National mental health organisation Beyond Blue removed the TikTok pixel from its website after being alerted to the tracking issue.
“Beyond Blue takes privacy and security extremely seriously, and we apologise for any concern this has caused,” said a spokeswoman for the organisation.
How we tested the TikTok pixel
- We downloaded a Chrome extension called Omnibug, which is used to test marketing and analytics tools.
- With the extension installed, we visited websites such as Sportsbet, Kmart, Beyond Blue and many others.
- We went to sign up for an account on those websites, entering personal information including our full name, email address and phone number.
- Using Omnibug, we could see in real time that information being sent back to TikTok, often before clicking “I consent” to the website’s privacy policy. TikTok uses a tool called “automatic advanced matching” that sees when a user enters text into a form field or a search box, and if it looks like an email address or phone number, it scrapes that data.
- Similar data is sent to Google and Meta, but only after a consent box such as “I consent” has been ticked.
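As an added example (not code from the article or from Omnibug), the check in the steps above can be automated over an exported capture of a sign-up session: the script flags third-party requests that carry a test email address or phone number, in plaintext or hashed, and marks those sent before the consent box was ticked. The hosts, field names, timestamps and the choice of SHA-256 are assumptions; the article says only that hashed data is shared.

```python
import hashlib
from urllib.parse import unquote

def candidate_forms(value):
    """Forms a test identifier may take in a request: normalised plaintext or SHA-256 hex (assumed hash)."""
    norm = "".join(value.split()).lower()
    return {"plaintext": norm, "sha256": hashlib.sha256(norm.encode()).hexdigest()}

def audit(requests, test_values, consent_ts, first_party):
    """List third-party requests carrying a test identifier, marking those sent before consent."""
    findings = []
    for req in requests:
        host = req["host"]
        if host == first_party or host.endswith("." + first_party):
            continue  # the site's own backend is expected to receive the form
        haystack = unquote(req["url"] + " " + req.get("body", "")).lower()
        for field, value in test_values.items():
            for form, needle in candidate_forms(value).items():
                if needle in haystack:
                    findings.append({"host": host, "field": field, "form": form,
                                     "before_consent": req["ts"] < consent_ts})
    return findings

# Constructed sample data: a made-up test identity and four made-up captured requests.
TEST_VALUES = {"email": "Audit.User@example.com", "phone": "+61 400 000 000"}
EMAIL_SHA = candidate_forms(TEST_VALUES["email"])["sha256"]
CAPTURE = [
    {"ts": 10, "host": "shop.example", "url": "https://shop.example/signup",
     "body": "email=audit.user%40example.com"},
    {"ts": 12, "host": "px.tracker-a.example", "url": "https://px.tracker-a.example/event",
     "body": '{"event":"form_input","email":"%s"}' % EMAIL_SHA},
    {"ts": 13, "host": "px.tracker-a.example",
     "url": "https://px.tracker-a.example/event?ph=%2B61400000000", "body": ""},
    {"ts": 25, "host": "ads.tracker-b.example", "url": "https://ads.tracker-b.example/c",
     "body": '{"em":"%s"}' % EMAIL_SHA},
]
CONSENT_TS = 20  # constructed: the moment the consent box was ticked

def pre_consent_leaks():
    """Findings from the constructed capture that were sent before consent."""
    found = audit(CAPTURE, TEST_VALUES, CONSENT_TS, "shop.example")
    return [f for f in found if f["before_consent"]]

if __name__ == "__main__":
    for finding in audit(CAPTURE, TEST_VALUES, CONSENT_TS, "shop.example"):
        print(finding)
```

Use a throwaway test identity when capturing, so the values searched for are unique to the session and no real personal data ends up in the capture file.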
“When The Age and Sydney Morning Herald alerted us to this issue, we immediately commenced a review of our privacy policy and removed the TikTok pixel from our website. Our investigations are continuing as a priority.
“Like many health organisations, Beyond Blue uses tools such as pixels to help us deliver safe and relevant content to people online.”
A Sportsbet spokesman said: “We use advanced matching, and that’s consistent with targeting advertising methods that a lot of companies use. Our understanding is they don’t decrypt or use hashed data that has been shared with them.”
Kmart did not respond to requests for comment.
The tests by this masthead found that for Google and Meta’s tracking pixels, email addresses and phone numbers were sent to Google and Meta only after a user had consented to the websites’ privacy policies.
According to TikTok’s website, the tracking pixel can “help you find new customers, optimise your campaigns and measure ad performance”.
“With the pixel, you can track website visitor actions, like view page or purchase, and create audience segments to re-engage previous site visitors or model lookalikes to find new customers,” TikTok says on its website.
‘Remove that pixel’
The extent of data collected by TikTok’s pixel without user consent has caused concern among Australian marketers. Marketing and advisory agency Civic Data has issued a warning to its clients recommending they remove the pixel from their websites on privacy grounds.
In the client bulletin on December 20, which was obtained by this masthead, Civic Data director Chris Brinkworth said his company had “repeatedly observed non-consensual collection of personal data on Australian wagering, telco, finance, supermarket, e-commerce, charity and media organisations’ websites.
“This raises serious privacy concerns regarding the lack of transparency, misuse of personal information and disregard for consent requirements under current regulations such as the Privacy Act 1988. Civic Data’s recommendation is that all Australian businesses consider removing the TikTok pixel and other TikTok integrations from their platforms if they cannot guarantee that the data usage matches the consent given by consumers.”
Civic Data’s clients include accounting software company Xero, Ticketek, Carsales, RACV and BlueScope.
Call to protect Australians
Senator James Paterson has called for an urgent probe by Australia’s information commissioner.
Paterson, the Coalition’s cybersecurity spokesman, this year chaired a committee into foreign interference through social media that grilled TikTok executives.
“This is a very serious and potentially unlawful mass breach of the privacy of TikTok users, former users and non-users,” he told this masthead.
“It would be concerning from any company but is particularly alarming given TikTok is beholden to the Chinese Communist Party and has admitted its China-based employees frequently access Australian user data. There’s nothing to stop this industrial-scale unauthorised data collection being simply handed over to Chinese intelligence and security agencies, as TikTok and its employees are obliged to do under Article 7 of China’s National Intelligence Law.
“The information commissioner must commence an urgent investigation into TikTok Australia and use their full range of enforcement powers to protect Australians from this extraordinary surveillance.”
A spokesman for the Office of the Australian Information Commissioner said the agency was monitoring issues relating to TikTok’s handling of personal information, particularly in light of the findings made by the British Information Commissioner’s Office in an investigation into the company.
“The OAIC will give consideration to the information raised which alleges data scraping in regard to TikTok’s practices,” the spokesman said.
A TikTok spokeswoman denied the pixel breaches Australia’s privacy laws.
“We strongly reject the suggestions outlined by Civic Data and are disappointed that a company would deliberately try to mislead or scare companies without regard to current law or the information available,” she said.
“Pixel usage, which is voluntary for our advertising clients to adopt, is an industry-wide tool used to improve the effectiveness of advertising services. Our use of this tool is compliant with all current Australian privacy laws and regulations, and we dismiss any suggestion otherwise.”
The China connection
In 2016, China designated big data a “fundamental strategic resource”, and four years later its government designated data as the fifth “factor of production”, joining land, labour, capital and technology. Its national intelligence laws allow the ruling Communist Party to pull data upon request from companies based in the nation.
China’s National Intelligence Law of 2017 requires all organisations and citizens to “support, assist and co-operate with the state intelligence work”, and the Australian government this year banned TikTok on government devices over security concerns related to China’s intelligence laws. Governments from Britain, Canada, France and New Zealand have also banned the app from official devices.
Jocelinn Kang, technical specialist at the Australian Strategic Policy Institute, said data from a tracking pixel could be aggregated across websites, apps and social media platforms.
She said pixel tracking could identify users through their “browser fingerprint” – a combination of their IP address, browser and system details.
“However, when more identifying data such as email and phone number is associated with a user, their web activity can be better linked,” Kang said.
Strategic Policy Institute researcher Samantha Hoffman said the data collected by TikTok’s pixel was similar to that of US-based tech giants Google and Meta, but the difference was “the intent”.
Advertising data had “incredible propaganda value”, she said.
“If you think about that, plus the access that TikTok is required to give the Chinese government, that’s the problem.”
In November 2022, TikTok changed its privacy policy to make it explicitly clear user data can be accessed by some employees from across the world, including China.
“They talk about how even data collected overseas can be used by the company and its partners, and would be kept private unless security organisations make demands of it,” Hoffman said.
The tool kit does not exist to deal with these kinds of problems around data security, she said.
“We need a long-term solution.”