It’s a brand-new era for TikTok in the US, where the Chinese parent company, ByteDance, spun off its US assets to comply with a 2024 foreign aid bill, just one day before the deadline. The app is now controlled by a new company called TikTok USDS Joint Venture LLC, jointly owned by Oracle (and backed by billionaire Larry Ellison), Silver Lake, a private equity firm, and MGX, a UAE state-owned AI investment firm based in Abu Dhabi.
You may be wondering, what does that mean for your privacy on the app?
Once the switchover took place, some users were shocked to find that normal interactions with the app, such as answering demographic questions to complete your account profile, sending messages, uploading photos and videos, syncing your contacts, or interacting with AI, will reveal a lot about you to the company, including your citizenship status, your gender identity, and your sexuality. What’s worse, TikTok will happily hand over that information to advertisers, governments, and other third parties.
The alarm over the modified privacy policy isn’t without merit. You can get an idea of what TikTok’s old US privacy policy was like by looking at the current policy for users in Europe and the UK. Previously, TikTok’s US privacy policy stated that the company collected information you provide when engaging with the platform in many of the ways described above, though it was not as explicit about the exact actions that trigger data collection. The following paragraph is what generated the most discussion online:
“Information You Provide may include sensitive personal information, as defined under applicable state privacy laws, such as information from users under the relevant age threshold, information you disclose in survey responses or in your user content about your racial or ethnic origin, national origin, religious beliefs, mental or physical health diagnosis, sexual life or sexual orientation, status as transgender or nonbinary, citizenship or immigration status, or financial information. For example, we may process your financial information in order to provide you the goods or services you request from us or your driver’s license number in order to verify your identity. We may also collect precise location data, depending on your settings and as explained below. We process such sensitive personal information in accordance with applicable law, such as for permitted purposes under the California Consumer Privacy Act.”
I suspect that the final sentence in that very long and pretty concerning list of data points relays the reason for the policy update. California’s Consumer Privacy Act requires companies to be more transparent about the types of data they collect from customers, how they use that data, and who else may access it. In other words, it’s possible that, for quite some time now, TikTok has been collecting and sharing all of the information above about its users not only to comply with global and US government inquiries but also to share it with advertisers, service providers, and other third-party platforms.
So should you accept the terms of this policy and use the TikTok app? Personally, I wouldn’t, but I deleted my personal and professional accounts on that platform last year after reading the privacy policy and comparing TikTok with similar apps, like China’s RedNote and Lemon8.
That’s all the more reason to take the time to read privacy policies carefully before downloading apps, browser extensions, or any kind of software. I read a lot of privacy policies while reviewing authenticators, hardware security keys, password managers, and private messaging apps. As you can imagine, these documents aren’t exactly thrilling reads, so I came up with a few shortcuts to get through them quickly and efficiently. These tips could save you time and may even save your data from falling into the wrong hands. Keep reading for my policy-reading cheat sheet, followed by a few things you should always do before downloading a new app or other software.
What Does a Good Privacy Policy Look Like?
Each company’s privacy policy is different. Some companies offer easy-to-read, very transparent policies that clearly outline what kinds of data they collect, how they use that data, how they store it, and how long they keep it.
Take a look at the screenshot below for an example of a well-formatted, informative privacy policy from Proton, the company behind Editors’ Choice winners Proton Pass and Proton VPN.
Proton’s pithy, well-formatted privacy policy. (Credit: Proton/PCMag)
In 2025, I highlighted some of the most invasive mobile apps. Whether companies log your keystrokes, gather data about you from other sources without your permission, or monitor everything you do while you browse the web, these practices are outlined in the company’s privacy policy. When you agree to the terms, your data could become theirs.
Sometimes companies fill privacy policies with confusing legal jargon, likely in the hope that the average customer will close the tab after encountering the third instance of the word “heretofore.” It’s much easier to hide invasive data collection practices in these documents. The easiest way to uncover the truth is to search privacy policies for phrases or words that could be potential points of interest.
How to Spot Privacy Policy Red Flags
Below is a list of search terms I use when reading lengthy privacy policies. Not all privacy policies will contain these words or phrases, and this list is not exhaustive. If you read enough policy statements, you’ll come up with a list of your own in no time.
