Phone and Social Network Contact Syncing

What it is

If you allow TikTok to access your phone contacts or social network contacts, TikTok collects names, phone numbers, and email addresses of your contacts and matches them against TikTok's user database.

Why it matters (compliance & governance perspective)

This provision means TikTok collects personal data about people who are not TikTok users and have not consented to any TikTok data collection, raising third-party privacy concerns.

This document changed recently

Consumer impact (what this means for users)

When you sync your phone contacts with TikTok, the personal data of your contacts, including people who do not use TikTok, is collected and processed by TikTok; those individuals have no direct ability to control or object to this data collection.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 6 and 14 (lawful basis for and transparency obligations toward data subjects whose data is obtained from third parties), CCPA/CPRA (which may apply to personal information of California residents collected indirectly through contact syncing), and the FTC Act Section 5 (unfair practices relating to collection of non-user personal data). EU data protection authorities have historically scrutinized contact uploading features and the use of non-user personal data on social platforms. The Irish DPC and other EU supervisory authorities are the primary GDPR enforcement contacts. (2) GOVERNANCE EXPOSURE: Medium. Contact syncing is a common feature on social platforms, but the collection of personal data about non-users raises specific GDPR transparency and lawful basis concerns. Non-users have no contractual relationship with TikTok and cannot exercise data rights through standard account-based mechanisms, which creates a governance gap. EU regulators have previously taken enforcement action against similar practices on other social platforms. (3) JURISDICTION FLAGS: EU/EEA (GDPR Articles 6 and 14, non-user data subject rights), UK (UK GDPR), California (CPRA right to know and delete applies to indirectly collected personal information). The lack of a direct notice mechanism for non-users whose data is collected creates heightened GDPR Article 14 compliance exposure. (4) CONTRACT AND VENDOR IMPLICATIONS: No direct vendor implications for this specific provision, but the policy's reference to matching contact data against the platform user database implies data enrichment processing that should be specifically documented in internal data maps and privacy impact assessments. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether the GDPR Article 14 obligation to provide privacy information to data subjects whose data is obtained from third parties (i.e., non-user contacts) is being met, and whether an exception applies. The purpose limitation for contact data (matching against existing users) should be documented and not expanded without reassessment. The opt-in nature of contact syncing is noted in the policy ('if you choose'), which is relevant to consent-based legal basis arguments.

Applicable agencies

Provision details

Other risks in this policy

• Face and Body Feature Data Collection high
• Off-Platform Behavioral Data Ingestion for Ad Targeting high
• Machine Learning and Algorithm Training Using Personal Data medium
• User Content Used in TikTok Advertising Campaigns medium
• Keystroke Pattern and Device Sensor Data Collection high
• Data Sharing with Corporate Group Affiliates high