Popular short-form video-sharing service TikTok quietly revised its privacy policy in the U.S., allowing it to automatically collect biometric information such as faceprints and voiceprints from the content its users post on the platform.
The policy change, first spotted by TechCrunch, went into effect on June 2. TikTok users who reside in the European Economic Area (EEA), the U.K., Switzerland, and other geographies (excluding India) where the service operates are exempted from the changes.
“We may collect biometric identifiers and biometric information as defined under U.S. laws, such as faceprints and voiceprints, from your User Content. Where required by law, we will seek any required permissions from you prior to any such collection,” the ByteDance-owned company said in a newly introduced section called “Image and Audio Information.”
On top of this, the company’s privacy policy also notes that it may collect information about “the nature of the audio, and the text of the words spoken in your User Content” so as to “enable special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations.”
Besides not clearly defining the exact nature of biometrics being collected or offering a convincing reason as to why this data gathering is necessary in the first place, the vaguely worded language could allow TikTok to amass such sensitive data without users’ explicit consent.
Given that only a handful of states in the U.S. — California, Illinois, New York, Texas, and Washington — have laws restricting companies from collecting biometric data, the move could mean that TikTok doesn’t have to ask permission from its users in other states, as noted by TechCrunch. In other words, users are consenting to have their biometric data collected simply by agreeing to its terms of service.
The revisions to its privacy policy come months after TikTok agreed to pay $92 million to settle a class-action lawsuit that alleged the app violated the Illinois’ Biometric Information Privacy Act (BIPA) by clandestinely capturing biometric and personal data from users in the U.S. to target ads without meeting the informed consent requirements of the state law.
As part of the settlement, TikTok complied to avoid collecting or storing biometric information, biometric identifiers, geolocation, or GPS data unless expressly disclosed in its privacy policy. Viewed in this light, it’s possible that the changes are a result of the lawsuit agreement.