Getting personal with ByteDance

Alongside a renewed surge of interest in Huawei, some major English-language media outlets are raising the alarm about a seemingly much more frivolous offering: the ByteDance short-video app TikTok.

We’ve covered how the company’s platforms spread misinformation and put minors at risk in important international markets. But the connection between TikTok, which is operated separately from domestic counterpart Douyin, and the Chinese government’s invasive approach towards data is much less clear.

To begin to tackle the issue, we compare the app’s privacy policies at home and abroad. Then we review the most important highlights from recent headlines.

TikTok (US)

TikTok has six different privacy policies based on user location: Germany, the rest of the EU, India, Russia, the US, and other countries. Within the US, privacy policies are further divided up between 13 years and older users and those under 13.

The variation among policies reflects the varied implementation of data protection regulations across the world, including the US Federal Trade Commission’s (FTC) historic $5.7 million legal victory against TikTok for violating child privacy protections.

To reflect this new reality, the US version of TikTok’s privacy policy was split and updated this past February. The new US privacy policy states: “If we become aware that personal information has been collected on the Platform from a person under the age of 13 we will delete this information and terminate the person’s account.”

Videos and user profiles of under-13 users can no longer be viewed publicly; nor are those users allowed to message others in-app, although some personal, geographic, and “general user data” is collected by TikTok. Minors in the state of California can request to have all their personal content removed from the platform.

As we’ve pointed out before, however, there are no binding in-app measures to prevent underage users from simply lying about their age.

Due in part to these reasons, TikTok scored only 35 points out of 100 (“use with caution”) on the evaluation of its privacy performance by the nonprofit Common Sense Media. In the “Compliance: following statutory laws and regulations” category of the report, TikTok rated only 17. By comparison, Instagram scored an all-around 39, and also received a 39 for compliance with regulations.

“It is no secret that tech companies are illegally and knowingly collecting personal information from children,” said Common Sense Media CEO Jim Steyer in a February statement shared with TechNode.

Referring to the popular video app that Bytedance acquired in November 2017 and merged with TikTok last August, Steyer said: “Musical.ly wasn’t the first company and they won’t be the last, which is why we need the FTC to continue to regularly enforce the Children’s Online Privacy Protection Act and hold companies accountable in a big way.”

In a May editorial on Quartz, media design professor and data privacy activist David Carroll points out another major issue with the US version of TikTok. Before the February update, an older edition of its privacy policy stated that data belonging to international users could be shared with “any member of affiliate of our group, in China.”

The new version doesn’t clarify whether this is still the case; in response to Carroll’s inquiry, Bytedance representatives said that US user data is not stored in China and cannot currently be accessed by the Chinese government, but didn’t confirm the same for data collected before February 2019.

Douyin (China)

Douyin’s privacy policy is similar to TikTok’s US edition in many respects. For instance, the app states that with user consent, it may collect personal information, contacts, video content, and information from connected third-party social network accounts.

Regarding young users, however, the policy, which hasn’t been updated since October, has much less clearly delineated regulations.

Some 8,900 Chinese characters into the text of the terms, the platform states that users under 18 “should read and agree to this privacy policy” under the guidance of their parents or guardians.

The policy then states it will protect underage user information in accordance with domestic law, and will share and use their data only as permitted by regulations, parents, or guardians, seemingly placing all three on the same level. The platform continues by saying that “if we find” that minors’ data has been collected without parental/guardian consent, they will try to delete the information as soon as possible.

The rest of the policy also contains repeated mentions of “relevant laws and regulations.”

• Douyin has a live-streaming component, and live-streamers are required by Chinese law to authenticate their identities. The app’s privacy policy states that Douyin may collect users’ real names, ID card numbers, and phone numbers. Later on, the policy clarifies that users can have most of their data deleted with the possible exception of real-name information; users can, however, still email feedback@douyin.com to request to have it modified.
• Similarly: “When you use the identity authentication feature provided by ‘Douyin’ software and related services, we will protect your sensitive personal information in accordance with the relevant laws and regulations and/or the requirements of the identity authentication feature (for example: Sesame authentication).”
• Personal information will not be shared without consent except in some cases. These exceptions include national security, national defense, public safety and health, the “greater public interest,” criminal cases, and the broad category of “other circumstances prescribed by laws and regulations.”
• Under the “canceling your account” section, the policy states that “we will delete all of your account information or anonymize relevant information, except as otherwise stipulated by laws and regulations.”

In case it wasn’t abundantly clear that user data is subject to China law alone, the terms also stipulate: “We will store personal information collected and created in the course of domestic operations in the People’s Republic of China, and will not transfer the above information abroad.”

The upbeat

Highlights from recent headlines

Strategic moves

• Beijing News: Bytedance’s aggregator Jinri Toutiao has set up a 200-person gaming unit that focuses on advertising, publishing, and developing mini-games.

While Tencent’s games rely on in-app purchases for revenue, Bytedance’s mini-games on Jinri Toutiao and Douyin are essentially ad distributors—users can acquire special items or rewards by watching short ads. However, Bytedance’s current emphasis on mini-games is likely to change as it further integrates personnel and technologies from Mokun Technology, the game company it acquired in March.

• TMTPost: Bytedance is making a foray into consumer hardware by developing educational gadgets that will be released in 2019.

The Financial Times reported on May 27 that Bytedance is developing a smartphone with its apps pre-installed, sparking speculations about the company’s strategy in the hardware market. But according to a Bytedance spokesperson, the company’s first consumer hardware product will be an educational device. Bytedance also said that the alleged smartphone is a continuation of a project from Smartisan, a phone maker from which Bytedance acquired a number of patents, and that it will retain the Smartisan brand.

• Quartz: Bytedance has hired Sameer Singh, former CEO of Asian operations of media investment firm GroupM, to be its vice-president of monetization for India.

Indian users account for almost 40% of TikTok’s 500 million users, making the country one of Bytedance’s largest markets. TikTok’s monetization strategy revolves around advertising but has been making far less progress than its Chinese version Douyin. A hire with close knowledge of India’s marketing landscape could speed up Bytedance’s monetization process in the country.

Ongoing legal disputes

• 36Kr: Tencent filed two lawsuits against Bytedance, demanding the company stop users from live-streaming or uploading videos containing Tencent games “CrossFire” and “Honour of Kings” on its apps.

Bytedance is likely to face more pushback from Tencent as it attempts to secure a larger piece of the video game pie. Including the two most recent cases, Tencent has filed eight lawsuits against Bytedance in less than seven months for live-streaming and creating videos using Tencent hit titles. As of right now, circumstances appear to be in Tencent’s favor—a court in Guangzhou ruled in February that a Bytedance short-video app, Xigua Video, must remove all “Honour of Kings” content.

Conforming to regulations

• TechNode: “Bytedance’s Douyin has on Thursday updated its existing anti-addiction system to give parents more control over their children’s use of the app, further complying with regulatory requirements to limit youth access to short videos.”

Douyin’s new anti-addiction feature is similar to Tencent’s “super-parent” and NetEase’s “Child Guardian” measures, both of which allow parents to control the time and money their children can spend in-game. While the Cyberspace Administration of China (CAC) did not explicitly require Douyin to implement the parent control functionality, the fact that it’s in line with the CAC’s guidelines suggest that it could potentially become an industry standard.