
Abstract
In the digital age, privacy has become a second thought to innovation and entertainment. As social media algorithms get smarter and Americans turn to platforms like TikTok for their daily doom scroll, more and more personal data is shared with private companies. Yet, instead of considering an app’s terms and conditions as a signed contract, users view accepting these policies as a blockade to their cherished screentime, begrudgingly scrolling and accepting the pop-up box. Ironically, countless TikToks and Instagram reels have taught us that maybe these policies should be considered more, yet, with millions of daily users, this idea is as fleeting as a scroll onto another TikTok. However, from precise location tracking to the collection of sensitive information, TikTok’s new privacy policy, introduced in late January 2026, garnered mass attention for its potential encroachments upon personal data. These new policies come in the wake of TikTok’s ownership being transferred to a United States entity after its parent company, ByteDance, was threatened by the Trump administration to change its practices, citing national security concerns over China’s government accessing Americans’ data. And while ownership has been transferred, concerns over data privacy still remain. This is due in large part to the United States’ lack of a comprehensive privacy law, contrasting greatly with the EU’s extensive General Data Protection Regulation (GDPR). Unlike the United States’ patchwork of privacy laws, the GDPR has been instrumental in holding platforms like TikTok accountable for their deceptive data collection policies. Therefore, this note aims to highlight how TikTok’s most recent privacy policy and the EU’s GDPR demonstrate the shortcomings in the United States’ patchwork of laws relating to data privacy protections, and looks to shed light on potential data privacy reforms.
I. Privacy Laws in the United States: A Patchwork or Framework?
The word “privacy” is never mentioned in the Constitution. However, in the twentieth century, courts began giving meaning to numerous parts of the nation’s founding document, defining the right to privacy. The concept of privacy was first explored in Griswold v. Connecticut, in which a Connecticut law made it a crime to purchase contraceptives.[1: Griswold v. Connecticut, 381 U.S. 479 (1965).] In its ruling, the Supreme Court held that “zones of privacy” were enshrined in the Constitution through the Bill of Rights.[2: Ibid.] The Court referenced the First, Third, and Fourth Amendments in forming these zones: the First Amendment provides the right of association, the Third Amendment prohibits the quartering of soldiers during peacetime, and the Fourth Amendment firmly establishes that individuals have the right “to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”[3: Griswold v. Connecticut, 381 U.S. 479 (1965).] Moreover, the Court held that the Fifth Amendment creates a zone of privacy in which the government cannot force a person to incriminate themselves. In its ruling, the Court referred to an earlier decision in Mapp v. Ohio, in which the Fourth Amendment was described as creating a “right to privacy, no less important than any other right carefully and particularly reserved to the people.”[4: Ibid.] As a result, the challenged Connecticut statute was found to have violated an individual’s right to marital privacy.[5: Griswold v. Connecticut, 381 U.S. 479, 484-486 (1965).] Through this decision, the Court established privacy as a fundamental right by means of the Ninth Amendment, which states that “The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.”[6: Id. 488 (1965).] Thus, though not explicitly stated, the fundamental right to privacy was implied through the Constitution’s text. Further, Katz v. United States established that the Fourth Amendment protects people, not places, and that individuals have a reasonable expectation of privacy.[7: Katz v. United States, 389 U.S. 347, 351 (1967).][8: Id. 347, 360 (1967).] By clarifying the Fourth Amendment’s meaning, Katz became a landmark case and set a precedent for future lawsuits alleging privacy violations.
Other cases, such as Roe v. Wade, held that through the Due Process Clause of the Fourteenth Amendment, the fundamental right of privacy extended to a woman’s bodily autonomy to choose to have an abortion.[9: Roe v. Wade, 410 U.S. 113 (1973).] Similarly, in Lawrence v. Texas, the Court also cited bodily autonomy and the fundamental right to privacy in its ruling, holding that consenting adults could engage in same-sex sexual relations and that state laws prohibiting sodomy were unconstitutional.[10: Lawrence v. Texas, 539 U.S. 574 (2003).] However, it must be noted that these “zones of privacy” apparent in the United States Constitution protect the right to live one’s life free from warrantless intrusion by the United States government—not by foreign governments or private companies.
