TikTok Pixel and Data Protection – What Website Operators Need to Know

Concise guide to TikTok Pixel: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

TikTok Pixel and Data Protection – What Belongs in the Privacy Policy

The TikTok Pixel is a tracking code that website operators embed on their website in order to measure conversion events and create audiences for TikTok advertising. From a data protection perspective, it is a data-processing component that transmits personal data to TikTok Technology Limited (Dublin, Ireland) and its Chinese parent company ByteDance Ltd. This article summarizes what information belongs in the privacy policy of a website using the TikTok Pixel, what data is collected and what legal particularities must be observed.

A. Purpose and Function of the TikTok Pixel

The TikTok Pixel is a piece of JavaScript code that website operators embed in the source code of their website. It is distinct from TikTok the social media platform: TikTok is a service for sharing videos and using social content, while the TikTok Pixel is a pure advertising measurement and tracking tool.

The pixel works as follows: As soon as a visitor accesses the website, the JavaScript code automatically sends data to TikTok servers. This data is used to measure advertising campaigns, create custom audiences and for remarketing. The pixel can track various events, including page views (PageView), product views, cart additions, purchases, registrations and custom events.

In contrast to social media use, the use of the TikTok Pixel is not necessary for the operation of the website itself – it serves exclusively for advertising and optimization purposes and is therefore to be assessed critically from a data protection perspective.

B. Mandatory Disclosures in the Privacy Policy

Every website that uses the TikTok Pixel is obliged under Art. 13 GDPR to make complete, comprehensible disclosures in its privacy policy. The following information belongs in this section:

  1. Identity of the controller or processor: Name and full address of TikTok Technology Limited (10 Earlsfort Terrace, Dublin, D02 T380, Ireland), and possibly the parent company ByteDance Ltd.

  2. Processing purpose: "Measurement and optimization of TikTok advertising", "creation of audiences", "remarketing and custom audiences", "conversion tracking".

  3. Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG or – where applicable – other legal bases in individual cases.

  4. Recipients of the data: TikTok Technology Limited, ByteDance Ltd., and possibly other TikTok partners.

  5. Storage duration: Indication of the periods or criteria according to which data is deleted.

  6. Data subject rights: Right of access, rectification, erasure, restriction of processing, data portability and objection.

Many website operators copy generic text templates from samples into their privacy policy without adapting them to their specific situation. This leads to incorrect or incomplete information. An individual privacy policy tailored to the company and the processing is required.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider

TikTok Technology Limited is the EU company that acts as the contractual partner for the provision of TikTok Pixel:

  • Name: TikTok Technology Limited
  • Registration number: 635755 (Ireland)
  • Address: 10 Earlsfort Terrace, Dublin, D02 T380, Ireland
  • Registration date: 12 October 2018

This Irish corporation is the contractual party for website operators who wish to embed the pixel.

Parent company: ByteDance Ltd., based in Beijing, China. ByteDance is the holding company that controls and operates TikTok worldwide. The risk of data transfers to the People's Republic of China is a central data protection concern when assessing the TikTok Pixel.

Data Privacy Framework status: Whether TikTok is listed among the companies certified under the US Data Privacy Framework (DPF) must be checked. Many sources indicate that ByteDance/TikTok does not meet the DPF. This means that data transfers to the USA must additionally be protected by Standard Contractual Clauses (SCCs) or other mechanisms.

Privacy Policy: TikTok's official privacy policy for users in the EEA is available at https://www.tiktok.com/legal/page/eea/privacy-policy/en. Different conditions partly apply to commercial products such as the TikTok Pixel.

D. Data Processing – Workflow

The processing of personal data by the TikTok Pixel follows this workflow:

1. Data collection

As soon as a website visitor accesses the website or triggers an event (e.g. purchase, registration), the pixel code sends data to TikTok servers.

2. Storage and place of processing

Data is processed on TikTok servers, partly in third countries (Singapore, USA or other countries). Some of the data may be passed on to the parent company ByteDance.

3. Use and optimization

TikTok uses the data to optimize advertising, create and segment custom audiences as well as for remarketing and ad attribution.

4. Sharing with third parties

Data may be shared with TikTok partners, advertisers (when custom audiences are shared) and possibly with Chinese authorities.

5. Deletion and retention

TikTok deletes data after a defined period (typically 180 days after the last event), unless this data is retained for other purposes.

E. Data Collected

The TikTok Pixel and the advanced functions (Advanced Matching) collect a wide range of data:

  • Web server log data: IP address of the visitor, timestamp of the request, protocol version.

  • Click paths and navigation behavior: Visited pages (URLs, full or shortened paths), referrer (where the visitor came from), internal navigation flows.

  • Device data: Device type (smartphone, tablet, desktop), operating system (Android, iOS, Windows), device identifier (e.g. IDFA on iOS, Advertising ID on Android).

  • Browser information: Browser type and version, installed plugins, language used, time zone.

  • Coarse location data: Approximate location derived from the IP address (country, region, city).

  • User profiles and audience data: Creation of custom audiences, interest profiles, interaction history with the website.

  • Conversion events: Purchases (with or without product details), registrations, cart additions, page views, downloads, lead generation.

  • Interaction data: Clicks on elements, form entries, time spent on the page.

  • Hashed personal data (with Advanced Matching): Email addresses, phone numbers and other contact data in hashed form.

F. Purposes of Use

TikTok uses the pixel data for the following purposes:

  • General marketing and campaign measurement: Evaluation of advertising performance, cost analysis (ROAS – Return on Ad Spend), reach measurement.

  • User profile creation: Segmentation of audiences, creation of custom audiences for re-engagement (remarketing), lookalike audience generation (users similar to existing customers).

  • User-individual (personalized) marketing: Targeted advertising on TikTok based on website behavior, conversion probability, identified interests.

  • Cross-domain tracking: Tracking of users across multiple websites (provided that several websites use the TikTok Pixel).

  • Product development and service improvement: Internal analyses to improve the TikTok ecosystem and ad mechanics.

The processing of personal data by the TikTok Pixel is to be classified as marketing tracking from a data protection perspective. This is not an essential service for the operation of the website.

Required legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG (Telecommunications Telemedia Data Protection Act, for cookies and similar technologies).

This means: Prior, informed and explicit consent of the visitor is mandatory before the pixel is activated. This must be ensured via a consent management system (cookie banner).
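One way to enforce this in the browser, as an added example that is not from the original article or from TikTok: a gate that loads the vendor script only after an explicit opt-in and drops every event otherwise. `createConsentGate`, `loadTracker` and the `Purchase` event name are hypothetical; `loadTracker` stands in for the operator's own code that injects the pixel snippet.

```javascript
// Added example; every name here is hypothetical and not a TikTok API.
// loadTracker() stands in for the code that injects the vendor script and
// returns an object with a track(name, props) method.
function createConsentGate(loadTracker, now = () => new Date().toISOString()) {
  let granted = false;      // default: no consent, nothing is loaded
  let tracker = null;
  const decisions = [];     // local record of consent changes

  return {
    // Wire this to the consent banner's accept / reject / withdraw callbacks.
    setConsent(value) {
      granted = value === true;          // anything but an explicit true is "no"
      decisions.push({ granted, at: now() });
      if (granted && tracker === null) {
        tracker = loadTracker();         // the only place vendor code is loaded
      }
    },
    // Page code calls this instead of the vendor API.
    track(name, props = {}) {
      if (!granted || tracker === null) return false; // dropped, never queued
      tracker.track(name, props);
      return true;
    },
    decisions: () => decisions.slice(),
  };
}

// Constructed demo: a fake tracker records what would have left the browser.
function demo() {
  const sent = [];
  let loads = 0;
  const gate = createConsentGate(() => {
    loads += 1;
    return { track: (name) => sent.push(name) };
  }, () => "2026-01-01T00:00:00Z");

  gate.track("PageView");        // before any decision: dropped
  gate.setConsent(true);
  gate.track("PageView");        // sent
  gate.setConsent(false);        // withdrawal
  gate.track("Purchase");        // dropped
  gate.setConsent(true);         // re-consent reuses the loaded tracker
  gate.track("Purchase");        // sent
  return { sent, loads, decisions: gate.decisions().length };
}
```

A script that has already been loaded stays in the page until the next navigation, so after withdrawal the gate only guarantees that no further events are forwarded through it.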

The use of the TikTok Pixel must be assessed particularly carefully from a data protection perspective due to the third-country transfer to the USA and the connection to the Chinese parent company ByteDance. The increased risk of data protection breaches, state surveillance and disclosure obligations of the parent company vis-à-vis Chinese authorities (national security) must be assessed by the website operator on a case-by-case basis.

H. Special Features and Notes

Joint Controller status: The use of the TikTok Pixel may give rise to joint controllership (Joint Controllership under Art. 26 GDPR) between the website operator and TikTok. TikTok has published a "TikTok Analytics Joint Controller Addendum" on this. Website operators should check whether and to what extent a Joint Controller Agreement is required or available.

Third-country transfers and Schrems II risks:

  • Data is partly transferred to the USA. The effectiveness of Standard Contractual Clauses (SCCs) has been disputed since the "Schrems II" ruling (CJEU, 2020).
  • A third-country transfer to the People's Republic of China (to the parent company ByteDance) cannot be ruled out and significantly increases the data protection risk.

Opt-out and settings:

Advanced Matching and hashing: Website operators can activate advanced matching functions in which email addresses and phone numbers are transmitted to TikTok in hashed (encrypted) form. This intensifies the tracking and must be documented separately.

Events API as an alternative: The TikTok Conversion API (Server-Side Events API) is a more privacy-friendly alternative to the pixel. It enables conversions to be tracked on the website operator's server, not in the user's browser. Ad-blocking tools cannot block events in this way.

Data protection agreements: A Data Processing Agreement (DPA) must be concluded with TikTok Technology Limited or – if joint controllership exists – a corresponding Joint Controller Agreement.

I. Frequently Asked Questions about TikTok Pixel and Data Protection

J. Conclusion

The TikTok Pixel is a widely used advertising measurement tool that may be necessary for website operators to optimize TikTok campaigns. From a data protection perspective, however, it is particularly critical: It requires explicit consent, it processes sensitive data, and it carries significant risks due to third-country transfers to the USA and a possible transfer to the Chinese parent company ByteDance.

Disclosing all essential processing details in the privacy policy is a legal obligation. A generic privacy policy that is not tailored to the specific operator and use is not sufficient. A data protection lawyer or specialized generator tool should be consulted to create legally compliant texts. The use of Standard Contractual Clauses (SCCs) or a Joint Controller Agreement with TikTok must be examined on a case-by-case basis.

Disclaimer: This article provides legal information on the topic of TikTok Pixel and data protection. It is not legal advice and does not replace individual advice from a data protection lawyer. As of: April 2026.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com