Safeguarding U.S. User Data
Project Texas
To fulfill our commitments to safeguard U.S. user data, we have a cutting-edge program called “Project Texas.” A central goal of Project Texas is to enhance the way that U.S. user data is protected, including how it is accessed, stored, and shared. Project Texas has tasked a special purpose subsidiary called TikTok U.S. Data Security (“USDS”) with managing business functions that require access to protected U.S. user data and safeguarding the systems that deliver content on the platform in the U.S. To that end, USDS has the ability to strictly limit where such data is stored and who can access it – including members of the ByteDance corporate group.
Protected Data
Under Project Texas, protected U.S. user data is afforded enhanced protection. Protected U.S. user data broadly means personal information collected from a TikTok U.S. user. Subject to limited exceptions, protected U.S. user data includes the following categories of data, even if deidentified, anonymized, or aggregated: user-related data, such as email and birthdate; non-public user content, such as private videos and direct messages; behavioral data, such as user interaction with content including favorites; data inputs to TikTok’s recommendation engine, such as video completion and video viewing time; and device and network data, such as IP address and device model.
There are some necessary exceptions to protected U.S. user data to allow TikTok to continue operating as a business and as an integrated global platform, including public data such as public videos, business metrics such as daily active user stats, data of certain creators pursuant to agreement, interoperability data such as data needed to apply a user’s public or private account setting globally, and e-commerce data such as shipping information.
Our Progress
Accountability
We have dedicated substantial effort to creating and refining accountability mechanisms relating to our protection of U.S. user data. This ongoing effort has included enhancing and testing our technical and procedural controls, which outline privacy and security standards within our business.
Privacy Principles
We are committed to aligning our business practices to widely-accepted privacy principles, such as privacy by design, data minimization, and transparency. To this end, we routinely conduct employee trainings focused on privacy or security concepts. Additionally, we have updated multiple USDS and global privacy and security policies and guidelines, including policies relating to data access and data classification. We are improving governance relating to USDS, and we will continue to incorporate privacy principles into our comprehensive privacy and security program moving forward.