In the United States, there is currently no all-encompassing national privacy law. Instead, there are federal laws targeting specific aspects of privacy. For example, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protects “individually identifiable health information,” ensuring that sensitive data of those residing in the United States is secure in healthcare settings.[11: United States Department of Health & Human Services, OCR Privacy Brief: Summary of the HIPAA Privacy Rule (2003), https://www.hhs.gov/sites/default/files/privacysummary.pdf.] Meanwhile, the Children’s Online Privacy Protection Rule (COPPA) provides regulations that companies must abide by when collecting personal information from children under the age of 13.[12: 16 CFR Part 312 — Children’s Online Privacy Protection Rule (COPPA Rule), https://www.ecfr.gov/current/title-16/part-312.] Other United States privacy laws, like the Privacy Act of 1974 and the Social Security Number Fraud Prevention Act of 2017, ensure that federal agencies safeguard Americans’ personal information.[13: Office of Privacy and Open Government, Privacy Laws, Policies and Guidance, U.S. Department of Commerce (2025), https://www.commerce.gov/opog/privacy/privacy-laws-policies-and-guidance.] And while action has been brought against social media companies over data collection through Section Five of the Federal Trade Commission (FTC) Act—which targets “unfair or deceptive acts or practices in or affecting commerce”—these federal laws are worded broadly and are not nearly as stringent as those of the international community.[14: 15 U.S.C. Sec. 45(a)(1).][15: Federal Trade Commission, Privacy and Security Enforcement, Federal Trade Commission, https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement.]
As a result of this patchwork of privacy laws, numerous states have developed their own privacy frameworks. As of now, 20 states have privacy laws that enforce stricter regulations inside their borders.[16: Max Rieper, All of the Comprehensive Privacy Laws That Take Effect in 2026, Multistate (2026), https://www.multistate.us/insider/2026/2/4/all-of-the-comprehensive-privacy-laws-that-take-effect-in-2026.] Of these 20 states, California arguably has the most robust privacy regulations. Among its provisions, the California Consumer Privacy Act (CCPA) asserts that “All people are by nature free and independent and have inalienable rights. Among these are…happiness, and privacy.”[17: Cal. Const. art. I, § 1.] In broad terms, the CCPA gives users the right to opt out of the sale or sharing of their personal data with businesses, the right to delete the data that is being shared, and the right to know what data is being shared.[18: California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100–1798.199.100 (West 2023).] These state laws can be compared to the stringency of the EU’s GDPR, which establishes in Recital One that “The protection of natural persons in relation to the processing of personal data is a fundamental right.”[19: Commission Regulation 2016/679, Recital 1, 2016 O.J. (L 119) 1 (EU).] This is the key difference between the United States’ patchwork of privacy laws and the EU’s GDPR—the EU guarantees the fundamental right to privacy in its Charter of Fundamental Rights, which provides “that everyone has the right to the protection of personal data concerning him or her.”[20: Charter of Fundamental Rights of the European Union art. 8(1), 2012 O.J. (C 326) 391.] In the United States, the right to privacy is established as a fundamental right only by implication in the Constitution. Roe v. Wade was decided based on the implied fundamental right to privacy provided by the Fourteenth Amendment, yet it was overturned by Dobbs v. Jackson Women’s Health Organization in 2022.
This raises the question: can privacy still be a guaranteed fundamental right? With “privacy” unenumerated in the Constitution and justices increasingly motivated by partisan politics, a privacy patchwork may no longer be sufficient to protect consumers’ rights in the United States.
