On May 2, 2026, the European Union imposed a record €530 million fine on TikTok for illegally transferring European user data to China. Five days earlier, TikTok had already begun restructuring its privacy policy under a new corporate entity based in Singapore. ConductAtlas captured both the timing and the substance of these changes as they happened.
The restructuring involves substantive changes to data governance. TikTok's privacy policy now identifies TikTok Pte. Ltd., a Singapore-based company, as the operating entity instead of the previous U.S.-based structure. This shifts the legal framework governing how your personal data is processed, stored, and shared. For 1.5 billion users worldwide, the practical implications are significant and warrant close review.
This analysis is based on verified policy captures from ConductAtlas, which monitors TikTok's Privacy Policy, Terms of Service, Community Guidelines, and advertising terms. Every claim below links to the archived provision with original clause language.
The EU Fine: What Triggered It
Ireland's Data Protection Commission, TikTok's lead EU regulator, concluded a four-year investigation with the largest penalty it has ever imposed. The core finding: TikTok transferred European user data to China without adequate safeguards and failed to prevent potential access by Chinese authorities under domestic anti-terrorism and counter-espionage laws.
The investigation revealed something TikTok had previously denied. In April 2025, the company disclosed that European user data had been stored on servers in China, contradicting evidence it had submitted to regulators. The DPC imposed €530 million in fines and ordered TikTok to suspend all non-compliant data transfers within six months or face further enforcement action.
TikTok announced it would appeal, stating it has never received a request from Chinese authorities for European user data. The company pointed to its Project Clover initiative, which includes plans for three European data centers. However, the DPC's findings suggest the localization effort has not fully addressed the underlying compliance gaps.
What Changed in the Privacy Policy
ConductAtlas detected a high-severity restructuring of TikTok's privacy policy in May 2026. The most significant changes involve corporate entity restructuring, expanded data sharing disclosures, and broadened collection practices.
| Corporate Entity | Operating entity changed from U.S.-based structure to TikTok Pte. Ltd. (Singapore) |
| Data Sharing | Expanded advertising partner data sharing disclosures and recipient categories |
| Biometric Data | Explicit acknowledgment of biometric identifier collection added to policy |
| Location Tracking | Broadened precise geolocation data collection provisions |
| Minor Safety | Children's Privacy Policy link removed from Community Guidelines navigation |
| Content Collection | Pre-upload content processing provisions retained in restructured policy |
The operating entity shifted from a U.S.-based structure to TikTok Pte. Ltd. in Singapore. This is not a minor administrative change. The entity that controls your data determines which regulatory framework governs your privacy rights, which courts have jurisdiction over disputes, and which government agencies can compel disclosure.
The updated policy expanded disclosures around advertising partner data sharing. TikTok's Advertising Partner Data Sharing provision, classified as high severity by ConductAtlas, describes how user data flows to third-party advertising networks. The May 2026 update broadened the scope of these disclosures.
Six High-Severity Provisions to Know
ConductAtlas classifies 45 provisions across TikTok's documents as high severity. Six deserve particular attention in light of the EU fine and restructuring:
Advertising Partner Data Sharing describes how TikTok shares user data with advertising networks and marketing partners. The scope of sharing and the categories of data involved have expanded in recent updates.
Biometric Data Collection explicitly acknowledges that TikTok collects biometric identifiers. This provision is particularly significant given Illinois BIPA litigation and the growing number of state biometric privacy laws taking effect in 2026.
Location Data Collection covers precise geolocation tracking. TikTok's updated policy broadened location data provisions, a change that has drawn attention from privacy researchers and advocacy organizations.
Pre-Upload Content Collection describes TikTok's practice of collecting data about content before users choose to publish it. Under these terms, drafts, abandoned recordings, and content not ultimately published may still be processed.
Sensitive Personal Information Processing covers how TikTok handles categories of data that receive heightened protection under most privacy frameworks, including racial or ethnic origin, health data, and political opinions.
