Ban or No Ban, You Need a TikTok (or Any App) Exit Plan

Trump pressed pause on a ban, but this isn’t just about TikTok. Enterprises should use this moment to do some serious risk calculations related to their social media app exposure, secure their online assets, and take steps to prevent potential litigation.

Perspective

In a sleek Manhattan conference room today, a Fortune 500 company CMO is probably asking her team, “What should we do now?”

For several years, chief marketing officers have spent a good chunk of their annual budget on TikTok, placing ads and paying for influencers to tout their products. But after the U.S. Supreme Court last Friday let stand a bipartisan law banning the wildly popular short-form app in the United States, this firm – like any of the millions of organizations, including an estimated 7 million small to midsized businesses, serving some 170 million U.S. consumers – is now uncertain how or whether to shift gears.

Shortly after taking office this week, President Trump signed an executive order to delay the app’s ban for 75 days as “an opportunity to determine the appropriate course forward.” Presumably, that means giving TikTok owner ByteDance time to find a U.S. buyer, even though the Chinese company has indicated it has no interest in doing so. Trump says he wants at least 50% U.S. ownership through a joint venture.

Meantime, although TikTok is up and running again after a brief nationwide shutdown on Sunday, businesses that anticipated a possible shutdown are left wondering how they should update their plans to adapt if efforts fail to save TikTok in the U.S. And companies that never had a plan are likely realizing they need to get one – and soon. And not just for TikTok.

The trouble with TikTok and how we got here

Back in 2020, during Trump’s first administration, he threatened to block TikTok over national security concerns – ByteDance is governed by the Data Security Law of the People’s Republic of China (DSL), which obligates companies to share confidential user data with the government if requested. Pressure on ByteDance persisted, culminating in President Biden signing legislation last April requiring it to sell off its U.S. operations to a non-Chinese entity by last Sunday (Jan. 19) or face a ban.

Plenty of foreign policy and cyber experts cite critical reasons why we should be worried about TikTok. Richard J. Harknett, co-architect of the U.S. national cybersecurity strategy and an adviser to the National Security Agency, for one.

“If I’m chairman Xi [Jinping], … and someone came to me and said, ‘Hey, chairman, we’re in [more than] 150 million pockets of Americans on a device that … some of them spend over 10 hours a day on,’ it would be the height of irresponsibility for me not to use that device, [especially] if I think that the American way of life is not in Chinese interest,” said Harknett, director of the Center for Cyber Strategy and Policy at the University of Cincinnati, on a recent episode of Focal Point’s companion podcast, Let’s Converge.

TikTok can track not just what videos you click on, he explained, “but just whether I hover on a video, and [its] algorithm then tailors what gets sent to me and then starts to shape what I… look [at].”

And what we look at, of course, informs what we believe – about political candidates, social trends, and (most significant for businesses) individual brands.

Lest any business think they might simply shrug off a future ban, the law imposes civil penalties on companies that help TikTok “distribute, maintain or update” its services, including those that operate app stores. Those penalties could be sought up to five years after the alleged violation, including after Trump leaves office.

Marketers must shift gears – carefully

If TikTok ends up exiting the scene, marketers will have to shift their ad budgets elsewhere. The app took in an estimated $10.42 billion in U.S. ad revenue last year, according to eMarketer. Ironically, top contenders for those dollars include Lemon8, which also happens to be owned by ByteDance, and RedNote, another Chinese short-form app. Both face the same data-sharing requirements – and potential bans – as TikTok. Interestingly, shortly after TikTok’s brief shutdown this week, Apple’s App Store halted downloads of all ByteDance apps.

It’s too soon to tell what could ultimately replace TikTok, if a ban happens. But T.J. Sayers, director of intelligence and incident response at the Center for Internet Security (CIS), warns companies to be wary about switching to another Chinese-owned platform.

“You’ve got to be very careful, and I would even suggest companies do their own risk calculations where they ask, ‘Do we want to leverage any social media that is incorporated in China or falls under the auspices of its law?’” he says.

IT should pivot as well

For enterprises doing business or advertising on TikTok, its removal would also raise urgent questions about data retention and compliance. Indeed, businesses must act swiftly to secure their online assets, says Darcey Groden, an associate at Fisher Phillips law firm, which represents companies in privacy-related litigation.

“If you have any data on TikTok and want copies for posterity, then before you delete your account, make sure to download and save it because, if you don’t, it could be gone forever,” she advises.

Removing TikTok pixels, cookies, and tracking tools embedded in corporate websites is also critical. These pixels, which collect user data for analytics, could expose businesses to privacy litigation, in which they could be painted as data brokers.

“Out of an abundance of caution, remove that pixel immediately,” Groden says. “Even if you don’t sell data for money, you could be considered a data broker under certain laws.”

Groden also recommends using cookie-management software to monitor tracking capabilities and being transparent about both how cookies are used and the company’s privacy policy. These steps show both consumers and employees that you take data privacy and privacy-by-design seriously, and they can help prevent or address potential litigation, she says.

Enterprises should also implement strict policies to govern employee interactions with TikTok. Even if social apps, service providers, and businesses block TikTok, determined employees are notorious for finding ways around IT obstacles. The use of unsanctioned tools, apps, and software – aka shadow IT – has long been a problem for IT departments, and now security leaders are tracking the rapid rise of shadow AI. Employees have connected personal smartphones to corporate networks, used ChatGPT instead of approved AI tools, and, without clear policies and enforcement, could attempt to use corporate devices to access overseas TikTok hubs, exposing their organizations to unnecessary risks.

“Organizations need to address this head-on,” Sayers emphasizes. “The definitive wrong approach is to not have any policy at all or to act like this is a non-issue.”

Attorneys say a better approach is to make clear to employees that company policy prohibits them from accessing TikTok while at work and to lay out consequences, such as reprimands or dismissal, for any violation. While these violations are not technically a federal crime, companies arguably have a right to enforce such policies through “theft of time” precedents.

What employees do on their own time, however, is another matter.

“Certain states like California, where I’m from, have specific laws in place that actually protect employees from being penalized by companies for what they do off the clock,” says Groden. “You don’t want to tell them what they can do when they’re not in the office.”

TikTok’s crisis is your opportunity: Time to haul out all those other third-party tools

A TikTok ban could be a one-and-done kind of thing. Or it could also be a harbinger of stricter regulations to come. To protect themselves, enterprises should take this moment to assess all third-party tools in their arsenals to determine their levels of risk, says Sayers.

“This is just the tippy-top of the iceberg here,” he says. “It’s not just TikTok; any app under similar laws could face similar scrutiny.”

Now, back in that Manhattan conference room, the marketing team’s whiteboard is getting filled with various ideas: Consider RedNote, Lemon8 or go with other options, like Instagram Reels, YouTube Shorts, or Twitch. Talk to IT about what they would recommend and support. Seek legal advice on whether it’s a good idea to delay any action until it’s clear what will happen in the next month or so.

“No matter what happens with TikTok, more app regulation is coming,” our fictitious team leader says. “It’s our job to ensure we’re ready for whatever comes next.”


Wendy Lowder

Wendy Lowder is a freelance writer based in Southern California. When she’s not reporting on hot topics in business and technology, she writes songs about life, love, and growing up country.
