The Compliance Architecture
TikTok does not profile minors with advertisements. The rest of the sentence is the article.

TikTok does not profile minors with advertisements. This is true. It is also irrelevant.

In March 2026, a nine-person research team from the Kempelen Institute of Intelligent Technologies and Comenius University Bratislava published the results of an algorithmic audit — the largest of its kind — conducted across 7,095 videos watched over ten days by automated accounts simulating sixteen- and seventeen-year-old users with identical interest profiles to adult control accounts. The paper, "The DSA's Blind Spot: Algorithmic Audit of Advertising and Minor Profiling on TikTok" (arXiv:2603.05653, FAccT 2026), reached a conclusion that should have been contradictory but was instead precisely correct: TikTok complies with the Digital Services Act. TikTok also extensively profiles minors. These two facts are not in conflict. They describe different things.

The thing TikTok complies with is a narrow provision — Article 28(2) of the DSA — prohibiting platforms from presenting "advertisements on their online interfaces based on profiling... when they are aware with reasonable certainty that the recipient of the service is a minor." TikTok does not do this. The formal advertisements it sells through its own ad system are not profiled to minor accounts. The company, in this narrow sense, is in compliance.

What TikTok does instead — and what the researchers found — is profile minors through the remaining 84 percent of commercial content flowing through its system. This content is not classified as an advertisement under the DSA because the platform was not the payment intermediary. It includes influencer partnerships, brand promotions, affiliate content, and creator-paid commercial posts. The DSA covers ads where the platform receives remuneration specifically to promote information. An influencer who posts a paid partnership using their own TikTok account, without TikTok intermediating the payment, falls outside the definition. The algorithm still knows what it is. The law does not.

When Formal Compliance Is the Cover

The researchers built four automated account personas — two minors (16 and 17) and two adults (20 and 21) — with identical declared interests across beauty, fitness, and gaming categories. They ran these accounts concurrently for ten days, collecting and annotating 7,095 videos using a classifier that sorted content into four categories: formal ads (purchased through TikTok's ad system), disclosed ads (creator-labeled as promotional), undisclosed ads (commercial content with no label), and non-ad content.

The results were not subtle. For adult accounts exposed to formal TikTok advertisements, the profiling effect — measured as the percentage-point increase in ad-topic match above baseline — ranged from plus 10.39 to plus 16.43 percentage points. For minor accounts exposed to undisclosed commercial content, the same measure ranged from plus 83.68 to plus 93.18 percentage points. A simulated sixteen-year-old girl who had signaled interest in beauty content received 92.1 percent undisclosed ads algorithmically matched to that interest. The formal advertisements shown to the same account showed no personalization.

The compliance architecture had been built. It was functioning exactly as designed. The minors simply were not receiving the kind of ads the DSA was written to prevent. They were receiving a different kind of ad, one the DSA had not defined.

What the Definition Actually Covers

The DSA's Article 3(r) defines an advertisement as "information designed to promote the message of a legal or natural person, irrespective of whether to achieve commercial or non-commercial purposes, and presented by an online platform on its online interface against remuneration specifically for promoting that information." The key phrase is "against remuneration specifically for promoting." This language captures the transaction between advertiser and platform. It does not capture the transaction between advertiser and creator. A brand that pays a TikTok creator directly to promote a product is not paying TikTok. The platform receives no remuneration specifically for promoting that information. The content therefore does not meet the definition of an advertisement under the DSA, even if it is commercially motivated, even if it is paid, even if the same algorithmic system used to target formal ads is used to distribute it.

This is the blind spot. Not a bug in enforcement — a gap in the architecture. The law regulates the channel through which platforms monetize attention. It does not regulate the channel through which brands monetize creators.

The authors of the paper — Sarla Solorova, Matej Mosna, Matus Tibensky, and colleagues — note that this is not an accidental oversight. The definition of advertisement was a deliberate choice in the legislative drafting, reflecting the DSA's origin as a platform liability framework rather than a comprehensive advertising regulation regime. The act that governs what platforms are responsible for when they intermediate content is not the same act that governs what users are exposed to on platforms. These are different things. The DSA was designed to govern the first. The second was supposed to be governed by other frameworks — GDPR, the Unfair Commercial Practices Directive, national consumer protection law. Those frameworks have their own gaps.

The Measurement Problem Inside the Compliance Record

In May 2025, the European Commission issued preliminary findings that TikTok had breached DSA transparency obligations — failing to provide adequate information about advertisements displayed, the targeted recipients, and who had paid for them, and failing to maintain a publicly accessible advertising repository. These were not minor infractions. They went to the heart of the accountability infrastructure the DSA was designed to build. The Commission noted that investigations into addictive design, the protection of minors, and researcher access to data were ongoing.

Separately, the Irish Data Protection Commission — which has been TikTok's primary regulatory interlocutor due to the company's European headquarters in Dublin — had issued two substantial GDPR fines in the preceding two years. A 345 million euro fine in September 2023 addressed public-by-default settings for child accounts, the Family Pairing feature's failure to verify parental consent, and transparency failures around data processing. A 530 million euro fine in May 2025 addressed unlawful transfers of EEA user data to China. A new inquiry was opened in July 2025 after TikTok disclosed that it had inaccurately informed the DPC about the scope of data stored on Chinese servers during the prior investigation.

