On March 23, TikTok CEO Shou Chew testified in front of Congress where lawmakers grilled him on concerns that American user data may be at risk of being accessed by the Chinese government and the implications it poses for both national security and data privacy at large.
Overview of the current US data privacy landscape
Data privacy is a complex issue that affects individuals and businesses worldwide. In the United States, the landscape of data privacy laws is constantly evolving, with both federal and state laws regulating the collection, storage, and use of personal data.
Data privacy laws in the United States have been slower to develop than in other parts of the world, such as Europe, where the General Data Protection Regulation (GDPR) has been in effect since 2018. While the US has taken some steps to address data privacy concerns, it is widely recognized that the country is lagging behind in terms of comprehensive federal data privacy legislation.
Current federal and state data privacy laws include:
- California Consumer Privacy Act (CCPA): In 2018, California became the first state to pass a data privacy law. The CCPA grants California residents the right to know what personal information businesses collect about them, the right to request that their information be deleted, and the right to opt out of the sale of their personal information.
- The Children’s Online Privacy Protection Act (COPPA): This law governs the collection of information about minors, requiring websites and online services directed towards children under 13 to obtain parental consent.
- Virginia Consumer Data Protection Act (CDPA): This state law establishes data protection rights for Virginia residents, including the right to access, correct, and delete their personal information, and the right to opt out of the sale or processing of their personal information.
- Health Insurance Portability and Accountability Act (HIPAA): This law regulates the collection of health information and applies to healthcare providers, health plans, and other entities handling protected health information.
- New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act: This state law requires businesses to implement reasonable data security measures to protect the personal information of New York residents, and to notify affected individuals in the event of a data breach.
- Gramm-Leach-Bliley Act (GLBA): This law governs personal information collected by banks and financial institutions, requiring them to provide customers with notice of their privacy practices and safeguard their personal information.
Despite these state-level efforts, there is a growing recognition that a comprehensive federal data privacy law is needed to create a unified standard across the country. The lack of a federal law has created a patchwork of varying state laws that can be difficult for businesses to navigate.
TikTok data collection practices
TikTok collects a wide range of user data, including their location, browsing history, search queries, and device information. This data is used to personalize users’ feeds and to serve them targeted content. However, concerns have been raised that TikTok may be sharing this data with the Chinese government, which has been accused of using data to spy on foreign governments and citizens.
TikTok has denied these allegations and said that it stores American user data in the US and Singapore, and that its data centers are located outside of China. The company has also said that it has a team of US-based moderators reviewing content to ensure it complies with US laws and regulations.
TikTok’s regulatory history
This isn’t the US government’s first attempted regulatory action against TikTok over data privacy concerns. In August 2020, President Trump issued an executive order that would have banned TikTok in the US unless it was sold to a US-based company. However, the ban was later blocked by the courts.
In June 2021, President Biden revoked the Trump-era executive order but replaced it with a new one that called for a review of TikTok’s data collection practices. The order instructed the US Department of Commerce to conduct a review of any apps with ties to foreign adversaries that could pose a national security risk.
Earlier this month, the US Congress’s data security concerns culminated in officially banning the app on all federal government devices in December. The Biden Administration then gave all government employees 30 days to delete TikTok from federal devices and systems.
Takeaways from the congressional hearing
In the opening remarks of his testimony, TikTok CEO Shou Chew stressed the app’s more favorable relations to the US, stating, “TikTok itself is not available in mainland China, we’re headquartered in Los Angeles and Singapore, and we have 7,000 employees in the U.S. today.”
When pressed on the potential use of TikTok for surveillance by the Chinese government, Chew asserted that while the concerns were not to be trivialized, they had already been addressed with real action.
That action came in the form of a massive corporate restructuring that will relocate all U.S. user data to U.S. servers in hopes of building trust with the American government and its users. In addition, the 1.5 billion dollar initiative called the Texas Project will enlist multiple federal agencies, multiple outside consultants, security vendors, and auditors to provide oversight.
Despite Chew’s efforts to assure lawmakers that TikTok’s data collection practices are consistent with those of other tech giants in the industry, representatives remained unconvinced and firm in their position that the app is dangerous. The currently proposed bill, the Restricting the Emergence of Security Threats that Risk Information and Communications Technology Act, or RESTRICT Act (S.686), has already received backing from 22 bipartisan members of Congress.
The TikTok controversy raises important questions about data privacy in the US. As social media becomes an increasingly important part of people’s lives, it’s paramount to ensure that users’ data is protected and that companies are transparent about their data collection practices.
The TikTok controversy also highlights the challenges of regulating global technology companies. With companies like TikTok operating across multiple jurisdictions, it can be difficult to establish clear rules and regulations that protect users’ data while also allowing for innovation and growth.
In a video posted to his official TikTok account, North Carolina congressman Jeff Jackson updated his constituents on the results of the recent hearing and expressed his personal thoughts on the current data privacy climate saying:
“It’s been Congress’s failure to pass a data privacy law— which it should have passed years ago— that’s gotten us into this situation. This week TikTok became the symbol for a lot of general concern. I think we can use this moment to produce at least one clear point of consensus moving forward. We need a data privacy law that will protect us from all internet companies and all social media platforms, not just the ones that are owned by foreign governments. None of these social media companies have an incentive to stop vacuuming up all of our data because for them we’re talking about a lot of money.”
These sentiments have been echoed by several representatives and senators, many of whom have introduced various bills of their own since 2019. Government officials and consumers alike are more conscious of data privacy than ever before. One thing is clear: as technologies and social media apps like TikTok continue to emerge and advance, the need for comprehensive protection of personal data at the federal level will likely be unavoidable.