The Wall Street Journal said that users were not told about the tracking, which ended in November as US scrutiny of the company dialed up amid claims that it was a Chinese government listening tool.
Apparently, for 15 months, TikTok had been gathering the fixed identifier without users’ knowledge.
Google still failed to plug the hole, which is a little odd.
TikTok didn't deny the story; it just said:
"Under the leadership of our Chief Information Security Officer (CISO) Roland Cloutier, who has decades of experience in law enforcement and the financial services industry, we are committed to protecting the privacy and safety of the TikTok community. We constantly update our app to keep up with evolving security challenges, and the current version of TikTok does not collect MAC addresses. We have never given any TikTok user data to the Chinese government nor would we do so if asked. We always encourage our users to download the most current version of TikTok."
The US government says that China’s internet security law requires firms to provide the Chinese Communist Party with access to user data, hence TikTok’s emphatic denial of passing data. But the existence of the law makes it difficult for such claims to stick.
France’s data protection watchdog has been investigating TikTok since May, following a user complaint.
The CNIL’s concerns about how the app handled a user request to delete a video have since broadened to encompass issues related to how transparently it communicates with users, as well as to transfers of user data outside the EU — which, in recent weeks, have become even more legally complex in the region.
Compliance with EU rules on data access rights for users and the processing of minors’ information are other areas of stated concern for the regulator.
Under EU law, any fixed identifier (e.g. a MAC address) is treated as personal data — meaning it falls under the bloc’s GDPR data protection framework, which places strict conditions on how such data can be processed, including requiring companies to have a legal basis to collect it in the first place.
If TikTok was concealing its tracking of MAC addresses from users, it’s difficult to imagine what legal basis it could claim; consent would certainly not be possible. The penalties for violating GDPR can be substantial: France’s CNIL slapped Google with a $57 million fine last year under the same framework, for example.