II. TikTok’s New Privacy Policy
In September 2025, President Donald Trump signed Executive Order 14352, Saving TikTok While Protecting National Security, which required the platform, owned by the China-based ByteDance Limited, to divest and no longer be controlled by a “foreign adversary.”[21: Exec. Order No. 14,352, 90 Fed. Reg. 47,219 (Sept. 30, 2025).] In its attempts to comply with the divestiture, in late January 2026, TikTok rolled out a new privacy policy that Americans were expected to accept to continue using the app. Currently, TikTok collects users’ information by three means: information that the user provides, information that is automatically collected, and information from other sources.[22: Privacy Policy, tiktok (2026), https://www.tiktok.com/legal/pag/us/privacy-policy/en.] The app’s policy acknowledges that information users provide “may include sensitive personal information, as defined under applicable state privacy laws”, and states that the information it processes is handled “in accordance” with state privacy laws like the CCPA.[23: Ibid.] The updated January 2026 policy complies with California’s Shine the Light law, under which users residing in California whose personal information is shared with a business may request, at least once a calendar year, information regarding what data has been collected and shared with other businesses.[24: Cal. Civ. Code § 1798.83.][25: Privacy Policy, tiktok (2026), https://www.tiktok.com/legal/page/us/privacy-policy/en.] The policy also adheres to California’s Online Eraser law, which allows minors under the age of 18 to request that their specific content be removed.[26: Cal. Bus. & Prof. Code § 22581.] Though on the surface these policies seem beneficial, it is worth noting that they only apply to California residents. As a direct result of the United States’ patchwork of privacy laws, these consumer rights and protections for minors are not available to a majority of TikTok’s United States users, a concern that policymakers must address.
Further, the policy attaches a disclaimer to this compliance, adding “Please note that your request may not ensure complete or comprehensive removal of the material.”[27: Privacy Policy, tiktok (2026), https://www.tiktok.com/legal/page/us/privacy-policy/en.] This disclaimer further highlights that even though TikTok appears to comply with privacy laws, the company may not fully guarantee these legally mandated protections, demonstrating the need for more stringent data protection laws in the United States.
Similarly, in its section describing the types of information that are automatically collected, the policy states that “We may collect biometric identifiers and biometric information as defined under US laws…Where required by law, we will seek any required permissions from you prior to any such collection.”[28: Ibid.] The phrase “Where required by law” is ambiguous—it does not describe which laws the company must act in accordance with or what these permissions may consist of.[29: Ibid.] Each state has varying privacy laws—if it has developed a privacy framework at all—and with no established way of tracking TikTok’s compliance with this patchwork of privacy laws, this promise evidently falls short.
TikTok’s new policy also notes that users’ shared information may be governed by a third party’s privacy policy in lieu of TikTok’s. This could result in legal loopholes, especially as the platform does not list each of the third-party partners with which it shares users’ data. The policy notes that “information collected by third parties may not have the same security protections as information you submit to us, and we are not responsible for protecting the security of such information.”[30: Privacy Policy, tiktok (2026), https://www.tiktok.com/legal/page/us/privacy-policy/en.] In its policy regarding independent researchers, the text states that “We may share certain of your information with qualifying researchers to facilitate independent research”, without indicating what this “certain of your information” is or providing users with the ability to opt out or consent specifically to this use.[31: Ibid.] By setting these precedents, users have even less autonomy over their personal information being shared, not only by TikTok, but also by the companies TikTok shares their information with. Therefore, it is clear that narrower guidelines are needed for how companies present their terms and conditions, so that users are incentivized to truly understand their rights and what personal data they may willingly be giving up.
TikTok users can request to obtain what information has been collected about them. The policy asserts that the platform will not retaliate against a user for exercising their “rights and choices” to do so, “although some aspects of the Services may no longer be available” to the user.[32: Ibid.] Thus, users may be disincentivized from truly exercising their “rights and choices”, a phenomenon that defies the so-called fundamental right to privacy all Americans are guaranteed through the “zones of privacy” in the Constitution.[33: Griswold v. Connecticut, 381 U.S. 479 (1965).] And while the policy asserts that it will act in compliance with regulations imposed by laws and directives like Executive Order 14352, the policy states that TikTok “may transmit your information outside of the United States, for purposes of sharing with recipients as described in this Privacy Policy.”[34: Privacy Policy, tiktok (2026), https://www.tiktok.com/legal/page/us/privacy-policy/en.] In its very name, Executive Order 14352 was signed to prevent national security threats. With users’ information still being transmitted to unknown locations and unnamed companies for unclear reasons, it is clear that the patchwork of the United States’ privacy laws must be reformed.
III. Case Precedent
In 2017, the Supreme Court heard a case surrounding the use of cell phone users’ data by wireless carriers. Timothy Carpenter’s location points, also known as cell-site location information (CSLI), were used by prosecutors to convict him of multiple robberies. Carpenter argued that the government’s collection of his CSLI without a warrant and probable cause violated his Fourth Amendment rights. The Sixth Circuit affirmed the trial court’s decision to reject Carpenter’s motion to suppress the data used against him. The lower court held that Carpenter had no reasonable expectation of privacy in his location information because this information was shared with his wireless carriers.[35: Carpenter v. United States, 585 U.S. 296 (2018).]
