TikTok analyzes the videos and images you upload to identify faces, body features, and other attributes, and uses this information for purposes including personalizing ads and classifying your demographic profile.
This analysis describes what TikTok Ads's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Collection of face and body feature data from user content may constitute biometric data processing in certain jurisdictions, triggering specific consent and data rights requirements that go beyond standard privacy protections.
Interpretive note: Whether this collection constitutes 'biometric data' triggering GDPR Article 9 or BIPA depends on jurisdiction-specific definitions and how the data is processed; the policy's characterization of some uses as 'non-personally-identifying' does not resolve this question under applicable law.
The updated policy changed the controlling entity from TikTok USDS Joint Venture LLC to TikTok Pte. Ltd., a Singapore-registered company. The U.S.-specific privacy policy language was replaced with terms covering "other regions." Users previously governed under U.S. privacy protections are now subject to different jurisdictional terms.
View change record →Your videos and images may be analyzed to detect and record facial and body attributes, which TikTok uses for demographic classification and ad targeting; in states like Illinois, this type of data may carry specific legal protections under biometric privacy laws.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
TikTok Ads has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may collect information about the videos, images and audio that are a part of your User Content, such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content. We may collect this information to enable special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations.— Excerpt from TikTok Ads's TikTok Privacy Policy
(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 9 (special categories of personal data, which includes biometric data processed for the purpose of uniquely identifying a natural person), Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), Washington My Health MY Data Act, and potentially the EU AI Act given downstream use in machine learning. The relevant enforcement authorities include EU/EEA data protection authorities (with the Irish DPC as lead supervisory authority for TikTok in the EU), the Illinois Attorney General, and the FTC. The policy characterizes some uses as 'non-personally-identifying operations,' but that characterization does not necessarily determine the legal status of biometric data under BIPA or GDPR Article 9, which focus on the nature and capability of the data rather than the company's stated use. (2) GOVERNANCE EXPOSURE: High. The collection of face and body feature location data from user-generated content is a high-exposure provision. Under BIPA, private rights of action exist for unauthorized collection of biometric identifiers without written consent and a published retention/destruction policy. GDPR Article 9 requires explicit consent or another specified legal basis for biometric data processing. The policy's broad disclosure of this collection, combined with multiple stated purposes including advertising and demographic classification, increases the legal surface area for challenge. (3) JURISDICTION FLAGS: Highest exposure in Illinois (BIPA private right of action, statutory damages), Texas (CUBI, AG enforcement), Washington state, and EU/EEA member states under GDPR Article 9. California CPRA also classifies biometric information as sensitive personal information with opt-out and limited use rights. Minor users present additional exposure under COPPA if facial recognition data is collected from children under 13. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should assess whether third-party content moderation and computer vision vendors processing this data on TikTok's behalf have appropriate data processing agreements in place. The policy references service providers for content moderation; those vendors may independently trigger BIPA or GDPR processor obligations. Liability for biometric data breaches in Illinois can be significant and may not be fully contractually shifted. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should audit whether consent mechanisms for face/body feature data collection are jurisdiction-specific and meet the 'explicit consent' standard under GDPR Article 9 and the written consent requirement under BIPA. A biometric data retention and destruction schedule, as required by BIPA, should be verified. Data mapping should specifically tag this processing activity with applicable legal bases by jurisdiction. EU AI Act compliance review should assess whether biometric data use in ML training triggers high-risk AI system obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Collection of face and body feature data from user content may constitute biometric data processing in certain jurisdictions, triggering specific consent and data rights requirements that go beyond standard privacy protections.
Your videos and images may be analyzed to detect and record facial and body attributes, which TikTok uses for demographic classification and ad targeting; in states like Illinois, this type of data may carry specific legal protections under biometric privacy laws.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by TikTok Ads.