Consumer Privacy at Center of TikTok Investigation

Zeke Testa, Sr Director at Cytrio

Last week, California’s attorney general launched a nationwide investigation into the risks that the popular video app, TikTok may be posing to children. One question at the center is whether TikTok is violating consumer protection laws. Eight states leading the investigation, including California, Florida, Kentucky, Massachusetts, and others are shining a spotlight on the seriousness of protecting consumer data, not only for consumer privacy rights but for security purposes.

Many of us – not just teens – are not aware of just how vulnerable our information is or how exposed our data can be on these platforms and other websites. We freely sign up, many times not giving thought to the risks regarding our safety, privacy, and security when it comes to providing brands with our personal information such as name, date of birth, address, email, user names, passwords, and other information. Using simple and repetitive passwords is an open invitation for data breaches, account takeovers, and other cyberattacks – and it can ruin lives.

Hackers are in the business of stealing personal information for profit. And, they’re going after the easy targets, stealing 75 records every second while cybercrime has become more profitable than global illegal drug trade.

With modern data processing tools, it is very easy to correlate people’s personal identifiable information (PII), including personal health information (PHI). Even benign leaks like email addresses or phone numbers can lead to frightening scenarios when combined with data from earlier breaches: data available from social media sites and public agencies like the Department of Motor Vehicles (DMV). 

The same technologies – including data analytics, data warehouses and lakes, and machine learning – that enterprises use for mastering customer records can be used by hackers and state-sponsored actors to master breached data across multiple breaches and/or data from public agencies. And yes, DMVs in most U.S. states do sell your data. 

It’s safe to assume that there is a master record of your life being constructed by the underground web, and every time you give your personal information somewhere, you are helping hackers enrich that master record in that underground web. More precise that record is, the more valuable it is. In that regard, hackers and social media sites are the same: for both of them, you are the product, and the more they know about you, the more valuable you are to them.

Consumer data risk is at all-time high

While profits are top-of-mind for companies that collect data, they must not lose sight of the seriousness of consumer risk. With the explosion of social media platforms, digital transformation, and the emergence of the Metaverse, digital footprints are only getting larger. And the risk is intensifying. With Russia’s invasion of Ukraine last month, U.S. officials have put Americans on alert for increasing Russian cyberattacks as the war escalates. 

More than ever, there needs to be checks and balances in place at organizations so consumers are well aware of the risks and what can happen with their data. Do you intend to sell or share consumers’ data with another party, expanding their reach to other companies who may or may not have proper security practices in place? 

While this responsibility should be taken seriously by companies collecting data, they need to go beyond the “check the box” mentality just to ensure compliance, shifting to where integrity and securing consumers’ data takes center stage because it’s the right thing to do, especially  among increasing threats. Companies need to be on the side of the consumer, educating them on the importance of consumer privacy, fiercely protecting their personal information (PI), and being transparent with all data they’re collecting. 

Consumers shouldn’t have to go through four pages on a company’s privacy policy, read through fine print legal jargon to make sure they understand the full scope of what the company is doing with your data – all in an effort to make it difficult to opt out. It should be clearly outlined, highlighted, and accessible for anyone to understand. Clearly, with cyberattacks continuing to climb and our lives becoming increasingly digital, consumers need the help of brands to keep their personal data secure.

More state privacy laws are coming

State-level regulations like the California Consumer Privacy Act of 2018 (CCPA) took effect in 2020, with others taking effect in 2023, like the California Privacy Rights Act of 2020 (CPRA), Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA). 

Earlier this month, Utah passed the Utah Consumer Privacy Act, moving the state closer to becoming the fourth to enact privacy legislation in the US. And more are coming. Currently, 22 states, including Alaska, Hawaii, Massachusetts, New York, Pennsylvania, Washington, Wisconsin, and New Jersey, have multiple consumer privacy legislation pending. 

Regardless, the brands that consumers are interacting with on a daily basis should be holding consumer data with integrity while also providing easy access back to the consumer, not simply because it’s the law, but because the risk to consumers is great. 

With over 3 billion downloads and 1 billion monthly active users, TikTok is one of the fastest-growing apps since its launch in 2016. This investigation is a reminder than companies collecting data need to do right by consumers, particularly in these scary times.