After granting certiorari, the Supreme Court held that the seizure of Carpenter’s CSLI was a Fourth Amendment search. As discussed in Katz v. United States, the Fourth Amendment protects certain expectations of privacy in addition to property interests. The Court recognized that an expectation of privacy that society would deem reasonable requires a warrant supported by probable cause before a search may occur. These expectations of privacy can be traced back to the founding era, and to what the framers might have considered an unreasonable search and seizure when the Bill of Rights was ratified. The Court acknowledged that CSLI does not fit within the framers’ original understanding of reasonable expectations of privacy. Instead, the Court referred to the decisions in United States v. Jones, United States v. Miller, and United States v. Smith to inform its reasoning. Jones established a precedent for one’s expectation of privacy in their physical location and movements, while Miller and Smith addressed one’s expectation of privacy after voluntarily providing personal information to a third party.[36: Carpenter v. United States, 585 U.S. 296 (2018).]
The Court acknowledged that, when it comes to their physical movements, individuals have a reasonable expectation of privacy. CSLI arguably creates even graver privacy concerns given its historical capabilities.[37: Ibid.] In Carpenter, the Supreme Court noted that CSLI has similar qualities to the GPS monitoring discussed in Jones but also invokes the third-party principles of Miller and Smith, due to the continuous sharing of location data with wireless carriers and because the records are considered “business records.”[38: Ibid.] However, the Court did not fully extend the Smith and Miller decisions to Carpenter due to the unprecedented nature of CSLI.[39: Ibid.] As the Court recognized, the Third-Party Doctrine comes from the idea that individuals have a lesser expectation of privacy in information they knowingly share. Since Smith and Miller did not rely solely on the act of sharing, the Court did not apply the same reasoning used in Smith and Miller to Carpenter.[40: Ibid.] According to the Supreme Court, another rationale for the Third-Party Doctrine is voluntary exposure, which does not necessarily apply to CSLI. While cell phone data is shared, CSLI does not meet the same definition of “shared” as the Supreme Court has interpreted it. Because cell phones have become an “indispensable” part of everyday life and log a cell-site record automatically without any action being taken by the user, the Supreme Court’s decision seemingly began to depart from the Third-Party Doctrine in the digital age.[41: Ibid.]
Today, Carpenter is considered a landmark case in protecting Americans’ data from unreasonable intrusion and seizure. Yet, like the Constitution itself, this case addresses the government’s ability to access third-party data, not that of private companies. Thus, Carpenter leaves the Third-Party Doctrine an ambiguous rule to be applied in today’s digital landscape. In the United States, there is currently little case law—or at least little landmark case law—that strictly deals with data collection by companies and consumer rights. The case law that does exist typically rules in favor of data-hungry companies, like Facebook and Apple Inc. In 2018, in Smith v. Facebook, the Ninth Circuit dismissed plaintiffs’ claims that Facebook infringed upon multiple state and federal laws through its collection of users’ data when they visited various healthcare websites.[42: Winston Smith v. Facebook, Inc., No. 17-16206 (9th Cir. 2018).] Among their complaints, the plaintiffs contended that Facebook did not have consent from users to collect this specific data, as the healthcare websites’ privacy policies asserted that they would not share data with third parties. In its opinion, the Ninth Circuit affirmed that “Facebook’s Terms and Policies make no such assurance, and Facebook is not bound by promises it did not make.”[43: Winston Smith v. Facebook, Inc., No. 17-16206 (9th Cir. 2018).] While the Court was factually correct in determining that there was no basis for the plaintiffs’ complaint due to Facebook’s lack of assurance, a case can be made that a reasonable person would expect such an assurance that their sensitive health data would not be shared between third-party companies. And while companies need not facilitate a “reasonable expectation of privacy” as the United States government must, these companies should be held to similar standards.
