, defended its use of the trackers. The university uses âthis pixel tool to help generate interest in applying to and enrolling in courses at Michigan State,â says spokesperson Dan Olsen. âThey help us target our advertising to relevant audiences. The most sensitive information this pixel captures is potential major interests of prospective students.â
The other companies or organizations we examined didnât respond to our questions or declined to comment.
Most people have no idea that TikTok and other companies gather information about them in this way, Disconnectâs Patrick Jackson says. âThe only reason this works is because itâs a secret operation,â Jackson says. âSome people might not care, but people should have a choice. It shouldnât be happening in the shadows.â
However, policymakers have done little to stop this kind of hidden data collection, says Justin Brookman, director of technology policy for CR. âBecause of the way the web is structured, companies are able to watch what you do from site to site creating detailed dossiers about the most intimate parts of our lives,â he says. âIn the U.S., the tech industry largely gets to decide what is and isnât appropriate, and they donât have our best interests front of mind.â
In California, one of the only states with a comprehensive privacy law, the governmentâs solution is to give people the right to opt out of having their data sold and shared. But, You do not have permission to view the full content of this post. Log in or register now., opting out manually is hard, and a recent CR investigation found that the privacy You do not have permission to view the full content of this post. Log in or register now..
âThe real solution to this problem has to be legal,â Brookman says. âPolicymakers need to step in and say sharing this kind of information with third parties isnât allowed.â
How to Protect Your Personal Information
It takes some technical skill to find out exactly what personal data is being transmitted from a website, and where itâs going. But itâs easy to get some insight into whatâs going on.The Markupâs You do not have permission to view the full content of this post. Log in or register now. reveals tracking technology being used on any website. And TikTok actually has a You do not have permission to view the full content of this post. Log in or register now., made for website developers, that will tell you if thereâs a TikTok pixel on any website. Neither tool is 100 percent accurate, and many trackers are used simply to help websites function, not to generate data for targeted ads.
You canât stop data collection from the tech industry altogether, but with a few simple steps you can make a dent in the amount of information thatâs being collected.
Use privacy-protecting browser extensions. You can add extensions to your browser that will do a lot to protect your privacy. One is Disconnect, made by the company that performed our TikTok investigation. The Disconnect extension shows you how websites are trying to track you and blocks a lot of that data collection. Privacy experts often recommend uBlock Origin, as well.
Change your browserâs privacy settings. A lot of browsers have built-in controls you can use to block trackers, including cookies, pixels, and other technologies. Open your browserâs preferences or settings, and youâll usually find the controls in the privacy section.
Try a more private browser. Google Chrome collects a lot of data on behalf of Google. The Consumer Reports You do not have permission to view the full content of this post. Log in or register now. recommends Firefox and Brave as more privacy-focused options.