Lubin Law | Property Tax Appeals | South Florida

TikTok’s Looming U.S. Ban: What It Means for Privacy Compliance

TikTok’s future in the U.S. has been a rollercoaster of legal and political battles. In April 2024, President Biden signed the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA), requiring ByteDance, TikTok’s Chinese parent company, to sell its U.S. operations by January 19, 2025, or face a nationwide ban. As the deadline approached, the Supreme Court upheld the law’s constitutionality, reinforcing the divestiture requirement. When ByteDance failed to secure a buyer in time, TikTok was removed from app stores on January 18, 2025, and users across the country experienced service disruptions. However, on January 19, 2025, service was temporarily restored after President-elect Donald Trump announced plans to delay the ban via executive order, granting ByteDance an additional 90 days to negotiate a sale or restructure its ownership to include majority U.S. control.

 This back-and-forth has created immense uncertainty for businesses, marketers, and content creators who rely on TikTok. Even if the platform avoids a ban, its compliance with U.S. privacy laws remains under scrutiny, raising critical concerns for companies that engage with TikTok for advertising, data analytics, or consumer outreach.

 As a privacy and data security attorney, I help businesses navigate these complexities. Below, I break down TikTok’s privacy controversies, the global regulatory challenges it faces, and what businesses should do to stay ahead in 2025 and beyond.

 1. The Privacy Controversies Surrounding TikTok

 What Data Does TikTok Collect?

 TikTok’s privacy policy reveals that it collects a staggering amount of user data, including:

• Basic Identifiers: Name, phone number, email, and location.

• Device Information: IP addresses, browser fingerprints, and unique device IDs.

• Behavioral Data: Likes, comments, shares, and time spent on different types of content.

• Biometric Data: Facial recognition and voiceprint data (in some regions).

• Location Data: Precise GPS tracking, even when the app is not actively in use.

• Keystroke Patterns: Reports suggest TikTok may be monitoring typing activity, raising additional security concerns.

 This level of data collection is not unique among social media platforms, but the concern with TikTok stems from who has access to this data and how it is used.

 Chinese Ownership and Data Transfers

 A significant factor driving TikTok’s privacy concerns is its parent company, ByteDance, based in China. Critics, including U.S. lawmakers, fear that China’s data laws could compel ByteDance to share user data with the Chinese government. Although TikTok has repeatedly denied such claims, investigations into Project Texas (TikTok’s initiative to store U.S. user data on Oracle servers) suggest that Chinese engineers may have had access to this data.

 Government Bans and Investigations

• United States: In 2023, several U.S. states and federal agencies banned TikTok on government devices, citing national security concerns. The January 19, 2025, deadline for ByteDance to sell TikTok to a U.S. company is the most serious legal challenge the platform has faced to date.

• European Union: The Irish Data Protection Commission (DPC) fined TikTok €345 million in 2023 for mishandling children’s data. Additionally, the EU’s Digital Services Act (DSA) now requires TikTok to disclose how its algorithms operate and mitigate risks tied to misinformation.

• United Kingdom: The UK’s Information Commissioner’s Office (ICO) fined TikTok £12.7 million for unlawfully processing the data of children under 13.

 For businesses and individuals using TikTok, these investigations indicate heightened regulatory scrutiny and the potential for stricter compliance requirements in the future.

 2. TikTok and Privacy Laws: Key Compliance Issues

 A. GDPR Violations and European Investigations

 Under the EU’s General Data Protection Regulation (GDPR), companies processing personal data must comply with strict transparency, consent, and security requirements. TikTok has been found in violation of GDPR multiple times, primarily due to:

• Failure to obtain valid parental consent for minors.

• Opaque data-sharing practices.

• Concerns over cross-border data transfers to China.

 For businesses leveraging TikTok for marketing, compliance with GDPR means:

✔ Ensuring explicit consent for data collection in EU-based campaigns.

✔ Verifying whether user analytics involve personal data that falls under GDPR protections.

✔ Evaluating TikTok’s Data Processing Agreements (DPAs) and ensuring safeguards for international data transfers.

 B. CCPA & CPRA: How TikTok Fits into U.S. Privacy Laws

 In the U.S., the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), impose transparency and opt-out requirements on businesses handling California residents’ data. TikTok’s compliance challenges include:

• Failure to clearly disclose how user data is shared with advertisers and third parties.

• Lack of sufficient opt-out mechanisms for targeted advertising.

• Potential issues with data retention practices, especially regarding minors.

 Businesses advertising or running campaigns on TikTok should ensure they:

✔ Disclose the use of TikTok-related tracking technologies (e.g., pixels, cookies).

✔ Provide opt-out options for California consumers who do not want their data shared.

✔ Work with legal teams to determine whether TikTok’s data-sharing practices align with CCPA/CPRA regulations.

 C. FTC Enforcement: What’s Next?

 The Federal Trade Commission (FTC) has been aggressive in investigating social media platforms over deceptive practices and privacy violations. TikTok is likely to face:

• Stricter rules on how it handles children’s data under COPPA (Children’s Online Privacy Protection Act).

• Greater oversight of how its algorithms collect and process user preferences.

• Potential penalties if found misleading users about data-sharing practices.

 Companies relying on TikTok for marketing should monitor FTC guidance closely to avoid legal pitfalls.

 Final Thoughts: TikTok’s Privacy Future in 2025

 Regardless of whether TikTok avoids a ban, its privacy and compliance challenges are not going away. Even if ByteDance negotiates an alternative ownership structure, U.S. and international regulators will continue scrutinizing the platform’s data collection and security practices.

 For businesses, the key takeaway is clear: privacy compliance must be a priority. Companies that rely on TikTok should ensure they are following evolving laws, limiting data risks, and preparing for potential platform disruptions.

 As a privacy and data security attorney, I help businesses develop legal strategies that protect their interests while ensuring compliance with the latest regulations. If your company uses TikTok or other social media platforms, now is the time to assess your legal exposure and take action.

 📩 Let’s connect to discuss how your business can stay ahead in the evolving landscape of data privacy and social media regulation.

 About the Author: Seth Lubin, Esq.

Seth Lubin is a privacy and data security attorney with over 34 years of experience advising businesses on regulatory compliance, risk mitigation, and data protection. Certified in data privacy and security from Harvard Business School, he specializes in helping companies navigate complex laws such as GDPR, CCPA/CPRA, and FTC regulations. As General Counsel for Datasys, Seth provides strategic legal guidance on emerging technologies, AI, and global data governance.