Background: TikTok’s Assertions of Data Privacy and U.S. Skepticism
Since its meteoric rise in 2016, the social media platform known as ‘TikTok’ has gained popular appeal with its addictive algorithms and trends, garnering over 150 million American users since March 2023. However, behind the cute cat videos and choreographed dance routines, there’s quite a large elephant in the room: American consumer data privacy. TikTok, Ltd., based in Los Angeles and Singapore, is a subsidiary of ByteDance, a Beijing-based company with alleged ties to the Chinese Government. Like most private companies in the People’s Republic of China (PRC), ByteDance is subject to a myriad of data security and cybersecurity laws that allow the Chinese Communist Party (CCP) to compel these companies to turn over consumer data. Lawmakers’ core bipartisan concern is that TikTok amasses copious amounts of data from its American users from “user content and communications” to “location-related data, device identifiers, cookies, metadata, and other sensitive personal information” that the company likely shares with its governmental partner. Spurred by mounting concern from state legislators, the FBI, and Department of Defense, over 30 states have banned TikTok on state-issued devices.
TikTok has made repeated representations to the public that the copious amounts of consumer data it collects are not shared with ByteDance. The company has doubled down on its repeated assertions that TikTok is committed to protecting consumer data from foreign exposure and even launched its own U.S. data security website complete with an animated two-minute video claiming the company’s goal is to make TikTok “the most secure social media experience on the internet.” The website also outlines Project Texas, Tiktok’s $1.5 billion data security plan “dedicated to making every American on TikTok feel safe, with confidence that their data is secure and the platform is free from outside influence,” which Congress and former TikTok employees have criticized as not going far enough to fully insulate users’ data from China.
Despite repeated assertions by TikTok executives that its consumer data is not shared with ByteDance and therefore not at risk of being shared with the CCP, a June 2022 Buzzfeed report uncovered audio tapes from 80 internal TikTok meetings that corroborate public officials’ greatest fears: ByteDance employees “have repeatedly accessed [non-public data] about US TikTok Users” and “Everything is seen in China.”
On March 23, 2023, TikTok CEO Shou Zi Chew testified before the House Energy and Commerce Committee at a hearing to address TikTok’s potential threats to data privacy, national security, and online safety for children. While Chew again swore that “ByteDance is not owned or controlled by the Chinese government” and “is a private company,” his statements did not assuage lawmakers’ concerns of exposure of American consumer data to the Chinese government, given the CCP’s recent campaign to consolidate control over the Chinese technology industry and silence wealthy tech executives who criticize or defy the government. Most importantly, these statements did little to dispel any of the outstanding allegations that ByteDance employees can and have accessed American consumer data. The company’s subsequent admission that the data of TikTok content creators paid by the company is stored in China only leaves more unanswered questions regarding where the company keeps the remainder of its user data.
FTC Regulatory and Enforcement Solutions
Under § 5(a) of the Federal Trade Commission (FTC) Act, the Federal Trade Commission, a U.S. federal agency enforcing consumer protection laws, is charged with bringing enforcement actions against companies engaging in unfair or deceptive acts or practices “in or affecting commerce.” FTC has interpreted this explicit grant of congressional power quite broadly, bringing enforcement actions to combat many business practices, from deceptive advertising practices to poor data security frameworks that led to data breaches and the dissemination of consumers’ personally identifiable information.
The 2005 SAFE WEB Act vested the FTC with specific authority to supply evidence to foreign law enforcement actions in support of foreign investigations or enforcement actions into violations of foreign laws that prohibit unfair or deceptive practices. The FTC has shared “confidential and compelled information” with 43 foreign law enforcement agencies in 20 different countries as of 2023 to combat robocalls, text message spam, false advertising, data breaches, and sweepstake scams that all originate abroad.
