Internal privacy experts worried that not having a corporate records retention policy could violate U.S. and EU laws. Years later, the company still doesn’t have one.
TikTok’s parent company ByteDance may have broken laws in the U.S. and EU because it has no internal corporate records retention policy, according to seven current and former ByteDance employees and hundreds of internal documents and chat logs reviewed by Forbes.
The internal materials show TikTok’s legal and policy experts clearly warning senior leaders, including Global Chief Security Officer Kim Albarella, that ByteDance’s lack of a policy for managing internal records could threaten its ability to operate in the U.S. and EU. One, from spring 2023, shows an internal privacy policy expert expressing relief that regulators had not yet noticed that the company was out of compliance.
Employees expressed concerns that the company could be out of compliance with the United States FTC Act and Europe’s privacy regulation GDPR. Rules around corporate record retention and deletion, while seemingly mundane, are critical because they prevent companies from scrubbing their records of evidence of wrongdoing and protect the privacy of people whose information is stored in corporate records.
The seven sources told Forbes that ByteDance lacked such a policy for years, an oversight with potentially dire consequences for a company already under investigation by the U.S. government and that has faced global scrutiny for its data privacy practices. Some worried it could also jeopardize the company’s fast-growing ecommerce business, centered on TikTok Shop, which launched in the U.S. last September and is targeting revenue of $17.5 billion this year.
In communications viewed by Forbes, employees explained that not having a records retention policy put the company out of compliance with the International Payment Card Industry (PCI) Data Security Standard, which — if discovered — could have halted its ability to process credit card transactions entirely. A document from late 2022 stated that TikTok Live had been “launched without consideration of PCI compliance.”
Preservation of corporate records — and the accessibility of those records by U.S. Government officials — has high stakes for TikTok.
The internal materials reviewed by Forbes, many of which are attorney-client privileged, reveal a scramble to create and launch a stopgap policy for credit card-specific documents in early 2023 to ensure the company was compliant with the requirements. But in March 2023, Albarella told employees they were not going to fast-track a cardholder data-specific policy, and instead, would proceed with building and launching a comprehensive policy, the materials show. The problem: her staff said that process would take 1-2 years to operationalize, and in the meantime, the company was still not compliant, the materials show.
In response to a detailed list of questions about the internal materials, TikTok spokesperson Alex Haurek sent the following statement: “We believe these assertions are based on outdated documents, which were predominantly prepared by employees who are no longer with the company, who did not have visibility into all our work in this area, and who are now attempting to advance an agenda without regard for the facts.” Haurek said the 1-2 year timeline “was pulled from a document prepared by a single former employee and was not validated.”
Responding to the internal document about TikTok Live’s PCI compliance, Haurek wrote: “This unauthorized statement does not accurately reflect the PCI compliance status of these products. It was entered into the report – after final review – by an employee who has since left the company.” ByteDance spokesperson Mike Hughes added: “We follow industry standards on apps subject to PCI standards.” When asked directly whether ByteDance is in compliance with the FTC Act and GDPR today, Hughes wrote: “We continuously strive to meet our legal obligations related to data governance.”
Neither spokesperson responded to questions about which country or countries their corporate records were stored in.
Hillary Sale, a professor of leadership and corporate governance at Georgetown Law School, told Forbes that any company of TikTok’s size should have a retention policy, and that these are systems that every startup should implement as they grow. Companies should have “an understanding of how and when to retain documents, and ensur[e] that people across the company understand that importance,” she told Forbes in an interview.
Preservation of corporate records — and the accessibility of those records by U.S. Government officials — has high stakes for TikTok, as it is in the midst of multi-year negotiations with the Committee on Foreign Investment in the United States. The Biden Administration last year threatened that it would force ByteDance to sell TikTok or face a ban of the app in the U.S. (Disclosure: In a previous life, I held policy positions at Facebook and Spotify.)
It remains unclear whether even a TikTok-specific retention policy is now in place.
TikTok is also under criminal investigation by the U.S. Department of Justice for surveilling journalists, including this reporter, and was served a subpoena for documents related to that investigation late last year. Previously, Forbes reported that ByteDance’s own anti-fraud experts warned the company that it was incapable of ensuring that their responses to law enforcement requests, like subpoenas, were accurate, in part because of the company’s irregular data preservation practices. At the time, the company said: “This document was created within one department nearly two years ago, never presented internally beyond that, and is largely inaccurate, with outdated details which are made irrelevant by regular updates to our practices in the years since.”
In fall 2022, a lawyer for TikTok told colleagues that he was working with one product team on an electronic discovery feature that would enable the company to better respond to requests for company records, but warned colleagues that it would be a lengthy process, according to documents reviewed by Forbes. At the time, the task of developing a policy had been given to TikTok’s Data Defense and Access Assurance team, but that team deprioritized it in favor of more pressing work. The project was then given to data compliance experts within the company’s Global Security Organization (GSO).
Also in 2022, ByteDance hired Redgrave LLP, a firm specializing in corporate information governance, to help it create a document retention policy. One of the first questions the outside attorneys raised was whether the policy should be written to cover just TikTok, or all of ByteDance. In a conversation from mid-2022, TikTok’s former global lead for security compliance told Albarella, the company’s acting Chief Security Officer, that the policy would need to be ByteDance-wide, because “ByteDance’s internal system cannot be separated between products.”
Policy drafts from early 2023 authored by Redgrave counsel show that while the attorneys originally intended the draft policy to cover all internal ByteDance documents, they subsequently narrowed it to cover only documents owned by TikTok. (Redgrave did not respond to a comment request.)
Still, it remains unclear whether even a TikTok-specific retention policy is now in place. Forbes asked both TikTok and ByteDance whether they today have comprehensive, enforced data retention policies.
“Like any company, we retain records to meet legal obligations,” Hughes replied. Haurek added: “We have policies and procedures in place that govern the retention of TikTok user personal information.”
Neither answered a follow-up question asking to clarify whether TikTok and ByteDance have corporate records retention policies today.