What is The Non-Consensual Cookie Bandit?

A satirical web experience that parodies cookie consent popups by "auditing your life" instead of tracking your data. It's a humorous exploration of digital consent culture.

Is this actually tracking my cookies?

No. Despite the name, we don't actually track cookies in the traditional sense. This is a parody project that uses "cookies" as a metaphor for life decisions.

Is the life audit real?

The audit is generated for entertainment purposes only. Results are satirical and should not be taken as genuine life advice.

Can I play games on this site?

Yes! We have several mini-games including the Reject Button Game and Cookie Clicker. More games are being added regularly.

Does TikTok collect data on videos I recorded but never posted?

Yes. Draft content is collected. The policy specifically covers "User Content" which includes content "generated or uploaded." If you filmed yourself and deleted it before posting, that data was already transmitted during the drafting process on most versions of the app.

Is TikTok more dangerous than other social apps?

The Bureau does not rank danger. We rank sneakiness. TikTok receives a 10/10 for the biometric data collection clause alone. Other platforms collect similar volumes of data but have not explicitly written faceprint collection into their base policy without prominent user notification.

What age does TikTok require to use the platform?

Thirteen. The data collection practices described in this audit apply to users aged thirteen and above, including the biometric data provisions. The Bureau notes this without comment, as the comment would take too long.

← Hall of Shame

TikTok

social-mediabiometricalgorithmdata-transferyouth-data

6,100

Word Count

24 min

Reading Time

0 min

Human Patience

10/10

Sneakiness

Translation Service

What They Say

TikTok describes a platform built for creativity, expression, and community. Their privacy policy explains data collection as necessary to provide personalised content, improve safety, and fight fraud. They emphasise that users are in control of their data and provide tools to request deletion. The policy includes a section on data security that uses the word "robust" twice and "industry-standard" three times, both phrases that the Bureau has flagged as requiring independent verification.

What They Mean

TikTok's algorithm is a surveillance instrument that happens to also show you videos. The platform collects biometric identifiers — faceprints and voiceprints — from your videos, along with everything you type (including things you deleted before sending), your precise GPS coordinates, and the WiFi networks near you. The recommendation algorithm uses this to build a psychological profile so accurate that researchers have documented it identifying depression, anxiety, and political orientation from scroll patterns alone. This data is accessible to ByteDance, TikTok's parent company, which operates under Chinese law.

Worst Clause — Exhibit A

"We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content. Where required by law, we will seek any required permissions from you prior to any such collection."

Bureau Translation:

"Where required by law" is doing all the work in this sentence. In most US states, there is no law requiring them to ask. This clause establishes that TikTok collects your biometric data by default in all jurisdictions that have not specifically passed legislation saying they cannot. The word "may" in the first sentence means "do," with legal optionality retained for jurisdictions where courts are paying attention.

Evidence Tags — Data Collected

Faceprints and voiceprints (biometric identifiers)Precise GPS location and location historyAll content created including drafts never postedKeystroke patterns and clipboard contentsDevice contacts and calendarWiFi access points and Bluetooth signalsViewing behaviour and scroll patterns

Bureau Verdict

"TikTok's privacy policy is the Bureau's Grade F recipient for a reason: it collects biometric data, retains content you never published, and operates under a legal structure that gives its parent company access to the full dataset. The policy is technically compliant with the jurisdictions it operates in, which says less about TikTok and more about how behind those jurisdictions are."

Overall Grade

Dense (Strategic)

Frequently Asked Questions

Dark Patterns Documented

Privacy Zuckering →Misdirection →Confirmshaming →

See the full Dark Pattern Encyclopedia for documentation of each technique.

← All Companies Dark Pattern Encyclopedia →Terms Nobody Read →

Audited: 2026-03-15