How America banned TikTok for data collection while leaving data brokers untouched

By Timothy Page

Data included from Scott signs child digital safety bill – Vermont Daily Chronicle and Trio of online privacy bills see mixed success in Legislature – Vermont Daily Chronicle.

On January 18, 2025, the United States Supreme Court upheld legislation banning TikTok from American app stores, citing national security concerns over the Chinese-owned platform’s data collection practices.¹ The court emphasized that TikTok’s “extensive data collection from more than 170 million U.S. users could be exploited for surveillance, public influence campaigns or other harmful purposes.”² While Vermont had already taken early action by joining 30 other states in banning TikTok from state-owned devices in February 2023, citing concerns about data privacy and safety for its roughly 8,000 state employees,³ this piecemeal approach reveals a fundamental contradiction: thousands of domestic data brokers continue to legally collect, aggregate, and sell Americans’ personal information with minimal federal oversight, even as Vermont’s groundbreaking state legislation shows both the promise and limitations of individual state action.

Vermont’s Privacy Pioneer Status Continues to Evolve

Vermont stands as an unlikely leader in America’s data privacy battle, and recent legislative developments underscore both the state’s commitment and the ongoing challenges. In 2018, the Green Mountain State became the first in the nation to enact comprehensive data broker legislation with Act 171, approved unanimously by the Vermont Senate and requiring data brokers to register annually with the Vermont Secretary of State and pay a $100 annual registration fee.⁴ This groundbreaking law defined data brokers and established unprecedented transparency requirements, forcing these shadowy companies to identify themselves publicly for the first time.

Latest Development: The Vermont Kids Code Becomes Law

In a positive step for kids online safety, Vermont Gov. Phil Scott earlier today signed S.69, a significant age-appropriate design code measure, into law on June 12, 2025. The new law requires a duty of care from companies that develop and provide online services or products, ensuring their products will not inflict emotional distress or result in online addiction.

The Age-Appropriate Design Code will require companies to implement strict data collection processes and restrict access to addictive features like push notifications and endless scroll for users under 18. This represents a significant expansion of Vermont’s privacy protections beyond its pioneering data broker registry.

The Three-Bill Privacy Push: Mixed Results

Vermont’s legislative approach to privacy has recently expanded through what advocates call a “triplet” of privacy bills, all emerging from the controversial H.121 legislation that was initially vetoed by Governor Scott in 2024. Each bill in the triplet focuses on a different aspect of online privacy protections for Vermonters: age-appropriate design, more guards on consumer data and stricter regulations for data brokers operating in Vermont.

The results were mixed but revealing of Vermont’s commitment to privacy leadership:

S.69 (Kids Code) – PASSED AND SIGNED: The first bill to pass into the opposite chamber this year was S.69, better known as the “Kids Code,” which would require companies with online products to make certain existing settings factory standard, such as turning off endless scroll or restricting the type of content kids can see.

S.71 (Consumer Data Privacy) – PASSED: The second of the three bills to survive the crossover deadline was S.71, a companion bill of Priestley’s original, H.208, that aims to increase online consumer data privacy protections for Vermonters.

H.211 (Data Broker Regulations) – STALLED: H.211, the third bill, was not so fortunate. It would add stipulations to Vermont’s data broker laws, including requiring brokers to notify the state of security breaches and guarantee that the data they sell will be used for “legitimate” purposes.

The Vermont Data Broker Regulation took effect on January 1, 2019, and is codified in 9 V.S.A. §§ 2430, 2433, 2446 and 2447.⁵ The law imposes data breach notification requirements on data brokers and provides new guidance that clarifies definitions and compliance requirements.⁶ Yet despite this pioneering effort, Vermont’s approach highlights the limitations of state-by-state privacy protection in a national digital economy, as the law does not prevent data brokers from collecting or selling personal information—it merely requires disclosure.⁷

Vermont’s progressive privacy stance extends beyond data brokers. The Vermont Agency of Digital Services determined that TikTok poses a cybersecurity threat to critical state and personal information, leading to the ban on all state devices.⁸ However, Vermont’s experience also reveals the challenges individual states face. While the state banned TikTok on government devices, some universities have not imposed similar restrictions, illustrating how fragmented approaches create inconsistent protection even within a single state.⁹

The TikTok Precedent: A Tale of Two Administrations

The journey to TikTok’s ban reveals the political complexity underlying America’s privacy concerns. Ironically, the effort began under Donald Trump’s first presidency in 2020, when he signed executive orders targeting TikTok for national security reasons, arguing that “the United States must take aggressive action against the owners of TikTok to protect our national security.”¹⁰ However, Trump’s position underwent a dramatic reversal during his 2024 campaign.

Trump reversed his stance during his 2024 campaign, when he came to believe a ban would help TikTok’s rival, Facebook, which he held responsible, in part, for his 2020 election loss to Biden. This shift transformed TikTok from a national security threat in Trump’s view to a tool for reaching younger voters, particularly young men, during his successful presidential campaign.¹¹

Meanwhile, the Biden administration maintained consistent support for restricting TikTok, ultimately signing the Protecting Americans from Foreign Adversary Controlled Applications Act into law in April 2024.¹² This legislation specifically targeted TikTok’s relationship with its Chinese parent company ByteDance, giving the company until January 19, 2025, to sell to a non-Chinese entity or face a complete ban from U.S. app stores. The measure passed in Congress with bipartisan support, with lawmakers citing national security concerns over the Chinese ownership.

