TikTok analyzes the videos and images you upload to identify faces, body features, and other attributes, and uses this information for purposes including personalizing ads and classifying your demographic profile.
This analysis describes what TikTok Ads's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Collection of face and body feature data from user content may constitute biometric data processing in certain jurisdictions, triggering specific consent and data rights requirements that go beyond standard privacy protections.
Interpretive note: Whether this collection constitutes 'biometric data' triggering GDPR Article 9 or BIPA depends on jurisdiction-specific definitions and how the data is processed; the policy's characterization of some uses as 'non-personally-identifying' does not resolve this question under applicable law.
The updated policy states that TikTok Pte. Ltd., a Singapore-registered entity, now provides and controls the Platform, replacing the previous U.S.-based operator. The policy removes its prior explic…
Your videos and images may be analyzed to detect and record facial and body attributes, which TikTok uses for demographic classification and ad targeting; in states like Illinois, this type of data may carry specific legal protections under biometric privacy laws.
How other platforms handle this
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
We may collect information about your location, including precise geolocation information, when you use our Services. We use this information to provide location-based services, such as showing you products available in your area, and for other purposes described in this Privacy Policy.
Monitoring
TikTok Ads has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may collect information about the videos, images and audio that are a part of your User Content, such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content. We may collect this information to enable special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations.— Excerpt from TikTok Ads's TikTok Privacy Policy
(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 9 (special categories of personal data, which includes biometric data processed for the purpose of uniquely identifying a natural person), Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), Washington My Health MY Data Act, and potentially the EU AI Act given downstream use in machine learning. The relevant enforcement authorities include EU/EEA data protection authorities (with the Irish DPC as lead supervisory authority for TikTok in the EU), the Illinois Attorney General, and the FTC. The policy characterizes some uses as 'non-personally-identifying operations,' but that characterization does not necessarily determine the legal status of biometric data under BIPA or GDPR Article 9, which focus on the nature and capability of the data rather than the company's stated use. (2) GOVERNANCE EXPOSURE: High. The collection of face and body feature location data from user-generated content is a high-exposure provision. Under BIPA, private rights of action exist for unauthorized collection of biometric identifiers without written consent and a published retention/destruction policy. GDPR Article 9 requires explicit consent or another specified legal basis for biometric data processing. The policy's broad disclosure of this collection, combined with multiple stated purposes including advertising and demographic classification, increases the legal surface area for challenge. (3) JURISDICTION FLAGS: Highest exposure in Illinois (BIPA private right of action, statutory damages), Texas (CUBI, AG enforcement), Washington state, and EU/EEA member states under GDPR Article 9. California CPRA also classifies biometric information as sensitive personal information with opt-out and limited use rights. Minor users present additional exposure under COPPA if facial recognition data is collected from children under 13. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should assess whether third-party content moderation and computer vision vendors processing this data on TikTok's behalf have appropriate data processing agreements in place. The policy references service providers for content moderation; those vendors may independently trigger BIPA or GDPR processor obligations. Liability for biometric data breaches in Illinois can be significant and may not be fully contractually shifted. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should audit whether consent mechanisms for face/body feature data collection are jurisdiction-specific and meet the 'explicit consent' standard under GDPR Article 9 and the written consent requirement under BIPA. A biometric data retention and destruction schedule, as required by BIPA, should be verified. Data mapping should specifically tag this processing activity with applicable legal bases by jurisdiction. EU AI Act compliance review should assess whether biometric data use in ML training triggers high-risk AI system obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Collection of face and body feature data from user content may constitute biometric data processing in certain jurisdictions, triggering specific consent and data rights requirements that go beyond standard privacy protections.
Your videos and images may be analyzed to detect and record facial and body attributes, which TikTok uses for demographic classification and ad targeting; in states like Illinois, this type of data may carry specific legal protections under biometric privacy laws.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by TikTok Ads.