TikTok has rolled out a new US Privacy Policy, alongside a corporate restructure that places American users under TikTok USDS Joint Venture, a majority USA-owned entity, with Oracle as the anchor data-security partner.
The changes bring TikTok’s US data practices into closer alignment with other large social platforms, especially around precise location collection and off-platform advertising.
However, compared to TikTok’s own earlier US position, the new policy is less privacy-protective in key areas – most notably precise geolocation and broader ad targeting. At the same time, TikTok’s governance and oversight mechanisms are meaningfully stricter than industry peers, due to political and regulatory commitments.
The Internet and social media had enjoyed a fast wave of criticism for the new policies. However, the review of the policies versus other American-based policies show that the differences are small and, overall, the policy is in line with other social media sites such as Meta or Snapchat.
Let’s take a look at the facts.
Why the Policy changed
The update coincides with the formal creation of TikTok USDS Joint Venture LLC to satisfy the 2024 divest-or-ban law and avoid a US shutdown by ByteDance, the Chinese owners of the social media service. Under the new structure, Oracle hosts US user data and plays a prominent role in algorithm security and audits. This is a structural solution to long-running national-security concerns tied to ByteDance ownership. The new terms and privacy notice establish US jurisdiction, set the contract with the new entity, and deliver surface changes in data uses – especially around location and advertising.
TikTok USA less private now, but in line with social media in USA
TikTok’s 2026 U.S. privacy posture tells a two-part story:
- Governance got tougher – and credibly so. US controllers, US hosting, and Oracle’s supervision create oversight mechanisms that most platforms do not have, at least not explicitly in policy.
- Data collection got more “normal” – which, in today’s market, means more expansive than TikTok’s previous US position in some areas. That is a privacy step-back for US TikTok users compared to 2023–2024, even if it simply catches up with the broader social-media playbook.
For enterprises and regulators, the lesson is clear: structural safeguards do not automatically equal stricter data-minimisation. Governance can reduce certain risks (e.g., geopolitical access) while the commercial data footprint still looks very much like the rest of the USA’s social media.
What’s actually different in the new US Policy
1) Legal entity and governance (stricter)
USA users now contract with TikTok USDS, not the legacy ByteDance-controlled entity. The policy references US hosting, oversight, and auditing under Oracle’s environment – measures that go beyond what most social platforms publicly commit to. This is a material governance shift that improves accountability on paper. Here we have stricter governance than before, driven by law and the ownership deal, though this speaks to controls, not necessarily minimisation of data collection.
2) Sensitive data categories (more transparent, not necessarily new)
The new policy explicitly lists the sensitive categories it may process (when users disclose them), including sexual orientation, gender identity, and citizenship/immigration status. While the wording alarmed many users, this explicit listing is largely a compliance requirement under state privacy laws (eg, California Privacy Rights Act (CPRA),) rather than a wholesale expansion of surveillance. The CPRA, in force since 1 January 2023, amended and expanded the earlier CCPA. It means that if a company does collect or process sensitive personal information, it must do so under strict transparency, limitation, and user-control rules.
The previous policy already allowed inference/processing of such traits from user content; the new text is simply more direct. Transparency is up; scope looks broader, but the underlying practice is industry-standard.
3) Precise Location (expanded vs. old TikTok, aligned with industry)
Historically, TikTok’s US policy stated it did not collect precise GPS location from US users on current app versions. The new policy allows precise location if users opt in via device settings, bringing TikTok in line with Meta, Snap, and X. This is a genuine privacy regression compared to TikTok’s previous US stance, even if it is now mainstream. In sum, this is less protective than before for users; but is standard practice among peers.
4) Advertising and off-platform use (broader)
TikTok now states it will use first-party and third-party information to show customised ads on TikTok and off TikTok – again aligning with prevailing adtech practices across social media. Users retain some controls/opt-outs, but the scope is broader than prior language focused primarily on “tailored advertising” inside the app. This is an expanded commercial use, consistent with the market.
5) Cross-border sharing (clearer, but not eliminated)
Despite US data localisation rhetoric, the policy signals limited sharing with global operations to deliver an “interoperable experience,” subject to US law. This mirrors how global platforms operate and reflects the practical realities of a worldwide service. Bottom line: Business-as-usual for global platforms, now stated more plainly.
Side-by-Side Snapshot
| Area | TikTok (New US Policy, Jan 2026) | TikTok (Previous US Posture, 2023–2024) | Industry Position (Meta/Google/Snap) |
| Legal entity & governance | US users contract with TikTok USDS JV LLC; Oracle hosts US data; audits and oversight emphasised. | Contracted with entities ultimately controlled by ByteDance; “Project Texas” commitments not fully embedded in policy language. | No equivalent US-only JV; standard global controller structures. |
| Sensitive data categories | Explicitly lists sensitive categories (e.g., sexual orientation, gender identity, immigration status) when users disclose them. | Allowed processing/inference via content but less prominently disclosed. | Also lists sensitive categories to meet state law requirements; common practice. |
| Precise location | Enabled if user opts in (device location services). | Not collected from US users on then-current app versions. | Common: Meta, Snap, X collect precise location with opt-in. (Regression vs. old TikTok; aligned with peers.) |
| Advertising/off-platform use | On- and off-platform ad personalisation using first-/third-party data; in-app controls referenced. | Primarily “tailored advertising” within TikTok. | Common: cross-site ad personalisation standard across major platforms. |
| Cross-border sharing | Limited sharing to support an “interoperable experience,” consistent with law. | Vague references; US storage assurances prominently messaged. | Common: global data flows with regional safeguards. |
Source: MEF
How it stacks up against Meta and Snapchat
Meta (Facebook/Instagram) and Snapchat already support precise location collection on an opt-in basis and perform extensive cross-site advertising and measurement using first- and third-party signals.
Meta’s public notices list similarly broad sensitive categories, driven by CPRA transparency obligations, including how traits may be inferred from content or activity. Snap likewise discloses location, ad personalisation, and inference uses. Against this backdrop, TikTok’s revised policy is not an outlier; if anything, it reflects the adtech centre-of-gravity that has defined social media for years.
Where TikTok differs is governance: a US-specific entity plus Oracle’s hardening of data hosting and algorithm oversight. These are controls that neither Meta nor Snap currently mirror in the US market. Practically, users get industry-standard data collection, while regulators get unusually prescriptive governance mechanics.