HIPAA applies to “covered entities and business associates,” which include doctors and health insurance companies, among other healthcare-related bodies—why shouldn’t it also apply to online platforms and companies like Facebook?[44: Covered Entities and Business Associates, U.S. Department of Health and Legal Services (2024), https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html.] Similarly, in January 2026, the United States District Court for the Northern District of California dismissed a class action suit against Apple for the “improper collection and use of Apple mobile device users’ data.” Relying on the United States’ patchwork of privacy laws, the plaintiffs attempted to bring a suit against Apple for its alleged violations of the California Invasion of Privacy Act, Pennsylvania’s Wiretapping and Electronic Surveillance Act, and an “invasion of privacy under the California Constitution”.[45: Order Granting Motion to Dismiss, In re Apple Data Privacy Litig., No. 5:22-cv-07069-EJD (N.D. Cal. Jan. 20, 2026), ECF No. 150.] The Court did not find the plaintiffs’ claims sufficient and granted Apple’s motion to dismiss. Even in a state like California, which champions strict privacy laws and generally greater protection of individual rights, this California District Court gave Apple the upper hand. As cases like these continue to be argued, there is a clear trend of courts ruling in favor of large companies, resulting not only in losses for consumers but also in precedent that will weigh against future claims brought by consumers. With the uncertainty surrounding the Third-Party Doctrine in the digital age and the lack of case law in favor of data privacy, there exist few legal mechanisms by which consumers can ensure their privacy is protected. For these reasons, the United States’ patchwork of privacy laws must be reformed and improved to ensure Americans’ fundamental right to privacy is preserved.
IV. The Legacy of Schrems I & II and The GDPR Today
The Schrems I and Schrems II cases arose in the midst of the creation and implementation of the European Union’s (EU) General Data Protection Regulation (GDPR), a law that governs the transfer and use of digital and personal data in the EU. Before the GDPR was introduced in 2016, the EU operated under a framework known as the 1995 Data Protection Directive.[46: European Data Protection Supervisor, The History of the General Data Protection Regulation, http://www.edps.europa.eu (2018), https://www.edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en.] Despite these safeguards, Maximilian Schrems, an Austrian lawyer and privacy advocate, felt these regulations—especially data sharing agreements between the EU and other countries like the United States—were not enough to protect data being transferred from the EU to foreign countries.[47: How the Schrems II Decision Changed Privacy Law, TrustArc (2024), https://trustarc.com/resource/schrems-ii-decision-changed-privacy-law/.] Though different countries are involved and today’s digital landscape is more convoluted, one can arguably claim that Schrems’s concerns mirror those the average American TikTok user may have today: fears about personal data privacy and about data being transferred to foreign countries. Schrems was concerned with Facebook user data being transferred to the United States; the average American TikTok user may be concerned with their data being transferred to third parties and foreign countries without explicit consent. In the EU, the Schrems decisions helped create greater awareness of the need for more stringent data collection regulations, setting the stage for the necessity and effectiveness of the GDPR. Yet, today, the only real lawful action taken against TikTok for its data privacy concerns has been Executive Order 14352 and a patchwork of state privacy laws.
Given Schrems’s concerns over Facebook’s policies and the EU’s responses, the United States should look to the EU as a model for how to protect its people’s fundamental right to privacy.