Minor User Protections outlines TikTok's approach to users under 18. ConductAtlas also detected that a Children's Privacy Policy link was removed from the Community Guidelines navigation in a separate update, a change classified as medium severity.
Why the Singapore Restructuring Matters
Corporate entity changes in privacy policies are often dismissed as administrative housekeeping. In this case, the timing and regulatory context make the change worth examining closely.
The shift from a U.S. entity to a Singapore entity changes the default legal framework for dispute resolution, data subject rights enforcement, and regulatory oversight. Singapore's Personal Data Protection Act provides a different set of protections than U.S. state privacy laws, GDPR, or the frameworks that applied under TikTok's previous structure.
For U.S. users, this means the entity processing your data is no longer domiciled in the same country where you reside. For EU users, the restructuring raises questions about whether the new entity structure adequately addresses the compliance failures identified in the DPC's investigation. For users in Southeast Asia, where TikTok's user base is growing fastest, Singapore's regulatory environment may offer stronger protections than the previous arrangement.
The restructuring also coincides with TikTok's January 2026 establishment of TikTok USDS Joint Venture LLC, the new entity created as part of the U.S. divestiture deal involving Oracle, Silver Lake, and other American investors. The relationship between the Singapore entity and the U.S. joint venture adds another layer of complexity to understanding where your data goes and who controls it.
Regulatory Landscape
The EU fine is the most visible enforcement action, but TikTok faces regulatory pressure from multiple directions simultaneously:
The DPC's €530 million penalty specifically cited GDPR Articles 44-49 on international data transfers and Article 5(1)(a) on transparency. TikTok has six months to bring its processing into compliance or face suspension of EU data transfers entirely.
In the United States, 20 states now have comprehensive privacy laws in effect as of 2026, including new laws in Indiana, Kentucky, and Rhode Island. California's CCPA/CPRA amendments introduce automated decision-making technology requirements. Colorado's AI Act takes effect this year. Each creates distinct compliance obligations for platforms processing U.S. consumer data.
At the federal level, the FTC retains authority under Section 5 to pursue unfair or deceptive practices related to data handling. TikTok's previous $5.7 million COPPA settlement in 2019 and the DPC's 2023 €345 million fine for child data processing violations establish relevant regulatory history for this platform.
What You Can Do
Go to Settings and Privacy, then Privacy, and audit what data collection permissions you have enabled. Pay particular attention to location services, personalized ads, and data downloads.
Both GDPR and most U.S. state privacy laws give you the right to access the personal data TikTok holds about you. Submit a data access request through the app under Settings and Privacy.
TikTok's ad settings allow you to limit some forms of personalized advertising. This does not stop data collection, but it can restrict how that data is used for targeting.
If you use TikTok for business, advertising, or content creation, the entity restructuring may affect your commercial agreements and data processing terms. Review your TikTok Ads agreements and any data processing addenda.
TikTok's policies are changing faster than most platforms ConductAtlas tracks. The restructuring suggests additional updates are likely as the company responds to the EU enforcement order and U.S. regulatory requirements.
Why Companies Restructure Privacy Entities
Corporate entity changes in privacy policies serve several legitimate purposes. They can reflect genuine operational restructuring, improve regulatory compliance, centralize data governance, or align corporate structure with where users and operations are actually located.
They can also have the effect of shifting the jurisdictional basis for data processing, changing which regulatory authority has primary oversight, or creating separation between entities for liability purposes. Without access to internal decision-making, it is not possible to determine which motivations apply in any specific case.
What can be observed is the timing, the scope of changes, and the regulatory context in which they occur. In TikTok's case, all three factors are notable.
Primary Sources
TikTok Privacy Policy (archived by ConductAtlas, updated May 2026)
TikTok Terms of Service (archived by ConductAtlas)
TikTok Community Guidelines (archived by ConductAtlas)
This analysis is based on 45 high-severity provisions across 5 monitored TikTok documents. Every claim links to the provision page with original clause language and full version history.