A hot potato: Data collection has become so ubiquitous that most people just assume that any website or app they use is tracking them. Indeed, even after Apple's recent privacy crackdown, Meta has been caught in the act of scraping personal data via a loophole. However, even the savviest users might be surprised that TikTok is tracking them even though they have never used the company's website or app.

According to a Consumer Reports (CR) investigation published last week, TikTok has been planting trackers called "pixels" on hundreds of websites. Partnering with security firm Disconnect, CR looked into about 20,000 websites searching for TikTok's pixels specifically. The pool included the top 1,000 most visited websites and many of the biggest, .org, .edu, and .gov domains since those tend to have more sensitive user data.

The study found that hundreds of companies share data with TikTok. Some prime examples of websites allowing TikTok to embed pixels include the United Methodist Church, Weight Watchers, and Planned Parenthood. Perhaps most disturbing is the Arizona Department of Economic Security's sharing of user data regarding visits to its domestic violence and food assistance pages. By the way, none of these groups would respond to CR's requests for comment. Big surprise.

"I was genuinely surprised that TikTok's trackers are already this widespread," said Disconnect's Chief Technology Officer Patrick Jackson. "I think people are conditioned to think, 'Facebook is everywhere, and whatever, they're going to get my data.' I don't think people connect that with TikTok yet."

"The only reason this works is because it's a secret operation. It shouldn't be happening in the shadows." --- Disconnect

Consumer Reports says that the number of Meta and Google pixels it found dwarfs TikTok's by a long shot. However, it pointed out that TikTok's advertising platform is just getting started, whereas Google and Facebook/Meta have been at it for years.

Consumer Reports was mainly concerned with personal data from organizations with which users would likely have an issue, like hospitals or advocacy groups. Analysts looked closely at the identified TikTok pixels to see what information they shared. TikTok pixels regularly transmit visitor IP addresses, unique ID numbers, pages users view, and what they click and type. It also has access to search requests. All of this is regardless of whether or not the user has a TikTok account.

When asked for comment, TikTok spokeswoman Melanie Bosselait said, "Like other platforms, the data we receive from advertisers is used to improve the effectiveness of our advertising services."

Bosselait added that her company does not create profiles to sell to advertisers. She also claims that data from non-TikTok users is only used for "aggregated reports that they send to advertisers about their websites."

"We continuously work with our partners to avoid inadvertent transmission of [certain sensitive] data," TikTok claims. This type of information would include anything about health conditions, personal finances, or children.

However, CR states that previous investigations have shown that even though sites like Meta and Goole have policies barring transmitting sensitive data, trackers often send it regardless. TikTok's pixels are no different.

For example, CR looked at the national Girl Scouts domain and found that TikTok has a pixel on every page of the website that can transmit personal information if a child is visiting. The analysts also found that searching for "erectile dysfunction" on WebMD resulted in the tracker reporting the query back to TikTok.

Those are just a couple of examples that returned sensitive information to the company despite its privacy statements and rules. If users knew a website they do not even visit had access to this data, they'd likely be outraged.

"The only reason this works is because it's a secret operation," said Jackson. "Some people might not care, but people should have a choice. It shouldn't be happening in the shadows."

Some company executives were unaware of what data their firm was sharing or to whom. Consumer Reports informed the Mayo Clinic that its public website (not the patient portal) was sharing data with TikTok. Disconnect checked later to find that the clinic had removed the TikTok tracker but that the site still used a "considerable number" of other pixels, including those from Microsoft, Google, and others.

Currently, there is not much that consumers can do about this situation. However, CR notes that switching to more privacy-friendly browsers such as Firefox or Brave and strengthening security settings can reduce a lot of tracking. Privacy-protecting extensions are helpful too.

Image credits: TikTok App by Solen Feyissa, Data Value Chain by Open Data Watch