TikTok collects information about how you type on your device, including the rhythm and patterns of your keystrokes, as well as detailed device and sensor information.
This analysis describes what TikTok Ads's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Keystroke dynamics can be used as a behavioral biometric identifier, capable of uniquely identifying individuals; collection of this data is unusual among mainstream consumer apps and may carry specific legal implications in biometric data jurisdictions.
Interpretive note: Whether keystroke pattern collection constitutes biometric data under BIPA or GDPR Article 9 depends on how the data is used and processed; the policy does not specify the purpose of this collection beyond general device information, creating interpretive uncertainty.
The updated policy states that TikTok Pte. Ltd., a Singapore-registered entity, now provides and controls the Platform, replacing the previous U.S.-based operator. The policy removes its prior explic…
TikTok collects keystroke rhythms and patterns from your device, which is a form of behavioral biometric data that can potentially be used to identify you; this collection occurs automatically as part of using the app and is not separately disclosed as a biometric data practice in the policy.
How other platforms handle this
Geolocation data, such as device location. Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement. Device identifiers, such as IP address, unique d...
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
Monitoring
TikTok Ads has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We collect certain information about the device you use to access the Platform, such as your IP address, user agent, mobile carrier, time zone settings, identifiers for advertising purposes, model of your device, the device system, network type, your screen resolution and operating system, app and file names and types, keystroke patterns or rhythms, battery state, audio settings and connected audio devices.— Excerpt from TikTok Ads's TikTok Privacy Policy
(1) REGULATORY LANDSCAPE: Keystroke dynamics collection engages GDPR Article 4 (definition of biometric data if used for unique identification), Illinois BIPA (which defines biometric identifiers to include data based on an individual's biological characteristics that can be used to identify an individual), Texas CUBI, and potentially other state biometric privacy statutes. The policy does not characterize keystroke patterns as biometric data, but applicable law may not defer to the company's characterization. The FTC and state attorneys general in biometric-privacy states are the primary enforcement authorities. (2) GOVERNANCE EXPOSURE: High in biometric-privacy jurisdictions. Keystroke pattern collection is not a standard disclosed practice in most consumer social media privacy policies, and its inclusion here without a specific explanation of purpose or legal basis creates elevated regulatory exposure. If keystroke data is used for user identification or authentication purposes, BIPA's definition of biometric identifier may apply, triggering written consent, retention schedule, and prohibition-on-profit requirements. (3) JURISDICTION FLAGS: Illinois (BIPA, private right of action with statutory damages of $1,000 to $5,000 per violation), Texas (CUBI, AG enforcement), Washington, and EU/EEA (GDPR Article 9 if keystroke data is processed to uniquely identify individuals). California CPRA includes biometric information as sensitive personal information with opt-out rights for processing. (4) CONTRACT AND VENDOR IMPLICATIONS: Any third-party analytics or fraud detection vendors receiving keystroke data as part of their service should be assessed for BIPA compliance, including whether they have independent written consent obligations or are acting as processors under a data processing agreement. The policy references keystroke data in the context of general device information but does not specify which vendors receive this data. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether keystroke data is used for user identification or authentication, which would trigger biometric privacy statute requirements. If so, Illinois BIPA compliance requires a publicly available written retention and destruction policy, written consent prior to collection, and a prohibition on selling or profiting from the data. A data protection impact assessment is advisable for this processing activity given its sensitivity. Consideration should be given to whether this data is disclosed under CPRA as sensitive personal information.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Keystroke dynamics can be used as a behavioral biometric identifier, capable of uniquely identifying individuals; collection of this data is unusual among mainstream consumer apps and may carry specific legal implications in biometric data jurisdictions.
TikTok collects keystroke rhythms and patterns from your device, which is a form of behavioral biometric data that can potentially be used to identify you; this collection occurs automatically as part of using the app and is not separately disclosed as a biometric data practice in the policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by TikTok Ads.