TikTok has once again been in the spotlight over new concerns that its advertising technology was been scraping data from Australians without their consent, leading to an inquiry from the Australian Information Commissioner.

On Boxing Day, technology editor for the Age and the Sydney Morning Herald, David Swan, published an article accusing TikTok of “harvesting Australians’ data ... without their knowledge or consent”.

Swan's story was built around the use of the Omnibug browser extension which lets you see the hidden requests flowing from websites to advertisers.

With the extension installed, the Nine reporter went to the websites for Kmart, Sportsbet, and mental health charity Beyond Blue among other unnamed Australian companies.

There, he filled out sign up forms and watched as TikTok’s tracking pixel – a hidden piece of code used to secretly gather information about people visiting websites for the purpose of marketing – sent hashed versions of email addresses and phone numbers back to the company's servers before he agreed to the sites’ privacy policies.

Swan noted that both Google and Meta (formerly Facebook) collect “similar data” but only after consent – in the form of accepting the privacy policy – is given.

The story triggered an inquiry from the Office of the Australian Information Commissioner, as the Nine papers reported two days later, along with accusations from Senator James Paterson – a China hawk and public critic of TikTok – that the company’s tracking activity was “deeply concerning and highly likely to be unlawful”.

Attorney General Mark Dreyfus, who is in charge of a major reform of Australia’s privacy legislation, said his “advice for TikTok would be to co-operate with the investigator in this matter”.

TikTok strenuously denied any wrongdoing, saying in a statement that tracking pixels are “an industry-wide tool used to improve the effectiveness of advertising services”.

“Our use of this tool is compliant with all current Australian privacy laws and regulations and we dismiss any suggestion otherwise,” the company said.

“We also rely on our advertising clients to only share data with us through the pixel, if they have in turn provided their customers with the necessary information and obtained the necessary permissions.”

Removing the tracking device

TikTok maintains documentation about how to install and configure its tracking pixel, including descriptions of its Automatic Advanced Matching feature.

This lets advertisers, and the companies who choose to have it installed, “automatically identify form fields on pages where Pixel is installed and to hash and collect email and phone numbers entered on those pages for ad measurement and attribution purposes”.

Keep in mind that TikTok doesn’t go around secretly installing its trackers on the websites of Australian retailers, gambling sites, and charities – they're the ones opting in to TikTok’s ad-tech ecosystem and expose their users to these potentially unlawful data scraping practices.

Beyond Blue told the Nine papers said it would remove the TikTok tracker which Information Age can confirm, using Omnibug, it has done.

Sportsbet’s signup page no longer has a TikTok tracker, but Omnibug does show services from Snapchat, Meta, and Google hovering around as you fill out the form.

Kmart still has the TikTok tracker installed but it no longer appears to be posting scraped data from its sign up form to TikTok.

While TikTok's pixel may have technically done the wrong thing by enabling other companies to scrape data before formal consent was given, the harm caused by TikTok’s controversial tracking pixel would be fairly minimal.

You could argue that a reasonable person who is entering their details into an online form already intends to disclose that information – and they’re unlikely to read through the privacy policy.

That TikTok helped capture this information a few seconds before it was meant to seems like it was caught out on a technicality, albeit not an unimportant one.

So given the prevalence of other trackers waiting to pounce on the same data, why did this minor infraction cause such a stir?

Because TikTok is owned by ByteDance, a Chinese company, and everything its name is attached to – even tools that other businesses choose to use – receives intense scrutiny.

Sadly it seems like the issue is not so much that our data is being constantly harvested and used to manufacture desire for consumption or inform ideology, but rather that the ‘right people’ – specifically, not Chinese-owned companies – are the ones capturing that data.

Hopefully in 2024 we can focus back on securing privacy against all unwanted data trackers, not just those belonging to TikTok.