Regulatory Actions Target TikTok in the EU and US
The European Commission issued preliminary findings alleging TikTok’s product design violates the EU Digital Services Act (DSA), arguing that features such as infinite scroll, autoplay, push notifications, and highly personalized recommendations can drive addictive use patterns and that protections for minors (including parental controls and screen-time tools) are insufficient. TikTok rejected the characterization and said it will contest the findings; potential outcomes include mandated changes to algorithms/interface design and fines of up to 6% of global annual revenue if violations are confirmed.
In the United States, TikTok’s continued operation has been tied to a divest-or-ban framework requiring ByteDance to divest its U.S. business or face removal from app stores and blocking by service providers, driven by longstanding concerns about data access and Chinese legal jurisdiction. The reference describes repeated deadline extensions via executive orders after an initial shutdown period, ongoing negotiations/interest from potential investors, and reporting that TikTok has explored a separate U.S.-specific app (“M2”) amid uncertainty over the platform’s final outcome in the U.S. market.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
TikTok rejects EU findings and says it will challenge them
TikTok responded to the Commission's preliminary findings by calling them a mischaracterization and stating that it would contest the conclusions through legal channels.
European Commission issues preliminary DSA findings against TikTok
The European Commission published preliminary findings that TikTok's design may violate the DSA, citing addictive features such as infinite scroll, autoplay, push notifications, and highly personalized recommendations, as well as inadequate parental controls and screen-time limits.
EU opens formal Digital Services Act investigation into TikTok
The European Commission opened a formal investigation into TikTok under the EU Digital Services Act, focusing on potential systemic risks to minors and the platform's design features.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
European Governments Move to Restrict Social Media Use by Minors
The **European Commission** issued preliminary findings that **TikTok’s product design**—including *infinite scroll*, *autoplay*, *push notifications*, and *personalized recommendations*—may breach the EU **Digital Services Act (DSA)** by failing to adequately assess and mitigate risks to users’ physical and mental well-being, particularly for **minors and vulnerable users**. If confirmed, the Commission said the violations could result in penalties of up to **6% of TikTok’s global annual turnover**, and it signaled expected design changes such as **screen-time breaks**, adjustments to recommendation systems, and disabling or reducing features deemed to drive compulsive use. Separately, **Spain** announced plans to **ban social media access for children under 16** and require **age verification** by platforms, aligning with a broader European trend toward statutory restrictions on minors’ social media use. The announcement follows similar initiatives across Europe, including Australia’s under-16 restriction (cited as precedent), the Netherlands’ push to bar under-15s, French legislation targeting under-14s, and the UK studying a ban for children 15 and under—indicating accelerating regulatory pressure on platforms to implement enforceable child-safety and access controls.
Mar 21, 2026
TikTok U.S. Joint Venture and Proposed Security Standards for Foreign-Owned Apps
TikTok announced the creation of **TikTok USDS Joint Venture LLC** to keep operating in the U.S. under a September 2025 executive order. Under the arrangement, **ByteDance would reduce its ownership to 19.9%**, with majority ownership shifting to majority-American investors; TikTok said the new entity will implement national-security safeguards including U.S.-based data protections and controls around the recommendation algorithm. The company stated that U.S. user data and algorithm security will be supported via **Oracle’s U.S. cloud environment**, and that the joint venture will run a cybersecurity and privacy program aligned to frameworks such as **NIST CSF**, `NIST 800-53`, and **ISO 27001**, with third-party auditing/certification; TikTok said similar safeguards would extend to other U.S.-available apps such as **CapCut** and **Lemon8**. Separately, a policy commentary argued that the TikTok controversy highlights the lack of consistent U.S. standards governing **foreign-owned apps**—particularly around **data ownership/access** and **algorithmic oversight**—and called for clearer, enforceable requirements (e.g., upfront disclosure of who owns collected data and how users can opt out). While it does not add new incident details about TikTok’s joint venture, it frames the broader national-security and consumer-protection rationale for establishing uniform rules for foreign-based software providers operating in the U.S., citing TikTok and other China-linked apps as examples.
Mar 21, 2026
Regulatory-Driven Consumer Privacy and Child Safety Controls in the EU and California
TikTok said it will roll out stronger **age-verification** capabilities across the EU in the coming weeks, following a year-long pilot that analyzes profile details, posted videos, and behavioral signals to estimate whether an account may belong to a user under 13. Flagged accounts are to be reviewed by specialist moderators rather than automatically removed; TikTok said a UK pilot resulted in the removal of thousands of accounts. The move reflects increasing regulatory and public pressure on major platforms to more reliably prevent underage access, particularly where services process significant personal data and use algorithmic recommendations. California launched a new consumer privacy mechanism—the **Delete Request and Opt-out Platform (DROP)**—that allows residents to request deletion of personal information held by more than 500 registered data brokers. The tool, available via `privacy.ca.gov/drop`, supports identity and residency verification either by entering personal details (e.g., name, date of birth, address) or by using a *login.gov* account (which may require uploading government ID). The platform operationalizes expanded state privacy rights by centralizing deletion requests, aiming to reduce the exposure and resale of personal data by the data broker ecosystem.
Mar 21, 2026