TikTok collects information about how you type on your device, including the rhythm and patterns of your keystrokes, as well as detailed device and sensor information.
This analysis describes what TikTok Ads's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Keystroke dynamics can be used as a behavioral biometric identifier, capable of uniquely identifying individuals; collection of this data is unusual among mainstream consumer apps and may carry specific legal implications in biometric data jurisdictions.
Interpretive note: Whether keystroke pattern collection constitutes biometric data under BIPA or GDPR Article 9 depends on how the data is used and processed; the policy does not specify the purpose of this collection beyond general device information, creating interpretive uncertainty.
The updated policy changed the controlling entity from TikTok USDS Joint Venture LLC to TikTok Pte. Ltd., a Singapore-registered company. The U.S.-specific privacy policy language was replaced with terms covering "other regions." Users previously governed under U.S. privacy protections are now subject to different jurisdictional terms.
View change record →TikTok collects keystroke rhythms and patterns from your device, which is a form of behavioral biometric data that can potentially be used to identify you; this collection occurs automatically as part of using the app and is not separately disclosed as a biometric data practice in the policy.
How other platforms handle this
We collect information about you when you shop in our stores, including through store cameras, loyalty programs, payment processing systems, and other in-store technologies. This information is used to improve store operations, loss prevention, and marketing.
We target (and measure the performance of) ads to Members, Visitors and others both on and off our Services directly or through a variety of partners, using the following data, whether separately or combined: Data from advertising technologies on and off our Services, like web beacons, pixels, ad ta...
We may de-identify or aggregate your personal information so that it can no longer reasonably identify you, and use such de-identified or aggregated data for any purpose, including sharing with third parties for research, analytics, and marketing purposes, without restriction.
Monitoring
TikTok Ads has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect certain information about the device you use to access the Platform, such as your IP address, user agent, mobile carrier, time zone settings, identifiers for advertising purposes, model of your device, the device system, network type, your screen resolution and operating system, app and file names and types, keystroke patterns or rhythms, battery state, audio settings and connected audio devices.— Excerpt from TikTok Ads's TikTok Privacy Policy
(1) REGULATORY LANDSCAPE: Keystroke dynamics collection engages GDPR Article 4 (definition of biometric data if used for unique identification), Illinois BIPA (which defines biometric identifiers to include data based on an individual's biological characteristics that can be used to identify an individual), Texas CUBI, and potentially other state biometric privacy statutes. The policy does not characterize keystroke patterns as biometric data, but applicable law may not defer to the company's characterization. The FTC and state attorneys general in biometric-privacy states are the primary enforcement authorities. (2) GOVERNANCE EXPOSURE: High in biometric-privacy jurisdictions. Keystroke pattern collection is not a standard disclosed practice in most consumer social media privacy policies, and its inclusion here without a specific explanation of purpose or legal basis creates elevated regulatory exposure. If keystroke data is used for user identification or authentication purposes, BIPA's definition of biometric identifier may apply, triggering written consent, retention schedule, and prohibition-on-profit requirements. (3) JURISDICTION FLAGS: Illinois (BIPA, private right of action with statutory damages of $1,000 to $5,000 per violation), Texas (CUBI, AG enforcement), Washington, and EU/EEA (GDPR Article 9 if keystroke data is processed to uniquely identify individuals). California CPRA includes biometric information as sensitive personal information with opt-out rights for processing. (4) CONTRACT AND VENDOR IMPLICATIONS: Any third-party analytics or fraud detection vendors receiving keystroke data as part of their service should be assessed for BIPA compliance, including whether they have independent written consent obligations or are acting as processors under a data processing agreement. The policy references keystroke data in the context of general device information but does not specify which vendors receive this data. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether keystroke data is used for user identification or authentication, which would trigger biometric privacy statute requirements. If so, Illinois BIPA compliance requires a publicly available written retention and destruction policy, written consent prior to collection, and a prohibition on selling or profiting from the data. A data protection impact assessment is advisable for this processing activity given its sensitivity. Consideration should be given to whether this data is disclosed under CPRA as sensitive personal information.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Keystroke dynamics can be used as a behavioral biometric identifier, capable of uniquely identifying individuals; collection of this data is unusual among mainstream consumer apps and may carry specific legal implications in biometric data jurisdictions.
TikTok collects keystroke rhythms and patterns from your device, which is a form of behavioral biometric data that can potentially be used to identify you; this collection occurs automatically as part of using the app and is not separately disclosed as a biometric data practice in the policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by TikTok Ads.