TikTok Is Tracking You—Even If You Don’t Use It

The realization that a product you don’t use is still observing you can be particularly unsettling. Not in a symbolic sense. Literally, in the sense that lines of code associated with a business you never joined are currently logging what you read, fill out, and click on. The main argument of a piece written by Thomas Germain of the BBC in February has been subtly making the rounds in privacy circles ever since. Even those who have never used the app are being tracked by TikTok. It is subtly following them all over the internet, including on pages pertaining to mental health, cancer, and fertility.

The reach is new, but the mechanism is not. We refer to it as a tracking pixel. For readers who have managed to stay away from the ad tech jargon of the past ten years, a pixel is a background-loaded, one-by-one-pixel image embedded on a webpage that is invisible to the human eye. Its actual purpose is not to show anything. It is used to notify a third party—in this case, TikTok, but also Meta, Google, and hundreds of others—that a specific device has loaded a specific page. When you multiply that by the most popular websites on the internet, you get what Patrick Jackson, chief technology officer of the cybersecurity firm Disconnect, describes as “extremely invasive.”

The pixel became specific thanks to Germain’s reporting. He spent a week visiting the websites of a mental health organization, a women’s health company, and a cancer support group. When he clicked a button on the cancer website that indicated he was a patient or survivor, TikTok received his email address and the health context. His browsing was recorded on the fertility website. A signal went out on the mental health website as soon as he said he was seeking crisis support. It was not necessary for him to have a TikTok account. The app didn’t need to be installed. The pixel was unconcerned. Every visitor is affected by it.

As expected, TikTok’s official response is that this is someone else’s issue. Privacy laws are meant to be followed by websites. Websites are meant to disclose the data they gather. Sensitive health information cannot be shared by websites with TikTok’s systems; TikTok claims to notify site owners when it finds such sharing occurring. Additionally, the company correctly—if not comfortingly—pointed out that tracking pixels are a standard in the industry. They are used by all major platforms. Even the BBC, as TikTok pointed out, does not use TikTok trackers on its own website or place advertising pixels on third-party websites, as the BBC clarified in Germain’s piece.

The timing of the TikTok situation makes it especially difficult to ignore. Late last year, a group comprising Oracle, Silver Lake, and MGX purchased TikTok’s US operations. These companies have what human rights experts have cautiously referred to as “ties to” the Trump administration. The agreement was meant to end years of political concern over the use of user data from Americans. Less obviously, it has concentrated a large amount of surveillance infrastructure in the hands of a new group of owners at the exact moment that the capabilities of the pixel are being increased. No one should have to explain that as a coincidence.

The more serious issue is that conventional privacy defenses are ineffective in this situation. It doesn’t help to uninstall the app. You might never have had an account, so deleting it doesn’t help. Because TikTok, like Google and Meta before it, has moved toward a method known as browser fingerprinting, clearing cookies only partially works. The system combines dozens of seemingly innocuous data points, such as your operating system, screen resolution, time zone, battery level, and installed fonts, rather than depending on a cookie that the user can remove. By itself, none of them are dangerous. When combined, they create a signature that is distinct enough to recognize you on different websites, during different sessions, and over different months. According to Disconnect’s researchers, the method is basically unbreakable unless you actively break it.

Reading the story’s coverage gives us the impression that we’ve seen this specific movie before. DuckDuckGo’s Peter Dolanjski told the BBC as much. He said, “This is exactly the playbook that Google and Meta have used over the years: start small, accumulate covertly, and grow into an empire with a clear view of everyday life.” According to DuckDuckGo’s own research, TikTok’s tracker appears on roughly 5% of the most popular websites worldwide. That may seem insignificant, but when you compare it to Google at about 72% and Meta at 21%, you see that TikTok is climbing the ladder in a similar manner to its forebears, albeit more quickly and with fewer apologies.

Practically speaking, what is feasible is limited. Browsers that prioritize privacy, such as Firefox, Brave, and DuckDuckGo, come with integrated tracker blocking that prevents the majority of pixels from firing. You can add extensions to other browsers, such as uBlock Origin, Ghostery, Privacy Badger, and Disconnect’s own tool. iOS users can disable “Allow Apps to Request Tracking” in Settings on their mobile device. Google Settings is where Android users can change their advertising ID. None of these metrics are ideal on their own. When stacked, they create a significant dent. Both Jackson and Dolanjski believe that users should never have been held accountable in the first place. The system’s purpose was to extract. The extraction is functioning.

It’s difficult to ignore how much of today’s privacy advice consists of telling people to put obstacles in the way of systems designed specifically to eliminate it. The pixel economy was designed to be undetectable. Every shoe store, news website, and crisis hotline has it running silently in the background. Those who are most impacted are frequently the least able to protect themselves: older users, users who lack the technical know-how to install browser extensions, and users who have never read a privacy policy because they were never intended to be read. It’s still unclear if TikTok’s increased pixel capabilities will become a regulatory flashpoint or just the new standard. The app you deleted last year most likely still knows where you went this morning, which is less questionable.