TikTok has updated its privacy policies several times already this year, with improvements for users under 16 and removing the ability to opt out of targeted advertising. But a new statement this week is particularly concerning:
We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content. Where required by law, we will seek any required permissions from you prior to any such collection.
Though I imagine those who are concerned about TikTok’s connections to the Chinese government or who see it as surveillance software will find this more nefarious than, say, I do, I still think it is pretty alarming. There is no good reason — not one — for a lighthearted social media app to uniquely identify people based on unchangeable physical characteristics, even for something as apparently innocuous as tagging.
Sarah Perez of TechCrunch reports that this policy change may have a more sedate origin:
It is worth noting, however, that the new disclosure about biometric data collection follows a $92 million settlement in a class action lawsuit against TikTok, originally filed in May 2020, over the social media app’s violation of Illinois’ Biometric Information Privacy Act. The consolidated suit included more than 20 separate cases filed against TikTok over the platform’s collection and sharing of the personal and biometric information without user consent. Specifically, this involved the use of facial filter technology for special effects.
In that context, TikTok’s legal team may have wanted to quickly cover themselves from future lawsuits by adding a clause that permits the app to collect personal biometric data.
The plaintiffs in that suit allege a creepy scheme to mine everything created through the app, including draft videos that were not published. This biometric data collection clause may be related to face mask filters and effects. But, if that is the case, why are those features available elsewhere while this clause is U.S.-only? And, given that this clause is so broad, is it reasonable to think that an ad-supported platform will continue to use it solely for fun filters in perpetuity? The answer to that last one seems obvious: rather than minimizing data collection, TikTok is giving itself latitude.
By the way, TikTok has three different privacy policies: one for the U.S., one for Switzerland, the U.K., and the European Economic Area, and one for everywhere else. Comparing these policies raises many questions. For example, the U.S. one seems to permit far greater collection than the other two. Is that because it is described more comprehensively, or is it because the U.S. has virtually none of the national privacy standards that are common elsewhere?
In the rest of the world, TikTok says it is allowed to collect many different types of behavioural information, including “app and file names and types, keystroke patterns or rhythms” in addition to things like IP addresses and device attributes, but that is not so different from many other social media apps. It also says that it collects “the existence and location within an image of face and body features and attributes” in order to, among other things, “enable special video effects”, which explains why it is able to offer face filters without collecting “biometric” data. This language does not appear in the more permissive U.S. policy; it also does not appear in the stricter policy for Europe and the U.K., but a quick scan of top British TikTok users indicates that face-based filters are available there, too.
It seems that the greater privacy protections afforded to non-U.S. countries are not prohibitive. My American readers should ask themselves why lawmakers are failing them when so many industries are eager participants in anti-privacy practices.