The Supreme Court’s unanimous decision to uphold the ban centered on what Justice Department officials called “well-supported national security concerns regarding TikTok’s data collection practices and relationship with a foreign adversary.”¹³ The court determined that these concerns justified restricting the First Amendment rights of TikTok’s 170 million American users. However, the Biden administration chose not to enforce the ban, leaving implementation to the incoming Trump administration, which promptly issued an executive order suspending the ban for 75 days to allow time for a potential U.S. buyer.¹⁴

The Data Broker Industry Thrives: Lessons from Vermont’s Registry

While TikTok faced extinction over privacy concerns, America’s domestic data broker industry continues to operate with remarkable freedom. According to the Electronic Privacy Information Center, “thousands of data brokers in the United States buy, aggregate, disclose, and sell billions of data elements on Americans with virtually no oversight.”¹⁵ Vermont’s data broker registry provides a rare window into this shadowy industry, revealing hundreds of companies most residents have never heard of that maintain detailed profiles on Vermonters’ daily lives.

The scope of this industry is staggering. While TikTok collected data from its own users, data brokers vacuum up information from countless sources: credit card companies, retailers, social media platforms, public records, and mobile apps. They then create detailed profiles of Americans’ lives, preferences, and behaviors—profiles that are bought and sold without most consumers ever knowing their data is being traded. A 2021 report analyzing state data broker registries found information on 540 unique registered data brokers and their privacy policy practices.¹⁶

Vermont’s Evolving Understanding of the Data Collection Threat

Vermont Attorney General Charity Clark has become increasingly vocal about the scope of data collection, noting that “Targeting children is useful because once you have a loyal consumer, you have them for life. That’s a good investment to make for a company.” Clark provided a troubling example relevant to Vermont’s new Kids Code: If someone has an eating disorder, they might be more prone to look at social media content that promotes fitness or skinny body types. In that situation, an algorithm designed to show users more of what they frequently view may perpetuate unhealthy practices.

Representative Monique Priestley, D-Bradford, who authored much of Vermont’s recent privacy legislation, emphasized the pervasive nature of data collection: “If you are on the web at any given time and you have different pixel trackers, cookies — they are tracking your behavior everywhere and scraping what you’re doing and looking at and who.”

Continued in Part 2…

Footnotes

1. NPR, “Supreme Court upholds TikTok ban, threatening app’s existence in the U.S.,” January 18, 2025, https://www.npr.org/2025/01/17/nx-s1-5258396/supreme-court-upholds-tiktok-ban
2. Holland & Knight, “U.S. Supreme Court Upholds TikTok Sale-or-Ban Law,” January 2025, https://www.hklaw.com/en/insights/publications/2025/01/us-supreme-court-upholds-tiktok-sale-or-ban-law
3. WCAX, “Vermont bans TikTok, WeChat on state-owned devices,” February 17, 2023, https://www.wcax.com/2023/02/17/vermont-bans-tiktok-wechat-state-owned-devices/
4. Kelley Drye, “In the Data Business? You May Be Obligated to Register in Vermont,” September 15, 2023, https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/in-the-data-business-you-may-be-obligated-to-register-in-vermont-by-thursday
5. VeraSafe, “What is the Vermont Data Broker Regulation?” December 30, 2019, https://verasafe.com/blog/why-you-should-be-aware-of-the-vermont-data-broker-regulation/
6. Inside Privacy, “Vermont Publishes New Guidance on Law Regulating ‘Data Brokers,'” July 14, 2021, https://www.insideprivacy.com/data-privacy/vermont-publishes-new-guidance-on-law-regulating-data-brokers/
7. Kelley Drye, “In the Data Business? You May Be Obligated to Register in Vermont,” September 15, 2023, https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/in-the-data-business-you-may-be-obligated-to-register-in-vermont-by-thursday
8. Vermont Public, “Vermont bans TikTok on state-owned devices: Here’s the reasoning,” February 23, 2023, https://www.vermontpublic.org/local-news/2023-02-21/vermont-bans-tiktok-on-state-owned-devices-heres-the-reasoning
9. Times Argus, “State bans TikTok on state-owned devices,” April 6, 2023, https://www.timesargus.com/news/local/state-bans-tiktok-on-state-owned-devices/article_96d3a7aa-4754-5c9a-bb49-82383871a40e.html
10. White House, “Executive Order on Addressing the Threat Posed by TikTok,” August 6, 2020, https://trumpwhitehouse.archives.gov/presidential-actions/executive-order-addressing-threat-posed-tiktok/
11. Associated Press, “Trump’s evolution on TikTok: From backing a ban to being hailed as a savior,” January 20, 2025, https://apnews.com/article/trump-tiktok-ban-da11df6d59c17e2c17eea40c4042386d
12. NPR, “President Biden signs law to ban TikTok nationwide unless it is sold,” April 24, 2024, https://www.npr.org/2024/04/24/1246663779/biden-ban-tiktok-us
13. Holland & Knight, “U.S. Supreme Court Upholds TikTok Sale-or-Ban Law,” January 2025, https://www.hklaw.com/en/insights/publications/2025/01/us-supreme-court-upholds-tiktok-sale-or-ban-law
14. PBS News, “Trump signs executive order to suspend TikTok ban for 75 days to find U.S. buyer,” January 21, 2025, https://www.pbs.org/newshour/politics/trump-signs-executive-order-to-suspend-tiktok-ban-for-75-days-to-find-u-s-buyer
15. Electronic Privacy Information Center, “Data Brokers,” https://epic.org/issues/consumer-privacy/data-brokers/
16. Privacy Rights Clearinghouse, “Registered Data Brokers in the United States: 2021,” February 22, 2022, https://privacyrights.org/resources/registered-data-brokers-united-states-2021