The TikTok Pixel is an advertising measurement and audience building tool from TikTok (ByteDance) that tracks website conversions and enables retargeting audiences for TikTok ads. It faces heightened GDPR scrutiny due to ByteDance's Chinese ownership and concerns about potential data access under Chinese national security laws. Multiple EU member state authorities have investigated or restricted TikTok's data practices. Consent is required before the pixel loads, SCCs are required for US/Singapore transfers, and a DPIA is strongly recommended.
The TikTok Pixel is a JavaScript snippet installed on websites to measure conversions from TikTok advertising, build custom audiences for retargeting, and optimise ad delivery algorithms. It tracks page views, add-to-cart events, purchases, lead form submissions, and other custom events. The TikTok Events API provides a server-side alternative sending conversion data directly from the server to TikTok without browser cookies.
TikTok is owned by ByteDance, a Chinese company. Chinese national security laws (National Intelligence Law 2017, Data Security Law 2021, Personal Information Protection Law 2021) may require ByteDance to provide data to Chinese government authorities on request. This creates a transfer risk beyond standard SCCs — even with SCCs, data may be subject to Chinese government access without GDPR-compliant safeguards. Multiple EU regulators have investigated TikTok's data practices and several EU institutions have banned TikTok from employee devices.
TikTok has faced significant EU regulatory action: a 345 million EUR fine from the Irish DPC (September 2023) for mishandling children's data, investigations by multiple DPAs into data transfers to China, and device bans by the European Commission, European Parliament, and several member state governments. These actions create heightened GDPR risk for organisations deploying TikTok advertising tools.
Conduct a DPIA before deploying the TikTok Pixel on EU-facing websites. Block the Pixel via CMP until advertising consent. Accept TikTok's Data Processing Agreement. Sign SCCs. Disclose the US/Singapore transfer and ByteDance ownership in your privacy policy. Consider using TikTok Events API (server-side) instead of the browser Pixel to reduce cookie-based tracking. Assess whether the ByteDance risk warrants a Transfer Impact Assessment.
Websites using TikTok Pixel must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for TikTok Pixel deployments due to: cross-site advertising tracking, US and Singapore data transfers, ByteDance ownership creating potential Chinese government access risk, and TikTok's history of EU regulatory action.
Sample consent text
We use the TikTok Pixel to measure the effectiveness of our TikTok advertising campaigns. This involves cookies and transfer of data to TikTok (ByteDance) in the US and Singapore. You can decline advertising cookies below.
Third-party domains contacted
analytics.tiktok.com
business.tiktok.com
ads.tiktok.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _ttp | persistent | 13 months | TikTok cross-site tracking identifier for conversion measurement and audience building |
| _tt_enable_cookie | persistent | 13 months | TikTok consent flag cookie recording whether visitor has accepted TikTok advertising tracking |
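
One way to verify that the Pixel stays blocked until consent, as an added example that is not part of the original page: a Node.js script that scans a browser HAR capture for requests to the domains listed above and for the `_ttp` / `_tt_enable_cookie` cookies before the moment consent was recorded. The function names, the `shop.example` host, the sample HAR and the consent timestamp are constructed for illustration.

```javascript
// Domains and cookie names are the ones listed on this page.
const TIKTOK_DOMAINS = ["analytics.tiktok.com", "business.tiktok.com", "ads.tiktok.com"];
const TIKTOK_COOKIES = ["_ttp", "_tt_enable_cookie"];

// Exact host or subdomain match; a plain substring test would also match look-alikes.
function isTikTokHost(host) {
  const h = host.toLowerCase();
  return TIKTOK_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Listed cookies seen on a HAR entry. Cookies written by script (document.cookie) do not
// appear as Set-Cookie responses, but they are sent in request.cookies of later requests.
function listedCookies(entry) {
  const seen = [...(entry.request.cookies ?? []), ...(entry.response?.cookies ?? [])];
  return [...new Set(seen.map((c) => c.name))].filter((n) => TIKTOK_COOKIES.includes(n));
}

// Findings for every entry that started before consentTime (ISO 8601 string).
function auditPreConsent(har, consentTime) {
  const cutoff = Date.parse(consentTime);
  const findings = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= cutoff) continue;
    const host = new URL(entry.request.url).hostname;
    if (isTikTokHost(host)) findings.push({ type: "request", host, at: entry.startedDateTime });
    for (const name of listedCookies(entry)) {
      findings.push({ type: "cookie", name, host, at: entry.startedDateTime });
    }
  }
  return findings;
}

// Constructed sample HAR (not a real capture); consent is recorded at 10:00:05Z.
const sampleHar = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:01Z", request: { url: "https://shop.example/" },
    response: { cookies: [] } },
  { startedDateTime: "2024-01-01T10:00:02Z",
    request: { url: "https://analytics.tiktok.com/placeholder" }, response: { cookies: [] } },
  { startedDateTime: "2024-01-01T10:00:03Z",
    request: { url: "https://shop.example/cart", cookies: [{ name: "_ttp", value: "constructed" }] },
    response: { cookies: [] } },
  { startedDateTime: "2024-01-01T10:00:04Z",
    request: { url: "https://analytics.tiktok.com.example/x" }, response: { cookies: [] } },
  { startedDateTime: "2024-01-01T10:00:09Z",
    request: { url: "https://ads.tiktok.com/placeholder" }, response: { cookies: [] } },
] } };

console.log(auditPreConsent(sampleHar, "2024-01-01T10:00:05Z"));
```

An empty result on a capture taken up to the consent click is the pass condition; any finding means the CMP is not blocking the Pixel.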
Yes. The TikTok Pixel sets advertising cookies requiring consent under the ePrivacy Directive. It must not load until advertising consent is obtained. Block via CMP.
ByteDance is a Chinese company subject to Chinese national security laws that may require data disclosure to Chinese authorities. SCCs alone may not adequately protect EU data from such access. Conduct a Transfer Impact Assessment to document the risk and any supplementary measures.
TikTok received a 345 million EUR GDPR fine from the Irish DPC in September 2023 for mishandling children's data. Multiple EU institutions including the European Commission and Parliament banned TikTok from employee devices. Dutch, French, and other national DPAs have investigated TikTok's data transfers to China.
TikTok Pixel sets _ttp (tracking and conversion, 13 months) and _tt_enable_cookie (consent flag). These require advertising consent. The pixel also uses Advanced Matching to hash personal data for better attribution.
The Events API is server-side and avoids browser cookies. This bypasses the ePrivacy cookie consent requirement. However, it still transfers personal data (hashed email, IP, browser data) to TikTok in the US and Singapore. GDPR disclosure, SCCs, and a DPA are still required.
Yes, strongly recommended. The combination of advertising tracking, ByteDance ownership, US/Singapore transfers, and potential Chinese government access constitutes high-risk processing requiring a DPIA under GDPR Article 35.
Accept TikTok's Data Processing Agreement in TikTok Ads Manager (Account Settings, Data Processing Agreement). This covers the Pixel data and Events API. Sign SCCs separately if required by your legal team.
TikTok advertising is legally permissible with consent, a signed DPA, and SCCs. However, the ByteDance risk factor means some organisations — particularly in regulated sectors or those processing sensitive data — may choose to avoid TikTok advertising for EU audiences pending further regulatory clarity.