V. Schrems I
Schrems brought actions against Facebook Ireland Ltd in an Austrian court, alleging that the company violated his data protection and privacy rights. Seven other Facebook users from Austria, EU Member States, and non-member States brought similar claims, and the case was eventually brought before the Court of Justice of the European Union (CJEU).[48: Opinion of Advocate General Bot, Schrems v. Data Protection Comm’r, Case C-362/14, EU:C:2015:627 (Sept. 23, 2015).] In its 2015 ruling, the CJEU invalidated the Safe Harbor Privacy Principles between the United States and the EU.[49: Schrems v. Data Protection Comm’r, Case C-362/14, EU:C:2015:650 (Oct. 6, 2015).] The Safe Harbor Privacy Principles were developed by the United States Department of Commerce in response to the 1995 Data Protection Directive. The Directive provided that personal data from the EU could only be transferred to non-EU countries deemed to have an “adequate” level of privacy protection. To meet this “adequate” level of protection, the United States introduced the Safe Harbor Privacy Principles in 2000. This agreement between the United States and the EU was made up of seven components: notice, choice, onward transfer, security, data integrity, access, and enforcement.[50: U.S. Dep’t of Commerce, Safe Harbor Privacy Principles (July 21, 2000), https://rm.coe.int/16806af271.] However, the CJEU found that the United States did not meet the Article 25 standard of the Directive regarding an “adequate” level of privacy protection. The judgment highlighted that “‘a number of legal bases under US law allow large-scale collection and processing of personal data that is stored or otherwise processed [by] companies based in the [United States]’ and that ‘[t]he large-scale nature of these programmes may result in data transferred under Safe Harbour being accessed and further processed by US authorities beyond what is strictly necessary and proportionate to the protection of national security.’”[51: Schrems v. Data Protection Comm’r, Case C-362/14, EU:C:2015:650 (Oct. 6, 2015).] The CJEU’s judgment further cited concerns relating to United States national security and intelligence gathering as reasons the United States did not meet the “adequate” standard that the Directive required.[52: Ibid.] Though this ruling may have seemed minor to the United States, the CJEU’s judgment resulted in the development of new regulations between the EU and the United States. While ultimately invalidated in Schrems II, the EU-US Privacy Shield was introduced in 2016 as a replacement for the Safe Harbor Privacy Principles.[53: U.S. Dep’t of Commerce, EU-U.S. Privacy Shield Framework Principles (July 12, 2016).]
VI. Schrems II
Similarly, Schrems brought a complaint against Facebook Ireland Ltd to the Irish Data Protection Commissioner (DPC) regarding the transfer of his personal data from Facebook Ireland to its parent company Facebook, Inc., headquartered in the United States. In a 2019 opinion, the Advocate General of the CJEU outlined three ways in which data could be transferred from the EU to a third State under EU law.[54: Opinion of Advocate General Saugmandsgaard Øe, Data Protection Comm’r v. Facebook Ireland Ltd., Case C-311/18, EU:C:2019:1145 (Dec. 19, 2019).] These are that (1) the third State is deemed to have an “adequate level of protection” for the data being transferred to it, (2) the transfer occurs with various “appropriate safeguards”, and (3) the safeguards are adopted in a contract containing “standard protection clauses” outlined by the European Commission. Referenced throughout the CJEU’s 2020 judgment, the Charter of Fundamental Rights of the European Union upholds the protection of personal data as a fundamental right. Article Eight of the Charter states that “Everyone has the right to the protection of personal data” and that “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned”.[55: Charter of Fundamental Rights of the European Union [2012] OJ C326/391, Art 8(1-2).] Further, the CJEU judgment asserted that “data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union”.[56: Data Protection Comm’r v. Facebook Ireland Ltd., Case C-311/18, EU:C:2020:559 (July 16, 2020).]
Based on this fundamental right and looking to the GDPR, among other legal mechanisms, the CJEU decided that the EU-US Privacy Shield was invalid because “US law does not afford EU citizens a level of protection essentially equivalent to that guaranteed by the fundamental right enshrined in that article [47 of the Charter of Fundamental Rights of the European Union].”[57: Ibid.] Further, the EU-US Privacy Shield was found to be invalid because of US surveillance programs like PRISM and UPSTREAM, to which EU users may be subjected during data transfers without “a level of protection essentially equivalent to that guaranteed by Article 47” to redress potential “unlawful (electronic) surveillance for national security purposes”. In 2023, after the CJEU invalidated the EU-US Privacy Shield, the EU-US Data Privacy Framework (DPF) was introduced.[58: U.S. Dep’t of Commerce, EU-U.S. Data Privacy Framework Principles (July 10, 2023), https://www.dataprivacyframework.gov/EU-US-Framework.]
The difference in legal landscape between the EU and the United States in these instances is that the EU has enumerated the protection of personal data in its governing framework. Conversely, the United States has only recognized a general right to privacy as a fundamental right, which may no longer even be protected given decisions like Dobbs that have reversed landmark cases protecting these fundamental rights. In both Schrems cases, it was clear that the EU accounted not only for fundamental rights, but also for these rights in the context of national security concerns. These concerns, originating from Facebook’s policies, led to an entirely new framework between the EU and the United States to ensure that users’ personal information remained protected during foreign data transfers. Yet, what has the United States done with similar concerns regarding TikTok? Executive Order 14352 was issued largely in response to national security concerns over foreign companies—specifically those in China—transferring and collecting users’ data. And while TikTok’s ownership has changed, the platform’s ability to transfer this data to unknown third parties still remains, demonstrating the need for the United States to use the Schrems decisions and EU regulations as a framework to fix its patchwork of privacy laws.
