By Sumeyya Ilanbey and David Swan
Some of the country’s largest brands, along with government agencies, have removed TikTok’s data-tracking tool after the nation’s privacy commissioner launched an inquiry into the social media giant’s harvesting of Australians’ data without their knowledge or consent.
Network Ten, BeyondBlue, Western Sydney University, Bunnings and Vodafone are among the organisations to confirm they removed the TikTok pixel amid privacy concerns.
But the University of Wollongong, Woolworths, Sportsbet, Kmart and Ladbrokes will continue to use the tracking code, known as a pixel, because they believe they have put in place measures to restrict TikTok’s ability to scrape users’ personal information. The AFL did not respond to requests for comment on its policy.
The pixel is an invisible piece of code that tracks a user’s web history and personal information even if they do not have a TikTok account. It can then track a user across the internet and piece together their identity, including their email, phone number and buying habits.
While other technology companies such as Google and Meta (parent company of Facebook) have their own pixels, TikTok, owned by Beijing-based ByteDance, does not wait for user consent and is far more aggressive in the way it scrapes information, which could be made available for sharing with the Chinese government.
Senator James Paterson, the Coalition’s home affairs spokesman, wrote last week to 19 Australian companies that have used the pixel, asking whether they continued using it; if not, when they stopped using it; and whether they sought legal advice assuring them they were abiding by the nation’s privacy laws.
“I’m very pleased with the proactive steps taken to protect the privacy of their customers by major Australian companies,” Paterson said.
“Every Australian company is now on notice: follow the lead of organisations who respect the privacy of their website visitors and stop using TikTok’s pixel, or run the risk they are participating in an unlawful mass breach of Australians’ privacy in partnership with a company beholden to a foreign authoritarian government.”
In his letter to the companies that use the pixel, Paterson said ByteDance had admitted its China-based employees were subject to China’s national security and intelligence laws, which require them to co-operate with Chinese government intelligence agencies and to keep that co-operation secret.
“This comes at a time where Australia’s intelligence agencies assess that foreign interference, espionage, state-backed cyberattacks and intellectual property theft are at record highs,” Paterson’s letter stated. “The Chinese government is the principal source of those threats.”
After this masthead in December exposed privacy concerns over TikTok’s pixel, the Office of the Australian Information Commissioner announced it had launched an inquiry into the social media company’s handling of personal information. An inquiry is the step before a formal investigation is initiated.
Under the Privacy Act, organisations have obligations in relation to the personal information they handle, whether they collect this information directly or through third parties. The law requires organisations to take reasonable steps to provide individuals with notice their data is being collected.
Tests by this masthead revealed TikTok used a tool called “automatic advanced matching” that sees when a user enters text into a form field or a search box, and if it looks like an email address or phone number, it scrapes that data, often before the individual clicks “I consent” to the website’s privacy policy.
Network Ten, BeyondBlue, Western Sydney University, Bunnings, Tourism NT, Nimble, Tourism Tasmania, Vodafone, Mitre10, Total Tools, Headspace, Tourism Events Queensland and Sydney Opera House told Paterson, and confirmed to this masthead, they removed the TikTok pixel amid privacy concerns.
Tourism NT said it was also conducting an internal audit review of its use of the tracking tool.
The University of Wollongong said while it used the pixel, it did not activate the automatic advanced matching tool.
“As a priority we are closely reviewing the use of the pixel in line with our privacy policy and web collection statement and will take appropriate actions as required, including any recommendations from the regulator,” a spokesman said.
Woolworths said while it used a “version of the TikTok pixel”, it was manually configured by the organisation and subject to restrictions.
“This means no customer IDs are shared with TikTok via the pixel and is in line with our privacy practices, customers’ expectations and business requirements,” a Woolworths spokesman said.
Sportsbet said it would evaluate its advertising arrangement with TikTok if further information were made public after the commission’s inquiry.
“We are confident that Sportsbet’s use of pixel technology is compliant with our privacy policy,” a Sportsbet spokesman said.
Ladbrokes’ parent company, Entain, did not respond to this masthead’s inquiries, but its public affairs manager advised Paterson that while it continued to use the pixel, it did not use the automatic advanced matching tool.
Kmart told Paterson TikTok pixels were a standard function for many websites, and that the tool it used did not share any personal information with the social media giant.
The AFL did not respond to Paterson’s email, or this masthead’s request for comment.
TikTok blasted the Victorian senator for writing to the companies. “Threatening to name and shame businesses because they work with us and use our pixel, which is a lawful, industry-wide marketing tool, is quite shocking,” a spokeswoman said.
Civic Data managing director Chris Brinkworth said companies needed to remain on high alert for privacy concerns as Google joins Apple Safari and Mozilla Firefox to better protect the privacy of its users by blocking cookies.
“As the cookies disappear, there’s this void, where risks like we’ve seen with business not understanding the nuances of deploying pixels like TikTok will start to seep in because people are looking for ways to identify, match, target and measure [their marketing],” Brinkworth said.
“The tools left by cookies disappearing can be more dangerous: it’s like an untrained technician swapping a safe, universal power wall socket for dozens, even hundreds, of open live wires. This parallels websites with countless unregulated data practices, endangering both users and businesses by mishandling individual customer data if not understood nor governed properly.”
The Office of the Australian Information Commissioner said its inquiries into TikTok were ongoing.