TikTok Swore Off Your GPS. Now It Collects It.

Introduction

TikTok's 2024 privacy policy said it in plain English: the app does "not collect precise or approximate GPS information from US users." The version that took effect on January 22, 2026, the same day the company's court-ordered "safety" deal closed, says it now collects "approximate or precise location information from your device." That deal handed the data infrastructure for more than 200 million American users to Oracle, a federal contractor whose CEO told investors that "citizens will be on their best behavior because we are constantly recording and reporting everything that's going on." The surveillance threat Congress voted to end mostly just changed flags.

The Deal Congress Sold as a Fix

Back up to April 2024. Congress passed the Protecting Americans from Foreign Adversary Controlled Applications Act, signed into law on April 24, 2024. The pitch was clean: ByteDance, TikTok's Chinese parent, had to sell the U.S. operation or the app got banned. The fear driving the vote was that the Chinese government could compel ByteDance to hand over data on the more than 150 million Americans then using the app, or quietly tune the algorithm. The Supreme Court upheld the law in January 2025.

The divestiture closed January 22-23, 2026. What came out the other side is TikTok USDS Joint Venture LLC, with three managing investors each holding 15%: Silver Lake, Abu Dhabi's MGX, and Oracle. ByteDance kept 19.9%, parking itself exactly a tenth of a percent below the 20% threshold that would have triggered PAFACA's foreign-control rule. Oracle got two jobs out of the deal: a 15% equity stake, and the role of "Trusted Security Partner," which means Oracle hosts the U.S. user data and reviews the source code in its own cloud.

Here's the thing the headlines mostly skipped. TikTok's old policies were, in a couple of specific ways, more protective than what Meta or Google offer. Rather than bringing TikTok up to industry standard, the restructuring stripped the protections that had put it above the standard, and it did so right as the company was negotiating with the Trump administration over its survival.

What Actually Changed in the Documents

There are three policy changes that matter, each on a different date, and the order they happened in tells you most of what you need to know.

First, the user notification promise. Until around April 25, 2025, TikTok's site said: "It is our policy to notify TikTok users before disclosing their data to law enforcement." Forbes reporter Emily Baker-White documented that the company quietly cut that language while it was negotiating its deal with the administration. The new version only commits to notifying users "where required by law," and it moved the timing from before disclosure to if disclosure happens. If the government takes your data and the law doesn't force a heads-up, you find out never.

Second, who counts as a requester. The same revision expanded the category of who can ask for data from "law enforcement" to "law enforcement (including regulatory authorities, where relevant)." That phrase does a lot of quiet work. "Law enforcement" means cops and federal criminal investigators. "Regulatory authorities" is a much wider net that can pull in agencies like the IRS, the FTC, the SEC, and immigration bodies such as ICE and DHS, depending on how it's read. TikTok doesn't list which agencies, and when asked, won't narrow the category.

Third, the GPS reversal. The February 5, 2026 privacy policy, the first one issued under the new ownership, removed the explicit ban on collecting precise location from U.S. users. Wired ran the before-and-after side by side; the BBC did the same. Caitriona Fitzgerald of the Electronic Privacy Information Center told CBS News the location change was "the most stark," because the old policy had flatly said the app didn't do this. Her line on what precise location means: "down to your address or even what floor you're on in an apartment building."

To TikTok's credit, the GPS collection is opt-in. The company's explainer page says precise sharing is off by default, optional, limited to accounts 18 and up, and active only when the app is open. That's real user control. It's also a setting that can change whenever the company decides, and the flat prohibition from 2024 is gone, replaced by language that permits the collection it used to rule out.

Who Benefits

Two companies and one branch of government.

Oracle's the easy one to follow, because the money is on the surface. A 15% stake in a platform with 200 million users and billions in ad revenue, plus the cloud-hosting contract, plus the prestige of being the government-blessed "Trusted Security Partner" for the most-watched app in the country. Oracle already runs infrastructure for the IRS, the Defense Department, and DHS, and it shares the $9 billion JWCC military cloud contract. Larry Ellison's September 2024 statement about citizens being "on their best behavior because we are constantly recording and reporting everything" reads less like a gaffe and more like a description of the product his company now hosts.

The government is the beneficiary that didn't have to build anything. With the data sitting in a U.S. cloud instead of on ByteDance servers, federal agencies can reach it through administrative subpoenas, which don't require a judge to sign off. We know the appetite is there. In February 2026, the New York Times reported that DHS had issued "hundreds" of administrative subpoenas to Google, Meta, Discord, and Reddit, hunting for identifying information on people who criticized ICE or tracked agents' locations. Google and Meta together received tens of thousands of subpoenas of all types in the first half of 2025. The EFF sent an open letter to ten tech companies, TikTok included, asking them to demand court review before complying. And the policy change that removed advance notice means a target can't fight a request before the data is already gone.

ByteDance gets cover. It dropped to 19.9% and gave up operational control, which lets everyone say the China problem is solved. The current privacy policy still discloses that data flows to "TT Commerce & Global Services LLC and its affiliates," a ByteDance-linked entity, for an "interoperable experience." Whether that channel actually closes Chinese access is disputed by national security experts, and at least one, Hudson Institute's Michael Sobolik told PBS, ByteDance has already requested U.S. user data "outside of normal channels" on Oracle's watch.

Neither Risk Went Away

Internet Safety Labs put it sharper than I could. The original worry was that China might gain a "golden share" of unfettered access to Americans' records. After the deal, the group wrote, "the US government has achieved its own kind of 'golden share' of unfettered TikTok user data." Their verdict on the trade: "perhaps the worst of all possible worlds." ByteDance still licenses the algorithm and keeps a fifth of the company, so the Chinese risk never went away, and now there's a domestic access risk stacked on top of it.

This is the part the news coverage mostly missed. The drop wasn't just TikTok sinking to the level of every other app. The one above-standard protection it offered, telling you before your data went to the government, got treated as a liability to shed during a negotiation about the company's survival. Timothy Edgar, a Harvard Law lecturer who was the first privacy and civil liberties official on the White House National Security Staff, told Harvard Law Today the deal made the problem "even worse." His reasoning: "We don't have comprehensive privacy regulations in the U.S. So, it's pretty much fair game for all these big social media platforms." Before the sale, the foreign-ownership scrutiny created pressure that functioned as a kind of oversight. "Now that it's been sold, that pressure comes off, and TikTok is now in the same position as other social media companies."

Users noticed something was off, even if they couldn't name the mechanism. In the week after the new terms went live, the daily rate of Americans deleting the app jumped 195% over the prior three months, per Sensor Tower data in The Guardian. One of them summed up the trust level: "I trust Oracle and Ellison about as much as I trust eating a raw burger on a hot summer day."

The Bottom Line

Here's where the trail goes cold, and it's deliberate. Asked repeatedly whether it has shared user data with ICE or DHS, TikTok will not confirm or deny it. When Forbes pressed the company on the policy changes, a spokesperson called the reporting "click bait" but didn't deny a single change and wouldn't answer whether data had gone to immigration authorities. So what's documented is the capacity, not a confirmed transfer: the notification promise is gone, the requester category now reaches "regulatory authorities," precise location is collectible, and the whole pile sits in a cloud run by a company that holds DHS contracts and whose CEO talks openly about constant recording.

Congress set out to stop one government from reaching into 200 million phones and built a cleaner path for a different one. The open question is whether anyone in Washington who voted for PAFACA will treat the domestic access it created as the same kind of problem they called a national emergency when the flag on it was red.