“Incorporated”
It’s a good idea to find out where a company is located. Different countries have different approaches to data protection. For example, a company incorporated in Panama City adheres to Panama’s Personal Data Protection Law (PPDPL), while a German company would follow the rules set by the European Union’s General Data Protection Regulation (GDPR). A company’s country of incorporation isn’t an instant red flag for me, but knowing the guidelines the company operates under is a good starting point. For example, countries in the European Union must comply with GDPR, as do companies that do business in EU countries. If you’re unfamiliar with a country’s privacy laws, do a quick search to see what privacy protections are in that jurisdiction. If you can’t find anything, that may be a warning sign.
“Customer Data”
Search for this phrase, and you’ll find out what types of data companies collect from you. Most policies mention that the company stores the name, email address, and phone number you provide when you sign up for the service. Data collection veers into the invasive when the app or software automatically collects your keystrokes, clipboard data, photos, videos, notes, calendar entries, emails, SMS messages, or biometric data. That said, sometimes this information is necessary for an app to function. For example, if you’re downloading a photo editing app, the company needs to access your photo folder.
“Retention”
A good privacy policy will explain how long the company retains customers’ data after they cancel service or delete their account. Most of the policies I’ve read state that the company will delete customer data after a reasonable period, typically six months to one year. If a company is holding onto your private data for more than two years after you delete your account, that’s not good. If the company does not specify how long it retains your private information, that’s a red flag. Time to try a different app!
“Log Data”
Some proxy services or VPN companies keep customer activity logs. Since these companies have the ability to see all of your online activity—including websites you visit and webform text like bank account and credit card numbers—while you’re connecting to or through their service, there’s potential for invasive data collection. Most companies don’t log all of your actions, but some do. I recommend searching for the term “log data,” then scanning the following paragraphs to see what kinds of data the company logs. If it’s traffic data or detailed device usage data, steer clear.
“Sell”
DNA testing company 23andMe recently went bankrupt, and potential buyers are circling to acquire what’s left of it. If you’ve ever used one of their kits, that includes your genetic data. What happens to your private information if a company is dissolved or sold? What happens if another company acquires the app? Find out by searching for the words “sell” or “transfer” within the privacy policy. Most reputable companies will tell you what happens to your data if they change ownership. If a company doesn’t mention it in the privacy policy, check the terms of service document, too. If it isn’t there, stay away. You don’t want your private information to be sold or given to another company or a data broker without your consent.
“Third Party”
Search for the words “third party” or “advertisers” to make sure a company doesn’t share your information with anyone you don’t know. Some companies share customer data with third parties that handle payment processing or other in-app operations, which is normal and fine. However, it’s concerning when the primary company shares or sells your data for reasons unrelated to the app’s functionality. This is where the old adage “If a service is free, you’re the product” comes from.
Do This Before Downloading a New App
Be honest: When was the last time you read a privacy policy? If you do it every time you download an app, excellent work. If you don’t download many apps anyway, even better. You can’t inadvertently give away information if you don’t download apps in the first place.
Make sure to complete these three steps before downloading an app:
- Check for a link to a privacy policy page. If you can’t find one, or if you don’t understand what you are reading, stay away. Do not download the app or grant it any permissions on your device.
- Read the privacy policy and look closely at what information the app collects. If, for example, a simple calculator app’s policy mentions it collects your health and location information, dump the app and find an alternative.
- Find out if the app shares your data with third parties. While reading the privacy policy, ask yourself the following questions: Under what circumstances does the company comply with law enforcement requests? Will the company inform you when it sells or transfers your data? Does it give or sell your information to advertisers?
The app’s privacy policy should contain all of this information. If the answers you find raise red flags, don’t download the app.
Don’t Give Away Your Data
Want to find out how the apps on your phone handle your private data? I wrote about how to check app privacy stats on Android and iOS devices.
After locking down your phone, check out this list of essential privacy apps from my colleague Neil Rubenking. If you’re hoping to take online security to the next level, read our suggestions for easy things to do to improve your online privacy and security.
About Our Expert
Kim Key
Senior Writer, Security
Experience
I review privacy tools like hardware security keys, password managers, private messaging apps, and ad-blocking software. I also report on online scams and offer advice to families and individuals about staying safe on the internet. Before joining PCMag, I wrote about tech and video games for CNN, Fanbyte, Mashable, The New York Times, and TechRadar. I also worked at CNN International, where I did field producing and reporting on sports that are popular with worldwide audiences.