VII. TikTok and the GDPR Today
In April 2025, the DPC of Ireland released a decision fining TikTok Ireland €530 and ordering the company to suspend its transfer of data from the EU to China and to bring its data processing into compliance with the GDPR within 6 months.[59: Data Protection Comm’n, Decision in the Matter of TikTok Technology Ltd., DPC Case Reference IN-21-9-2 (Apr. 30, 2025).] Among the issues the decision encompassed, the DPC found that TikTok Ireland violated Article 46(1) of the GDPR.[60: Ibid.] Article 46(1) states that “In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”[61: Commission Regulation 2016/679, art. 46(1), 2016 O.J. (L 119) 1 (EU).] In violating this provision, TikTok Ireland had not properly evaluated the extent of China’s laws governing personal data protection for users in the European Economic Area (EEA).[62: Data Protection Comm’n, Decision in the Matter of TikTok Technology Ltd., DPC Case Reference IN-21-9-2 (Apr. 30, 2025).] According to the DPC’s decision, TikTok Ireland did not “verify, guarantee and demonstrate” that its Standard Contractual Clauses and “supplementary measures” were adequate to provide EEA users a level of protection equivalent to that which EU users have. Thus, the DPC asserted that TikTok Ireland transferred EEA users’ data in violation of the GDPR and could not provide a “valid lawful basis” for the data that was transferred.[63: Data Protection Comm’n, Decision in the Matter of TikTok Technology Ltd., DPC Case Reference IN-21-9-2 (Apr. 30, 2025) (Ir.).] Further, the DPC decided that TikTok Ireland did not act in accordance with the GDPR’s provisions regarding data collection transparency.
Specifically, the 2021 EEA Privacy Policy that TikTok Ireland provided for the DPC's review infringed the GDPR in two ways. First, the GDPR requires that users be made aware of "how and where their personal data is processed."64Ibid. TikTok Ireland's privacy policy did not identify the third countries, including China, to which EEA users' data might be transferred, infringing Article 13(1)(f) of the GDPR. Second, the policy did not disclose that staff in China could access EEA users' personal data remotely, which itself constitutes a transfer, again infringing Article 13(1)(f).65Data Protection Comm'n, Decision in the Matter of TikTok Technology Ltd., DPC Case Reference IN-21-9-2 (Apr. 30, 2025) (Ir.).
The DPC's fine against TikTok further demonstrates the disparity between EU and United States data privacy law. The DPC gave TikTok Ireland a strict timeline to implement the required changes. By comparison, President Trump extended the TikTok enforcement delay four times by executive order until TikTok was transferred to United States ownership in January 2026.66Exec. Order No. 14,350, 90 Fed. Reg. 45,903 (Sept. 23, 2025). Unlike the United States, the EU is proactive: with stringent frameworks and case law like Schrems, it has proven to be a bastion of data privacy protection. The United States' patchwork of laws and sparse case law, which tends to favor large companies, instead fosters a climate in which gross invasions of user privacy go unchecked.
VIII. The Path Forward
The concerns at the heart of Schrems' arguments are reflected in the United States' current data privacy landscape, or the lack thereof. TikTok's statement that it "may transmit your information outside of the United States, for purposes of sharing with recipients as described in this Privacy Policy" describes precisely the practice that prompted Schrems' suits.67Privacy Policy, tiktok (2026), https://www.tiktok.com/legal/page/us/privacy-policy/en. America's patchwork of privacy protections pales in comparison to the standard set by the EU's GDPR. Rather than simply comparing the United States' shortcomings to the EU's extensive safeguards, however, policymakers should use the GDPR as a model for a federal data privacy law. As discussed, the key difference between the United States and the EU is the explicit enumeration of a fundamental right to data privacy. The EU has established that right through its Charter of Fundamental Rights, the GDPR, and cases like Schrems. The United States has gone only as far as to say that individuals have a reasonable expectation of privacy and that the fundamental right to privacy is implied by the Constitution. As discussed earlier in this note, the same was said of the right to abortion, which rested on the fundamental right to privacy, and Dobbs overturned it. The little case law that exists shows the courts' tendency to overlook this so-called fundamental right and to prioritize the interests of large companies like TikTok. At the end of the day, TikTok is a business that serves its own interests. Its privacy policy states that TikTok can share the information it collects "to enforce any terms applicable to the Services, and to protect and defend our rights, interests, safety, and security, and those of our affiliates, users, or the public."68Privacy Policy, tiktok (2026), https://www.tiktok.com/legal/page/us/privacy-policy/en. TikTok thus acknowledges that it is willing to sacrifice its users' data to defend its own interests, and the United States' patchwork of privacy laws accommodates that choice. This must change.