None of these actions addressed the profiling gap identified in the March 2026 audit. They addressed what the DPC and the Commission had tools to address. The blind spot remained.

The Canadian Joint Privacy Investigation, published in September 2025, went further in describing what the profiling apparatus actually does. Investigators found that TikTok had used biometric data — facial analysis and voice pattern recognition — combined with location information to construct what the report described as "elaborate inferences" about children, including their spending power, health conditions, political views, gender identity, and sexual orientation. These inferences were available for advertising purposes. The investigation found that advertisers could target users based on transgender status — a finding TikTok disputed but could not fully rebut with its internal documentation. Consent, the investigators concluded, was not "valid or meaningful" for the tracking and profiling being conducted.

The United States Federal Trade Commission, in an August 2024 lawsuit filed by the Department of Justice, alleged that TikTok and ByteDance had knowingly allowed millions of children under thirteen on the platform, built back doors to bypass age verification gates, collected data to target advertising to children without parental consent, and violated a 2019 FTC consent order. The case was pending as of this writing. In January 2025, the FTC finalized a rule requiring opt-in consent for targeted advertising to children — a COPPA update expanding the definition of personal information to include biometric identifiers and imposing data retention limits. This rule would eventually close the definitional gap in US law. It had not yet done so.

The Liminal Space Between Two Receipts

What the research reveals is not a story about a company evading responsibility. It is a story about the architecture of responsibility — about what happens when compliance is measured against the wrong definition.

The compliance function at TikTok, operating in good faith, could demonstrate with precise documentation that the platform does not profile minors with advertisements. This would be accurate. It would also be the equivalent of noting that a building's sprinkler system does not activate in rooms where there are no fires, while remaining silent about the fact that certain rooms have been reclassified as storage closets and therefore fall outside the sprinkler's jurisdiction. The fire is still burning. The compliance infrastructure is functioning. The building code was written for a different class of structure.

The authors propose four remedies: expanding the DSA's definition of advertisement to include influencer marketing and undisclosed brand content, extending Article 28(2) protections accordingly, improving enforcement of creator labeling requirements, and enabling independent algorithmic auditing to verify compliance. These are technically sound recommendations. They require the European Commission to amend a regulation that took three years to negotiate and has been in force for less than two. The legislative timeline for the proposed fixes would be measured in years. The profiling apparatus continues to operate in the interim.

What the Attention Economy Built

There is something precise about the mechanism that allows this to persist. The advertising technology industry has spent two decades building systems for maximizing the relevance — and therefore the monetary value — of the attention it aggregates. Relevance is a function of data. The more data the system has about a person, the more precisely it can match that person to content, and the more valuable the inventory becomes. The system has every economic incentive to accumulate the maximum amount of data about every user, including minor users, for as long as possible, before any regulatory classification takes effect.

The enforcement gap is not an accident of legislative drafting alone. It is also an artifact of the timeline on which regulatory systems operate versus the timeline on which attention markets compound. A platform that has profiled thirty million minors for two years before a regulation is amended has extracted the value from that profiling. The fines, if they eventually arrive, are calculated against future revenue. The data already collected is already monetized. The architecture of penalties does not reach backward to the period of unregulated operation.

The researchers note that 84 percent of the commercial content seen by minors in their audit was undisclosed — commercial in nature, algorithmically matched to inferred interests, without the label that would make it recognizable as advertising to a user who had not studied the methodology. For adults, the comparable figure was 49 percent. Minors were not just more heavily profiled through this channel. They were also less likely to be told that what they were seeing was advertising.

The compliance architecture, properly understood, is a machine for reclassifying the same outcome through different legal categories until the outcome no longer matches the definition of the thing being regulated. TikTok does not profile minors with advertisements. TikTok profiles minors with commercial content, through a system that was designed for the same purpose, achieves the same result, and happens not to be classified as advertisements under the Digital Services Act.

This is the blind spot. Not an absence of vision — a presence of a gap, precisely where the definition ends.

· · ·

References

Solorova, S., Mosna, M., Tibensky, M., Jakubcik, J., Bindas, A., Liska, S., Hossner, F., Mescarik, M., and Srba, I. (2026). The DSA's Blind Spot: Algorithmic Audit of Advertising and Minor Profiling on TikTok. arXiv:2603.05653. FAccT 2026.

Regulation (EU) 2022/2065 — Digital Services Act. Articles 3(r), 28(2). European Parliament and Council.

European Commission (2025). Preliminary Findings — TikTok DSA Compliance. May 2025.

Data Protection Commission Ireland (2023). TikTok Decision — 345 Million Euro Fine. September 1, 2023.

Data Protection Commission Ireland (2025). TikTok Decision — 530 Million Euro Fine. May 2, 2025.

Joint Privacy Investigation — TikTok and Children (2025). Office of the Privacy Commissioner of Canada / Commission d'accès à l'information du Québec / Federal Privacy Commissioner. September 2025.

Federal Trade Commission / Department of Justice (2024). Complaint Against TikTok Inc. and ByteDance Ltd. August 2024.

New Scientist (2026). "TikTok Legally Complies with Child Ad Rules While Undisclosed Marketing Profiles Minors." March 2026.

age-net · age-net.com · hello@age-net.com