Network 10, Bunnings and other brands ditch TikTok’s tracking pixel

Network 10, Bunnings, Vodafone, Mitre10, Total Tools and Nimble have ditched TikTok’s tracking pixel from their websites amid concerns it collects users’ personal information without consent.

Tourism NT, Tourism Tasmania and Tourism Queensland, as well as not-for-profits Headspace, Beyond Blue and Western Sydney University have also stopped using the TikTok for Business tool.

At the end of last year, the Office of the Australian Information Commissioner (OAIC) opened an inquiry into whether TikTok’s pixel breaches the Privacy Act.

Liberal senator and shadow cyber security minister James Paterson then asked 19 organisations’ website operators if they had disabled TikTok’s pixel.

“Regrettably, some organisations are persisting in their use of TikTok’s product despite the serious privacy risk to their website users,” he said in a statement that compiled a list of the organisations’ responses.  

Last year, The Age tested which types of user engagements over third-party sites using TikTok’s pixel triggered information – such as the users’ location, the device they’re using or the items that they select for their shopping cart – to be sent to TikTok’s servers. 

When registering accounts over some third-party sites, user information – including contact details – was sent before they clicked “I consent” to the site’s privacy terms.

“The email addresses and phone numbers are ‘hashed’, meaning they aren’t being stored in their original form, but are easily decrypted,” the masthead wrote.

Some of the organisations that told Paterson that they have not disabled the pixel said that they have manually configured it to restrict its ability to send their website visitors’ information to TikTok. 

TikTok’s usage guidance suggests ensuring that Pixel “aligns with data-sharing policies and does not include data that may be deemed sensitive.”

Woolworths, the University of Wollongong, Kmart and Ladbrokes’ parent company Entain told The Age that they had opted for TikTok’s “manual advanced matching” rather than “automatic advanced matching”. 

TikTok’s “automatic advanced matching” can scrape users’ information from search boxes and form fields, regardless of whether the user has a TikTok account.

Google and Meta also use pixels to enrich customer profiles with users’ browsing history and buying habits over third-party sites – improving targeted advertising – but make it clear that users have to consent before the information is collected. 

According to TikTok’s marketing materials to its business partners: “with this option [automatic advanced matching], the pixel will scan your website for recognisable form fields containing customer information, like email and phone, which is then captured securely and safely via an industry-standard hashing algorithm (SHA-256).”
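Why a site operator should still treat SHA-256-hashed contact details as personal information, shown as an added example that is not code from TikTok, The Age or this article: an unkeyed hash of a normalised identifier is the same wherever it is computed, and a phone number range is small enough to hash exhaustively. The normalisation rules, the sample values and the per-site keys are assumptions constructed for the illustration; the keyed HMAC is a contrast for a site's own pseudonymisation, not a TikTok setting.

```python
import hashlib
import hmac

def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def normalise_email(raw: str) -> str:
    # Assumed normalisation (trim, lowercase); not taken from TikTok's documentation.
    return raw.strip().lower()

def normalise_phone(raw: str) -> str:
    # Assumed normalisation of an Australian number to E.164 form.
    digits = "".join(ch for ch in raw if ch.isdigit())
    if digits.startswith("0"):
        digits = "61" + digits[1:]
    return "+" + digits

def recover_phone(target_hash: str, prefix: str, unknown_digits: int):
    # Hash every number in the range and compare: no key is needed, only time.
    for n in range(10 ** unknown_digits):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None

def keyed_pseudonym(value: str, site_key: bytes) -> str:
    # HMAC with a secret held only by the site: not comparable across sites,
    # and not checkable against a list of candidates without the key.
    return hmac.new(site_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def demo() -> dict:
    # All values below are constructed samples, not real contact details.
    phone_a = sha256_hex(normalise_phone("0400 000 123"))     # as typed on site A
    phone_b = sha256_hex(normalise_phone("+61 400 000 123"))  # as typed on site B
    mail_a = sha256_hex(normalise_email(" Alice@Example.com"))
    mail_b = sha256_hex(normalise_email("alice@example.com"))
    keyed_a = keyed_pseudonym("+61400000123", b"site-a-secret")
    keyed_b = keyed_pseudonym("+61400000123", b"site-b-secret")
    return {
        "phone_linkable": phone_a == phone_b,   # same person matches across sites
        "email_linkable": mail_a == mail_b,
        "recovered": recover_phone(phone_a, "+61400000", 3),
        "keyed_linkable": keyed_a == keyed_b,
        "keyed_recovered": recover_phone(keyed_a, "+61400000", 3),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```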

On the day the OAIC accepted his request to probe the short-form video-sharing platform, Paterson said that “TikTok’s practices of harvesting the private contact information, browsing history and shopping habits of Australian internet users apparently without consent is deeply concerning and highly likely to be unlawful.”

“Especially troubling is that the data of non-TikTok users is allegedly being collected as part of this scheme.”

TikTok’s parent company and 20 percent owner Beijing-headquartered ByteDance could be compelled to hand Australian TikTok users’ data to the Chinese government by Article 7 of China’s National Intelligence Law, according to the senator.

The law requires businesses operating in China to “support, assist and co-operate with the state intelligence work”.

Concerns that TikTok could be obliged to hand user data to the Chinese government were also raised in the lead-up to the Attorney General’s Department issuing a mandatory direction in April last year to deinstall the platform from government devices.