TikTok’s efforts to secure user data are certainly concrete and, on their face, admirable—but is TikTok being entirely truthful? Even if American consumer data is protected now, what about users who signed up before Project Texas’ launch? A July 2022 Senate Intelligence Committee letter implored the FTC to launch a deception-based investigation based on TikTok’s lack of transparency and continuous misrepresentations regarding data privacy and the degree of access ByteDance employees have to personally identifiable information. Lawmakers expressed further concerns: according to TikTok’s privacy policy, users permit the company to collect consumers’ biometric data like “faceprints and voiceprints (i.e. individually-identifiable image and audio data),” access to which the CCP could easily compel pursuant to the Chinese National Intelligence and Counter-Espionage Laws. Moreover, Congress appears wholly unimpressed in TikTok’s current initiatives and is looking into other solutions.
While the FTC declined to comment on the letter, the FTC’s closer look at TikTok’s representations regarding its data privacy practices is warranted to protect consumers’ data from foreign access, particularly while Congress contemplates more long-term, statutory solutions. The FTC’s regulation of this short-video sharing mobile app is not unprecedented: In 2019, the FTC obtained its largest civil penalty in a children’s data privacy case against TikTok for Tiktok’s unlawful collection of personal information from children under 13 in violation of the Children’s Online Privacy Protection Act (COPPA). COPPA requires operators of websites geared towards children to obtain verifiable parental consent before collecting personal information from children under 13 years of age.
The FTC’s Deception Policy Statement outlines the elements that the FTC must prove in order to state a claim for deceptive practices. The Statement requires (1) a material misrepresentation or omission of information that is (2) likely to mislead consumers (3) acting reasonably under the circumstances to use a product or service. A misrepresentation is considered “material” if an entity’s act or practice is likely to affect the consumer’s conduct or decision regarding a product. Evidence presented by investigative journalists directly contradicts TikTok’s repeated representations to the public that the company safeguards its consumers’ personal data.
If an FTC investigation uncovered TikTok was actively misleading consumers about its handling of consumer data vis-a-vis the Chinese Government, TikTok’s prior representations to the public about its purportedly safe protection practices would be considered misleading and deceptive. Further, TikTok’s false and misleading claims would significantly affect American consumers’ choice to use the product if they were informed that a Chinese company—and by extension the CCP—could access their personal information.
If the FTC were to identify material misrepresentations, the FTC also could likely initiate a similar civil enforcement action against TikTok under the Unfairness Standard. The Unfairness Standard outlines that an act or practice is unfair if it (1) causes substantial consumer injury that (2) is not reasonably avoidable by consumers and (3) is not outweighed by countervailing benefits to consumers or competition. American consumers would certainly view both a domestic subsidiary’s disclosure of their personally identifiable information to its foreign parent company and the CCP’s usage of this information against consumers as unfair. Nearly 60% of Americans see TikTok as a minor or major threat to national security and 64% of Americans are currently “very or somewhat concerned” about TikTok’s usage of data collection. Further, American attitudes towards the CCP have only worsened since 2018, as two thirds of Americans have expressed intensified negative and cold feelings towards China’s authoritarian political structure and human rights violations. Given current American sentiment towards TikTok and the CCP, the revelation that TikTok shares consumer personal information outside the United States would cause unavoidable, substantial injury to American consumers—and the CCP’s usage of users’ data would not even marginally benefit them.
FTC’s prior rules in consumer privacy and security, including its Health Breach Notification Rule, Red Flags Rule, Gramm-Leach-Bliley (GLB) Safeguards Rule, Telemarketing Sales Rule, and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) Rule, all indicate how the FTC has exercised its rulemaking authority to protect consumers’ personal health records and financial information as well as safeguard consumers against deceptive commercial email, inadequate information security, and identity theft. In relying on its data privacy expertise, the FTC could promulgate a rule that clarifies its enforcement standards regarding a social media mobile app’s usage and sharing of consumer personal information with domestic and international entities. In fact, the FTC published an advance notice of proposed rulemaking on August 10, 2022 to seek public comment on the “prevalence of commercial surveillance and data security practices that harm consumers.” This notice of proposed rulemaking, which concluded in November 21, 2022 after the FTC’s extension of the comment deadline, has not resulted in the promulgation of a final rule targeting commercial surveillance and lax data security practices. However, this Notice does indicate that the FTC is seriously contemplating tackling this very problem and the agency may promulgate a final data privacy rule in the near future.
