TikTok, which has over 100 million users in the U.S. alone, introduced a newly added section in its privacy policy titled "Image and Audio Information." Under the heading of "Information we collect automatically," the app said it will collect "biometric identifiers and biometric information" such as "faceprints and voiceprints." The company claimed that it will seek permission to collect the data "where required by law."
On top of this, TikTok's privacy policy said it will collect other information in the content its users' post. It said:
"We may collect information about the images and audio that are a part of your User Content, such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio and the text of the words spoken in your User Content. We may collect this information to enable special video effects, for content moderation, for demographic classification, for content and ad recommendations and for other non-personally-identifying operations."
Other social media apps and websites already conduct object recognition on images their users upload. These processes are supposedly done to power accessibility features, such as helping an app recognize what is in a photo somebody uploads. These object recognition processes are also usually done for ad targeting purposes.
Other than stating that it may collect "faceprints and voiceprints," TikTok refused to clearly define the exact nature of the biometrics it will collect. It has also refused to answer why this policy change was made nor offer any convincing reason why a social media app like itself has to collect such intimate data from its users.
Furthermore, the vaguely worded language of the updated privacy policy could allow TikTok to amass a treasure trove of sensitive data without its users' explicit and informed consent.
TikTok's emphasis on only asking for permission to collect user data "where required by law" is potentially very dangerous. Only a handful of states – Washington, Texas, New York, Illinois and California – have laws that restrict how much biometric data companies are allowed to collect. (Related: Big tech supporting and writing privacy legislation in multiple states to preempt passage of stronger privacy laws.)
This could mean that, for users not from the above-mentioned states, users are already consenting to have their biometric data collected by simply agreeing to TikTok's terms of service.
The revisions to TikTok's privacy policy come less than four months after the company agreed to settle a class-action lawsuit in Illinois and pay the plaintiffs $92 million. The plaintiffs alleged that the app violated Illinois' Biometric Information Privacy Act by stealing personal and biometric data from users all over the country for targeted advertising purposes. This information was taken without meeting the informed consent provisions required by state law.
As part of the company's settlement, TikTok agreed to comply with state law by ceasing its collection and storage of biometric information, biometric identifiers, geolocation or GPS data unless this is expressly disclosed in the company's privacy policy.
The changes to the privacy policy might be a way to make sure TikTok can take personal data without violating any more laws.
This latest update has set off a lot of new alarm bells for privacy advocates. But before the release of the new privacy policy, TikTok was already allowed to gather a fairly extensive amount of data from its users.
Learn more about how social media giants like TikTok force users to willingly give it their data by reading the latest articles at PrivacyWatch.news.
Sources include: