TikTok users were awarded up to $168 in financial compensation on Wednesday as part of a data privacy class action settlement.
ByteDance, the parent company of TikTok, has agreed to pay $92 million to settle allegations that it collected personal data without users’ consent.
TikTok users received a notice from the app on Monday to file a claim for compensation. Some expressed confusion on social media and questioned whether the notification was part of a larger scam before the media confirmed the authenticity of the payout.
The settlement is the result of consolidating 21 lawsuits, many of which were filed on behalf of minors, NBC News said in a story Wednesday.
Documents filed in U.S. District Court in Illinois allege that TikTok uses a “sophisticated artificial intelligence system to recognize facial features in users’ videos” and that it analyzes faces to “determine a user’s age, race/ethnicity, and gender … to recommend content and profiles for the user to follow.”
The lawsuit also alleges that TikTok extracted user information from draft videos that were never posted.
“By using this private and biometric information,” the lawsuit continues, “TikTok maintains a competitive advantage over other social media applications and profits from the use of improperly obtained data, while failing to comply with the minimum requirements for processing users’ biometric data established by” the state’s Biometric Information Privacy Act, which guarantees people the right to take action against companies that collect biometric data without consent.
TikTok’s terms of service allow for the collection of biometric data, but in doing so violate the Illinois Biometric Information Privacy Act, the plaintiffs claim.
Attorneys who filed the suit said Illinois residents would get five shares of the $92 million settlement, instead of one, because of the state’s privacy laws.
Chief Operating Officer Vanessa Pappas told Congress in September that the social media company does not use “any type of facial, voice or audio recognition or body recognition that would identify an individual.”
“We may collect biometric identifiers and biometric information as defined in US law, such as face and voice prints, from your User Content,” the policy states.
TikTok has officially denied all charges, but settled to prevent the case from going to court.
“While we disagree with the allegations, instead of going through lengthy litigation, we would like to focus our efforts on building a safe and joyful experience for the TikTok community,” the company said in a statement after the settlement agreement in February.
TikTok will also have to change and disclose its data collection practices as a condition of the settlement.
Sign on the dotted line
The lawsuit didn’t come as a shock to many analysts, and was probably expected by TikTok’s top executives themselves.
TikTok is one of the most invasive apps on the market today. In 2021, it was also the most downloaded with 656 million installs. TikTok has already made its way onto the phones of over a billion users.
Most see it as a good video sharing app that transforms the “Vine” format into a global technology with significant staying power. Eager to create an account to access their favorite influencer’s latest recipes or exercise tips, many users don’t read the terms of service. If they did, they would be sent down a dishonest rabbit hole of data collection and location tracking.
Like all social media in 2022, TikTok collects user-generated content, including comments, photos, live streams, audio recordings, videos, and videos with virtual elements that users choose to create with or upload to the platform.
If users choose to connect or register through a third-party social network or login service (such as Facebook, Twitter, Instagram or Google), it collects information from those services, including contact lists and information related to the use of the platform.
It also ambiguously mentions that the app “may collect information about you from other publicly available sources.”
Taking into account biometric facial prints, geolocation tracking, and third-party data collection, the most dangerous tool at TikTok’s disposal may be its “keylog” capability. Keylogging, also known as keystroke tracking, allows the app to recover any data entered into the phone.
This could mean that “anyone using their phone with the TikTok app on it could expose username and password data without even realizing it,” said Matthew Fulmer, cyber intelligence engineering manager at Deep Instinct.
“When you look at a keylogging breakdown, it’s extremely easy to find the user and the password. If all of this is transferred to external servers (where there is no clear understanding of who has access to them), who knows that this level of access may be readily available within certain companies.”
ByteDance insists the company does not send US user data to foreign servers, but Chinese entities are much more beholden to their government than those in the West. This means that the Chinese government can (and most likely will) collect user data. Additionally, hackers would have a treasure trove of data to use if TikTok’s servers were compromised.
Lawmakers are also particularly wary of TikTok and its invasive policies because its largest demographic of users are children and teens — a vulnerable market that may not understand the extent of privacy violations being committed.
A recurring theme
US tech and social media majors are grappling with similar legal issues.
In just the past five years, the Federal Trade Commission has brought 76 cases against companies for violating the privacy or security of their users, including lawsuits against Twitter, Facebook, Zoom, Google, YouTube, Uber and PayPal, according to The Hill.
Most recently, the state of Texas filed a new lawsuit against Google, alleging that it violated the state’s biometric privacy law by “indiscriminately” collecting voiceprints and facial recognition data from users and non-users of the company’s products without their consent.
Texas Attorney General Ken Paxton has argued that the company’s widespread implementation of facial recognition technology in Google Photos and use of voice recognition technology in its line of smart speakers and other home products is a violation of the state’s Capture or Use of Biometric Identifiers Act.
According to the complaint, Google scans photos, identifies subjects without user consent, and listens to conversations without engaging in Google’s indiscriminate voice typing.
The complaint describes Google’s Nest Hub Max, a smart home display with a built-in camera, as “a modern-day Eye of Sauron — constantly watching and waiting to identify a person it knows.”
Amazon Inc. drew the ire of Congress earlier this year when it released a Ring doorbell recording to law enforcement 11 times over a 6-month period without the user’s permission. A letter from Amazon to Congress revealing the fact was released in June by US Senator Edward Markey. The Massachusetts Democrat sent a separate letter to Amazon in June questioning Ring’s surveillance practices and engagement with law enforcement.
The list of litigation and public outrage goes on and on. Unfortunately for users, progress will be slow on online privacy rights when the $97 million settlements feel like little more than a slap in the face to leviathans like TikTok.
Is the economy of information and personal data worth more than the cost of a few thousand $100 checks?