For one, a new federal data protection law must state expressly that an individual's data privacy is a fundamental right. This can be modeled on Article 8 of the Charter of Fundamental Rights of the European Union, which, once again, states that "Everyone has the right to the protection of personal data." Or, should policymakers want to look closer to home, they can refer to the language of California's Constitution or the Colorado Privacy Act (CPA), which took effect in 2023. The CPA's legislative declaration states that "The people of Colorado regard their privacy as a fundamental right and an essential element of their individual freedom."69Colo. Rev. Stat. § 6-1-1302(1)(a)(I) (2023). With states increasingly recognizing data privacy as a fundamental right, the federal government should do the same. Doing so would not only begin to hold large companies like TikTok accountable but would also require courts to apply strict scrutiny to government actions that infringe upon data privacy, as they do for other fundamental rights. And although platforms like TikTok, not the government, are the direct infringers, the government's failure to prevent that infringement is itself an argument that the issue demands federal attention.
Moreover, the problem of privacy fatigue must be addressed through improved federal policy and, in turn, improved platform policies. Privacy fatigue occurs when complex privacy disclosures, especially on social media platforms, combined with continuous data leaks and breaches, make users cynical and lead them to abandon protective behavior in favor of "disengagement behaviors," such as scrolling through a privacy agreement and automatically choosing "accept."70Wenjun Wang et al., An exploration of the influencing factors of privacy fatigue among mobile social media users from the configuration perspective, 15 Scientific Reports (2025). According to the Pew Research Center, 56% of Americans say they frequently click "agree" to a privacy policy without reading it.71Colleen McClain et al., How Americans View Data Privacy, Pew Research Center (2023), https://www.pewresearch.org/internet/2023/10/18/how-americans-view-data-privacy/. When crafting new data privacy legislation, lawmakers should keep privacy fatigue in mind and include provisions that ensure users are genuinely aware of their rights. Recital 58 of the GDPR, for instance, states that "The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used."72Regulation (EU) 2016/679, Recital 58, 2016 O.J. (L 119) 1. A new federal law could adopt a similar requirement, obliging platforms operating in the United States to revise their privacy policies so that users are properly informed of their rights. To comply, a platform like TikTok could make its policies more accessible by offering short-form video explaining them alongside the written text. This is only one of many possible measures policymakers could adopt.
The path forward is clear: Americans should no longer “accept” their private data being utilized and transferred in unspecified and unprotected ways. Lawmakers must mend the patchwork of privacy laws with a federal framework, and in turn, platforms like TikTok must be held accountable for upholding users’ fundamental right to privacy.
Edited by Annie Cayer and Emma Morgan
About the Author
Olivia Woodard is a junior at Northeastern University majoring in International Affairs and International Business with a minor in Political Science. She currently serves as a Staff Writer for the Northeastern University Undergraduate Law Review. As a Staff Writer, she wrote a note titled From Immunity to Accountability: Rethinking Section 230 in the Digital Era, which analyzed the creation and implementation of Section 230, arguing the need for its reform in the context of today's ever-changing social media and First Amendment landscape. Olivia hopes to pursue a career as a trial lawyer with legal interests in public interest and constitutional law. She is currently on her second co-op as a Legal Intern and Advocate at Prisoners' Legal Services of Massachusetts and previously worked as a Legal Intern at the Law Offices of Rachel L. Rado. Outside of writing and academics, you can find Olivia searching for the best thrift shops in Boston, kayaking, and experimenting with latte art!

Lost in Translation: The GDPR, TikTok, and the Absence of a Comprehensive U.S. Data Privacy Framework