Disclosure Guide

How to disclose the TikTok Pixel in your privacy policy

The TikTok Pixel tracks conversions and enables retargeting on TikTok, one of the fastest-growing advertising platforms. It carries elevated regulatory scrutiny given TikTok's data handling practices, and its advanced matching feature transmits hashed personal data to TikTok servers. Disclosure obligations are significant and technically precise.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data TikTok Pixel typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • IP address

  • TikTok cookie identifiers (_ttp and _tt_enable_cookie)

  • Page URLs and event data

  • Browser and device fingerprint signals

  • Hashed email address, phone number, and name when advanced matching is configured

  • Custom conversion events and values

  • Click identifier (ttclid) from TikTok ad links

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with TikTok Pixel.

  • Conversion tracking for TikTok advertising campaigns

  • Retargeting website visitors with ads on TikTok

  • Building custom and lookalike audiences

  • Measuring campaign attribution and return on ad spend

  • Audience optimization and campaign personalization

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

Under the CCPA and CPRA, transmitting personal information to TikTok for cross-context behavioral advertising is a "sale" or "sharing." Your policy must describe this, provide a Do Not Sell or Share link, and honor GPC signals. Multiple state attorneys general have scrutinized TikTok's data handling practices. If advanced matching is enabled, the transmission of hashed PII to TikTok triggers heightened disclosure obligations and must be explicitly described in the policy.

EU and UK (GDPR)

Under the GDPR, the TikTok Pixel requires explicit opt-in consent. TikTok Technology Limited (Ireland) is the EU data controller. Standard Contractual Clauses are required for data transfers to TikTok Inc. in the United States. Supervisory authorities in several EU member states have issued guidance or enforcement actions regarding TikTok data transfers. Your policy must describe the legal basis, transfer mechanism, and that TikTok uses data for its own platform purposes.

Example language

Illustrative policy language for TikTok Pixel

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Advertising tracker table row

TikTok Pixel (TikTok Inc.): Tracks conversions and website behavior for TikTok advertising campaigns and retargeting. May transmit hashed personal data to TikTok when advanced matching is enabled. Category: Advertising and targeting.

Full TikTok advertising disclosure paragraph

We use the TikTok Pixel, an advertising tracking technology provided by TikTok Inc. (and, for EU visitors, TikTok Technology Limited). The TikTok Pixel collects information about your visits to this website, including pages viewed and actions taken such as purchases or form submissions, and transmits this data to TikTok to measure the performance of our advertising campaigns, enable retargeting of visitors on TikTok, and build advertising audiences. Where we have configured advanced matching, the Pixel may also transmit hashed versions of personal data such as your email address or phone number to improve attribution accuracy. TikTok uses this data for its own platform purposes as an independent data controller. For EU and UK visitors, this processing requires your explicit consent before the Pixel may operate. You can opt out by adjusting your consent preferences in our consent center or through TikTok's advertising settings. Data is transferred to TikTok Inc. in the United States under Standard Contractual Clauses.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for TikTok Pixel.

  1. Assign the TikTok Pixel to the "Advertising" or "Targeting" consent category. Do not classify it as Analytics, Functional, or Strictly Necessary.

  2. In opt-in markets (EU, UK), the Pixel must not fire before explicit consent is granted. Test no-interaction and reject states to confirm no TikTok endpoints are contacted.

  3. In California, the Pixel must be blocked when a GPC signal is detected or when the visitor has opted out of sale and sharing.

  4. If advanced matching is enabled, the CMP and tag manager must prevent hashed PII from being transmitted without consent. Advanced matching parameters are passed at Pixel initialization; ensure the entire Pixel is blocked, not just event-level data.

  5. Use TikTok Events API (server-side) with care: client-side opt-outs do not automatically propagate to server-side event forwarding without explicit consent-state checks.

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between TikTok Pixel privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Policies describe the TikTok Pixel as consent-gated and state that it only fires after the visitor accepts advertising cookies.

  • Policies omit advanced matching entirely, or describe the Pixel as transmitting only "anonymized" behavioral data.

  • Policies provide a Do Not Sell or Share link and describe opt-out rights but do not confirm that the Pixel is technically blocked after opt-out.

What Lokker validates

  • Lokker tests the no-interaction, reject, and GPC states to verify whether the TikTok Pixel contacts analytics.tiktok.com or similar endpoints before consent is recorded.

  • When advanced matching is enabled, the Pixel transmits hashed email, phone, or name to TikTok. Lokker captures Pixel payload data to determine whether hashed PII appears in the network request, which changes the disclosure obligation significantly.

  • Lokker runs a GPC and opt-out flow and checks whether TikTok endpoints are still contacted. A policy statement about opt-out is meaningless without technical enforcement at the network layer.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether TikTok Pixel loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
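
The checks in the configuration checklist and validation list above can be run over a captured request log. The following is an added example, not Lokker's tooling or code from this page. It assumes that any host on tiktok.com counts as a TikTok endpoint and that hashed identifiers are SHA-256-shaped (64 hex characters); the sample requests, paths, and field names are constructed.

```javascript
// Consent states in which no TikTok request is acceptable (per the checklist above).
const BLOCKED_STATES = new Set(["no-interaction", "reject", "gpc"]);
// Assumption: any host on tiktok.com counts as a TikTok endpoint.
const isTikTokHost = (host) => host === "tiktok.com" || host.endsWith(".tiktok.com");
// Assumption: hashed identifiers look like SHA-256 hex digests (64 hex characters).
const HASH_SHAPED = /^[a-f0-9]{64}$/i;

// Recursively collect [path, value] leaves from a parsed JSON body.
function leaves(node, path = "", out = []) {
  if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) leaves(v, path ? `${path}.${k}` : k, out);
  } else {
    out.push([path, String(node)]);
  }
  return out;
}

// Audit one capture: `entries` is a HAR-like list of {url, postData} requests
// recorded while the browser was held in consent state `state`.
function auditCapture(state, entries) {
  const findings = [];
  for (const e of entries) {
    let u;
    try { u = new URL(e.url); } catch { continue; } // skip malformed URLs
    if (!isTikTokHost(u.hostname)) continue;
    const fields = [...u.searchParams.entries()];
    if (e.postData) {
      try { fields.push(...leaves(JSON.parse(e.postData))); } catch { /* non-JSON body */ }
    }
    // Names of fields whose values are hash-shaped (possible advanced matching data).
    const hashedFields = fields.filter(([, v]) => HASH_SHAPED.test(v)).map(([k]) => k);
    const violation = BLOCKED_STATES.has(state); // any contact is a failure here
    if (violation || hashedFields.length) {
      findings.push({ state, host: u.hostname, violation, hashedFields });
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic); paths and field names are illustrative.
const SAMPLE = [
  { url: "https://shop.example/checkout" },
  { url: "https://analytics.tiktok.com/example-path?ttclid=abc123" },
  { url: "https://analytics.tiktok.com/example-path",
    postData: JSON.stringify({ user: { email: "a".repeat(64) } }) },
];
```

In the accept state a finding with `hashedFields` is not a consent failure, but it shows that advanced matching is live and has to be described in the policy.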

Questions

TikTok Pixel privacy policy FAQ

Does the TikTok Pixel require consent in the EU?

Yes. The TikTok Pixel is a non-essential advertising technology and requires explicit opt-in consent from EU and UK visitors under the GDPR and ePrivacy Directive. Technical validation is required: the Pixel must not fire before consent is granted and must be completely blocked, not just send denied signals, in the reject state.

What is TikTok advanced matching and how does it affect my policy?

Advanced matching allows you to pass hashed personal identifiers (email address, phone number, name) alongside Pixel events to improve conversion attribution. When enabled, this transmits personal data in hashed form to TikTok, which changes the nature of the processing from pseudonymous event data to a more direct personal data transfer. Your policy must describe this processing activity separately from standard Pixel event tracking.

What regulatory risks are associated with the TikTok Pixel?

The TikTok Pixel carries elevated regulatory attention because of ongoing scrutiny of TikTok's data transfers between the United States and China, the platform's processing of minors' data, and enforcement activity by EU supervisory authorities and US state regulators. In addition to the standard GDPR and CCPA obligations that apply to any advertising pixel, organizations should assess the cross-border transfer risk specific to TikTok and ensure their DPA and Standard Contractual Clauses are current.


Validate technical compliance

Confirm that TikTok Pixel fires only when it should

Confirm that the TikTok Pixel does not fire in the reject, no-interaction, or GPC states and that advanced matching does not transmit hashed personal data without consent.