Complicating Factors for FTC Enforcement and Rulemaking: Supreme Court Administrative State Skepticism
A recent line of decisions by the Supreme Court has left the FTC and other agencies’ ability to regulate company practices on a broad scale in doubt, however. The Supreme Court’s decision in AMG Capital Management LLC v. Federal Trade Commission in 2021 established that § 13(b) of the FTC Act did not give the FTC the authority to seek equitable monetary relief, including disgorgement or restitution, effectively restricting its enforcement powers to obtaining injunctions. FTC’s inability to effect consumer redress, except through the more limited § 19(b) of the Act, makes it exceedingly difficult to deter TikTok and other companies from engaging in similar deceptive and unfair practices in the future. This ruling is not entirely surprising, as commentators agree the current Supreme Court is targeting agency deference and independence and believes Congress, not the administrative state, is the branch most constitutionally suited to tackle the most complex issues of our time through lawmaking.
In Axon Enterprise, Inc. v. Federal Trade Commission, the Supreme Court held in 2023 that the statutory review scheme established in the FTC Act does not bar federal district courts’ jurisdiction over constitutional challenges of FTC enforcement actions, opening the door to challenges to an FTC investigation’s constitutionality by subjects of that very same investigation. This decision will inevitably result in FTC administrative law judges being subject to a flood of due process and other collateral constitutional challenges, ultimately distracting from the FTC’s ability to bring enforcement actions against companies through the adjudicatory process effectively and efficiently. Furthermore, the Supreme Court has opened the door to further constitutional challenges of the structure of the FTC’s enforcement scheme itself, severely limiting the agency’s enforcement mechanisms.
Moreover, FTC’s contemplation of a Data Security Rulemaking without clear congressional authorization could run afoul of the Supreme Court’s Major Questions Doctrine, which presumes Congress does not implicitly delegate issues of major economic or political significance to agencies and therefore Congress must do so explicitly. The FTC could be especially susceptible to a Major Questions challenge if the Supreme Court overturns Chevron deference,the deferential notion that Courts should defer to an agency’s interpretation of an ambiguity within its organic statute as long as that interpretation is reasonable. Without Chevron’s protections, the Supreme Court will examine any rule the FTC promulgates with a high degree of scrutiny. Consequently, a rule that regulates consumer data privacy, an issue with major economic significance, without any clear congressional authorization, is at risk of Supreme Court invalidation.
Conclusion: A Call for Congressional Action
TikTok’s data privacy practices drastically affect American consumers’ data and TikTok’s misrepresentations warrant the FTC investigating further. While the FTC has continually relied on § 5(a)’s unfair or deceptive acts or practices standard to target these cybersecurity and data privacy violations, the Supreme Court’s recent decisions indicate skepticism of the broad extensions of agency authority. With the Supreme Court poised to evaluate the constitutionality of the Consumer Financial Protection Bureau (CFPB)’s funding mechanism this term, FTC enforcement actions may be subject to similar challenges, complicating its ability to formally challenge TikTok and its Chinese parent company.
There’s no question that the FTC and other federal agencies will continue to face similar challenges to their authority in light of the Court’s willingness to skirt Chevron Deference and strike down major questions. Even if the FTC promulgated a Data Privacy rule directed at TikTok, coupled with overwhelming evidence of unfairness and deception to bring an enforcement action, the Supreme Court may favor a clear legislative solution to data privacy rather than an administrative agency one. However, partisan gridlock, the inherently prolonged legislative process, Congress’s inability to pass the most basic spending bills, and general Congressional dysfunction suggest Congress is unlikely to enact a clear legislative solution for the FTC anytime soon.
Author Biography: Andrew Allen is a J.D. Candidate at The George Washington University Law School and a Senior Moderator of the International Law and Policy Brief. He received his B.A. from Furman University in International Affairs and History in 2021.