TikTok Embed is the official iframe that lets you display a public TikTok video inside another website. The embed loads embed.js from www.tiktok.com, sets ByteDance tracking cookies (tt_webid, tt_csrf_token, _ttp, msToken, ttwid) and transmits the visitor's IP address, User Agent and referring URL to TikTok as soon as the iframe initialises. The Irish DPC fined TikTok 345 million euros in September 2023 and 530 million euros in May 2025 over child data failures and EU-to-China transfers, and EU regulators classify the embed as a high-risk processing activity requiring prior consent under the ePrivacy Directive.
The TikTok embed is loaded by including a script tag pointing to www.tiktok.com/embed.js plus a blockquote referencing the video URL. As soon as the script executes, the visitor's browser opens connections to www.tiktok.com, p16-sign.tiktokcdn-us.com and several supporting CDN domains, downloads the player, and lets TikTok set and read its tracking identifiers. The interaction is technically equivalent to opening the video on tiktok.com itself, only inside an iframe on your domain. ByteDance therefore receives the visitor's IP address, User Agent, language, time zone, referring URL and any cookies previously set on tiktok.com.
TikTok sets a stack of tracking cookies including tt_webid and tt_webid_v2 (device identifiers), tt_csrf_token (CSRF protection), _ttp (TikTok Pixel identifier when the Pixel is enabled on the operator site), msToken (anti-scraping and session token), ttwid (web identifier), and passport_csrf_token / passport_auth_status_ss when the visitor is logged in. The embed view is logged in TikTok analytics and contributes to the recommendation graph. When the operator also runs a TikTok Pixel on the same domain, the embed and the Pixel can be correlated to enrich ByteDance's profile of the visitor.
The TikTok embed is not strictly necessary to the requested service, so Article 5(3) of the ePrivacy Directive requires prior opt-in consent before any cookie is written or any script is loaded. The Irish DPC decision of 1 September 2023 fined TikTok 345 million euros for child data and transparency failures and, in May 2025, the same authority added 530 million euros for transfers of EEA user data to China. EU regulators consistently flag TikTok integrations as high-risk, especially when the audience may include minors.
Project Clover commits TikTok to storing EEA user data on Oracle infrastructure inside the EU, with a third-party security trustee (NCC Group) auditing access. The project is still being rolled out, and ByteDance personnel in China retain controlled remote access for engineering, content moderation and trust and safety. Until Project Clover is fully audited and EDPB endorsed, the embed must be treated as a high-risk transfer to a non-adequate third country. A DPIA is required in most cases, and operators in regulated sectors should avoid the embed.
Implement a click-to-load placeholder that is opt-in by default, expose TikTok in the consent banner as a social media or advertising vendor, and only inject the embed after granular consent. Avoid using TikTok embeds on pages aimed at minors. Update the privacy policy with the link to TikTok's privacy terms, the list of cookies and the disclosure of the transfer to ByteDance. Safer alternatives include hosting an MP4 of the video on your own CDN under the creator licence, using a static thumbnail with a link to the TikTok URL, or relying on a server-side proxy that fetches the video without contacting TikTok from the visitor's browser.
Websites using TikTok Embed must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for the TikTok embed on most EU-facing properties. The combination of large-scale processing by ByteDance, possible inferences of special category data from the videos consumed and historic transfers to China makes this a high-risk activity. Following the Irish DPC 2023 and 2025 decisions, operators must document the lawful basis, the consent flow, the residual risk after Project Clover, the categories of data transferred and the safer alternatives evaluated.
Sample consent text
We embed videos from TikTok. Loading this embed shares your IP address, User Agent and browsing context with TikTok and ByteDance and may involve transfers outside the EEA. The embed only loads after you accept advertising and social media cookies.
Third-party domains contacted
tiktok.com
www.tiktok.com
p16-sign.tiktokcdn-us.com
p16-sign-va.tiktokcdn.com
mssdk.tiktokv.com
byteoversea.com
tiktokcdn.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| tt_webid | http | 12 months | TikTok device identifier set by www.tiktok.com when the embed loads. Used for analytics, recommendations and fraud prevention. |
| tt_webid_v2 | http | 12 months | Newer TikTok device identifier used alongside tt_webid for cross-session recognition. |
| tt_csrf_token | http | Session | CSRF token paired with TikTok requests to prevent cross-site request forgery on actions performed inside the embed. |
| msToken | http | ~30 minutes | Anti-scraping and short-lived session token rotated on every interaction with TikTok endpoints. |
| ttwid | http | 12 months | TikTok web identifier used to track the device across TikTok properties and recommend content. |
| _ttp | http | 13 months | TikTok Pixel identifier. Set on the operator domain when a TikTok Pixel is installed and shared with the embed to correlate visits. |
| passport_csrf_token | http | 6 months | TikTok login session protection cookie set when the visitor is authenticated, linking the embed view to a TikTok account. |
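The domain list and cookie table above are also what an operator needs to verify that a consent gate actually works. The following is an added example (not FlowConsent's or TikTok's code) that audits a browser HAR export: it flags every request to one of the listed TikTok/ByteDance hosts made before the consent timestamp, and lists which of the cookies from the table each TikTok response tries to set. The HAR entries are constructed sample data, not a real capture.

```javascript
// Added example, not FlowConsent's code: audit a HAR export for requests to
// the TikTok/ByteDance domains listed on this page before consent was given,
// and report which tracking cookies from the table each response sets.
// SAMPLE_HAR below is constructed, not a real capture.

const TIKTOK_DOMAINS = [
  'tiktok.com', 'www.tiktok.com', 'p16-sign.tiktokcdn-us.com',
  'p16-sign-va.tiktokcdn.com', 'mssdk.tiktokv.com', 'byteoversea.com', 'tiktokcdn.com',
];

// Cookie names from the table on this page.
const TRACKING_COOKIES = ['tt_webid', 'tt_webid_v2', 'tt_csrf_token', 'msToken', 'ttwid', '_ttp', 'passport_csrf_token'];

// Exact match or subdomain match: cdn.tiktokcdn.com counts, nottiktok.com does not.
function isTikTokHost(hostname) {
  const h = String(hostname).toLowerCase().replace(/\.$/, '');
  return TIKTOK_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// Names of the tracking cookies a HAR entry's response tries to set.
function trackingCookiesSet(entry) {
  const headers = (entry.response && entry.response.headers) || [];
  return headers
    .filter((hdr) => hdr.name.toLowerCase() === 'set-cookie')
    .map((hdr) => hdr.value.split('=')[0].trim())
    .filter((name) => TRACKING_COOKIES.includes(name));
}

// Entries that reached a TikTok host before consentAt (ISO 8601 string).
// Pass null when consent was never given, so every TikTok request is a finding.
function preConsentTikTokRequests(harLog, consentAt) {
  const cutoff = consentAt ? Date.parse(consentAt) : Infinity;
  const findings = [];
  for (const entry of harLog.entries) {
    let host;
    try { host = new URL(entry.request.url).hostname; } catch (e) { continue; }
    if (!isTikTokHost(host)) continue;
    if (Date.parse(entry.startedDateTime) < cutoff) {
      findings.push({ url: entry.request.url, startedDateTime: entry.startedDateTime, cookies: trackingCookiesSet(entry) });
    }
  }
  return findings;
}

// Constructed HAR: a thumbnail leaks to a TikTok CDN before the visitor
// consents at 10:00:10Z (a misconfigured placeholder), then the real embed
// loads after consent and www.tiktok.com sets tt_webid and ttwid.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2025-01-01T10:00:00Z', request: { url: 'https://example.org/page' }, response: { headers: [] } },
  { startedDateTime: '2025-01-01T10:00:01Z', request: { url: 'https://example.org/tiktok-placeholder.png' }, response: { headers: [] } },
  { startedDateTime: '2025-01-01T10:00:02Z', request: { url: 'https://p16-sign.tiktokcdn-us.com/obj/thumb.jpeg' }, response: { headers: [] } },
  { startedDateTime: '2025-01-01T10:00:11Z', request: { url: 'https://www.tiktok.com/embed.js' },
    response: { headers: [
      { name: 'Set-Cookie', value: 'tt_webid=0000000000000000000; Path=/; Domain=.tiktok.com; Max-Age=31536000' },
      { name: 'Set-Cookie', value: 'ttwid=placeholder; Path=/; Domain=.tiktok.com; Max-Age=31536000' },
    ] } },
  { startedDateTime: '2025-01-01T10:00:12Z', request: { url: 'https://mssdk.tiktokv.com/web/report' }, response: { headers: [] } },
] } };

// Runs the audit over the constructed capture; one finding is expected
// (the pre-consent thumbnail request to p16-sign.tiktokcdn-us.com).
function auditSample() {
  return preConsentTikTokRequests(SAMPLE_HAR.log, '2025-01-01T10:00:10Z');
}
```

Run it against a real HAR exported from the browser's network panel after loading the page, refusing the banner, and then accepting it; any finding before the consent timestamp means the placeholder is already fetching something from TikTok (a thumbnail or the script itself) and the gate is not effective.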
When the embed loads, www.tiktok.com sets ByteDance tracking cookies including tt_webid and tt_webid_v2 (device identifiers, 12 months), tt_csrf_token (CSRF protection), msToken (anti-scraping and session, around 30 minutes), ttwid (TikTok web identifier, 12 months), and _ttp when the operator also runs a TikTok Pixel. Logged-in visitors trigger additional passport cookies tying the embed view to a TikTok account.
Yes. The embed loads scripts and writes tracking cookies and is not strictly necessary to the service. Article 5(3) of the ePrivacy Directive requires prior opt-in consent, and the EDPB clarifies that consent must be specific, informed and granular. The standard implementation is a two-click placeholder served from your own domain that only loads the iframe after the visitor accepts.
The only realistic legal basis is consent under Article 6(1)(a) GDPR. Legitimate interest is not available because the embed enables large-scale profiling by ByteDance and exposes the visitor to potential transfers to China. TikTok itself relies on additional bases for its own processing, but the website embedding the iframe is responsible for collecting consent before any data leaves the visitor's browser.
Yes. Even with Project Clover migrating EEA user data to Oracle data centres in Europe, ByteDance personnel in China retain controlled access. The Irish DPC fined TikTok 345 million euros in 2023 and 530 million euros in 2025 specifically over transfers and child data. The embed must be treated as a high-risk transfer to non-adequate third countries and disclosed accordingly in the privacy policy.
Yes in most cases. The combination of large-scale processing by ByteDance, possible inference of special category data from the consumed videos, and historic China transfers exceeds the threshold of Article 35 GDPR. The DPIA must document the necessity of the embed, the lawful basis, the consent mechanism, the residual risk under Project Clover, and the safer alternatives evaluated. Operators in regulated sectors should generally avoid the embed.
Block the embed by default and replace it with a click-to-load placeholder served from your own domain that explains the data flow to TikTok. Expose TikTok in the consent banner as a social media or advertising vendor and only inject the iframe after granular consent. Document the processing in your privacy policy with the cookie list, the link to TikTok's privacy terms and the China transfer disclosure. Avoid the embed entirely on pages with minor audiences.
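The click-to-load placeholder recommended above (and in the earlier implementation guidance) can be reduced to one decision: nothing referring to www.tiktok.com is put in the page until the visitor's granular consent is recorded. The following is an added example of that gate, not FlowConsent's code and not TikTok's published embed snippet. The consent-state object (`socialMedia` / `advertising` flags), the `onAccept` hook into the consent banner and the placeholder wording are assumptions; the blockquote plus embed.js shape follows the embed as described on this page.

```javascript
// Added example, not FlowConsent's or TikTok's code: a consent-gated
// "click to load" placeholder for the TikTok embed. Until the visitor opts in,
// the page renders only a placeholder served from the operator's own domain
// and makes no request to www.tiktok.com. The consent-state shape
// ({ socialMedia, advertising }), the onAccept hook and the placeholder
// wording are assumptions; the blockquote + embed.js shape follows this page.

const TIKTOK_EMBED_SCRIPT = 'https://www.tiktok.com/embed.js';
// Only plain https video URLs are accepted, so a CMS field cannot smuggle
// arbitrary markup or a javascript: URL into the cite attribute.
const TIKTOK_VIDEO_URL = /^https:\/\/www\.tiktok\.com\/@[\w.-]+\/video\/(\d+)$/;

function parseTikTokVideoUrl(url) {
  const m = TIKTOK_VIDEO_URL.exec(String(url));
  return m ? { url: m[0], videoId: m[1] } : null;
}

// TikTok is filed under the social media / advertising vendor categories
// (assumed category names); either being granted unlocks the embed.
function tiktokConsentGiven(consent) {
  return Boolean(consent && (consent.socialMedia === true || consent.advertising === true));
}

// The blockquote that embed.js upgrades into the iframe. Generated only after
// consent, never present in the initial HTML.
function buildEmbedMarkup(video) {
  return `<blockquote class="tiktok-embed" cite="${video.url}" ` +
         `data-video-id="${video.videoId}"><section></section></blockquote>`;
}

// Pure decision function: what to render for a given URL and consent state.
// Keeping it free of DOM access lets the gating logic be unit-tested.
function decideRender(videoUrl, consent) {
  const video = parseTikTokVideoUrl(videoUrl);
  if (!video) return { mode: 'invalid', loadsScript: false };
  if (!tiktokConsentGiven(consent)) {
    return {
      mode: 'placeholder',
      loadsScript: false,
      // Mirrors the sample consent text: the visitor learns what loading shares.
      text: 'This video is hosted by TikTok. Loading it shares your IP address, ' +
            'User Agent and browsing context with TikTok and ByteDance and may ' +
            'involve transfers outside the EEA.',
      link: video.url,
    };
  }
  return { mode: 'embed', loadsScript: true, html: buildEmbedMarkup(video), script: TIKTOK_EMBED_SCRIPT };
}

// Browser renderer. onAccept is the hook into the consent banner (assumed):
// it must record the granular TikTok consent and resolve with the new state.
function render(container, videoUrl, consent, onAccept) {
  const decision = decideRender(videoUrl, consent);
  if (typeof document === 'undefined') return decision;   // no DOM under Node
  container.replaceChildren();
  if (decision.mode === 'placeholder') {
    const p = document.createElement('p');
    p.textContent = decision.text;
    const button = document.createElement('button');
    button.textContent = 'Load video and accept social media cookies';
    button.addEventListener('click', async () => {
      const granted = await onAccept();                    // CMP records consent first
      render(container, videoUrl, granted, onAccept);
    });
    container.append(p, button);
  } else if (decision.mode === 'embed') {
    container.innerHTML = decision.html;                   // URL fields regex-validated above
    const script = document.createElement('script');
    script.src = decision.script;
    script.async = true;
    container.appendChild(script);                         // first request to www.tiktok.com
  }
  return decision;
}
```

The placeholder deliberately contains no TikTok thumbnail: a preview image fetched from a tiktokcdn host would itself be a pre-consent request to ByteDance. If a preview is wanted, serve a copy from your own domain or use the static thumbnail-plus-link alternative discussed below.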
Common alternatives include downloading the MP4 of the video with the creator's authorisation and hosting it on your own CDN, displaying a static thumbnail that links to the TikTok URL, or using a server-side proxy that fetches the video without exposing the visitor's browser to TikTok endpoints. For curation use cases, an EU-based video host (PeerTube, Vimeo with EU residency, Bunny Stream) can replace the TikTok integration entirely.
Add TikTok and ByteDance Ltd as data recipients, list the cookies set by www.tiktok.com (tt_webid, tt_webid_v2, tt_csrf_token, msToken, ttwid, _ttp, passport variants) with their duration and purpose, disclose the transfer outside the EEA and to China, mention Project Clover and reference the Irish DPC decisions. Refresh the entry whenever TikTok updates its disclosures.