A change to TikTok’s U.S. privacy policy on Wednesday introduced a new section that says the social video app “may collect biometric identifiers and biometric information” from its users’ content. This includes things like “faceprints and voiceprints,” the policy explained. Reached for comment, TikTok could not confirm what product developments necessitated the addition of biometric data to its list of disclosures about the information it automatically collects from users, but said it would ask for consent in the case such data collection practices began.
The biometric data collection details were introduced in the newly added section, “Image and Audio Information,” found under the heading of “Information we collect automatically” in the policy.
This is the part of TikTok’s Privacy Policy that lists the types of data the app gathers from users, which was already fairly extensive.
The first part of the new section explains that TikTok may collect information about the images and audio that are in users’ content, “such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content.”
While that may sound creepy, other social networks do object recognition on images you upload to power accessibility features (like describing what’s in an Instagram photo, for example), as well as for ad targeting purposes. Identifying where a person and the scenery are can help with AR effects, while converting spoken words to text helps with features like TikTok’s automatic captions.
The policy also notes this part of the data collection is for enabling “special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations.”
The more concerning part of the new section references a plan to collect biometric data.
It states:
“We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content. Where required by law, we will seek any required permissions from you prior to any such collection.”
The statement itself is vague, as it doesn’t specify whether it’s considering federal law, state laws, or both. It also doesn’t explain, as the other part did, why TikTok needs this data. It doesn’t define the terms “faceprints” or “voiceprints.” Nor does it explain how it would go about seeking the “required permissions” from users, or if it would look to either state or federal laws to guide that process of gaining consent.
That’s important because as it stands today, only a handful of U.S. states have biometric privacy laws, including Illinois, Washington, California, Texas and New York. If TikTok only requested consent, “where required by law,” it could mean users in other states would not have to be informed about the data collection.
Reached for comment, a TikTok spokesperson could not offer more details on the company’s plans for biometric data collection or how it may tie in to either current or future products.
“As part of our ongoing commitment to transparency, we recently updated our Privacy Policy to provide more clarity on the information we may collect,” the spokesperson said.
The company also pointed us to an article about its approach to data security, TikTok’s latest Transparency Report and the recently launched privacy and security hub, which is aimed at helping people better understand their privacy choices on the app.
The biometric disclosure comes at a time when TikTok has been working to regain the trust of some U.S. users.
Under the Trump administration, the federal government attempted to ban TikTok from operating in the U.S. entirely, calling the app a national security threat because of its ownership by a Chinese company. TikTok fought back against the ban and went on record to state it only stores TikTok U.S. user data in its U.S. data centers and in Singapore.
It said it has never shared TikTok user data with the Chinese government nor censored content, despite being owned by Beijing-based ByteDance. And it said it would never do so, if asked.
Though the TikTok ban was initially stopped in the courts, the federal government appealed the rulings. But when President Biden took office, his administration put the appeal process on hold as it reviewed the actions taken by his predecessor. And although Biden has, as of today, signed an executive order to restrict U.S. investment in Chinese firms linked to surveillance, his administration’s position on TikTok remains unclear.
It is worth noting, however, that the new disclosure about biometric data collection follows a $92 million settlement in a class action lawsuit against TikTok, originally filed in May 2020, over the social media app’s violation of Illinois’ Biometric Information Privacy Act. The consolidated suit included more than 20 separate cases filed against TikTok over the platform’s collection and sharing of personal and biometric information without user consent. Specifically, this involved the use of facial filter technology for special effects.
In that context, TikTok’s legal team may have wanted to quickly cover themselves from future lawsuits by adding a clause that permits the app to collect personal biometric data.
The disclosure, we should also point out, has only been added to the U.S. Privacy Policy, as other markets like the EU have stricter data protection and privacy laws.
The new section was part of a broader update to TikTok’s Privacy Policy, which included other changes both large and small, ranging from corrections of earlier typos to revamped or even entirely new sections. Most of these tweaks and changes could be easily explained, though — like new sections that clearly referenced TikTok’s e-commerce ambitions or adjustments aimed at addressing the implications of Apple’s App Tracking Transparency on targeted advertising.
In the grand scheme of things, TikTok still has plenty of data on its users, their content and their devices, even without biometric data.
For example, TikTok’s policy already stated it automatically collects information about users’ devices, including location data based on your SIM card and IP addresses and GPS, your use of TikTok itself and all the content you create or upload, the data you send in messages on its app, metadata from the content you upload, cookies, the app and file names on your device, battery state and even your keystroke patterns and rhythms, among other things.
This is in addition to the “Information you choose to provide,” which comes from when you register, contact TikTok or upload content. In that case, TikTok collects your registration info (username, age, language, etc.), profile info (name, photo, social media accounts), all your user-generated content on the platform, your phone and social network contacts, payment information, plus the text, images and video found in the device’s clipboard. (TikTok, as you may recall, got busted by Apple’s iOS 14 feature that alerted users to the fact that TikTok and other apps were accessing iOS clipboard content. Now, the policy says TikTok “may collect” clipboard data “with your permission.”)
The content of the Privacy Policy itself wasn’t of immediate concern to some TikTok users. Instead, it was the buggy rollout.
Some users reported seeing a pop-up message alerting them to the Privacy Policy update, but the page was not available when they tried to read it. Others complained of seeing the pop-up repeatedly. This issue doesn’t appear to be universal. In tests, we did not have an issue with the pop-up ourselves.
Additional reporting by Zack Whittaker