TikTok Biometric Data Collection: Faceprints & Voiceprints

TikTok Updates Privacy Policy to Include Biometric Data Collection

On Wednesday, TikTok modified its U.S. privacy policy, introducing a new clause stating the platform “may collect biometric identifiers and biometric information” from user-generated content. This encompasses data points such as “faceprints and voiceprints,” as detailed within the revised policy.

When asked for clarification, TikTok representatives were unable to specify the product advancements prompting the inclusion of biometric data in their disclosures regarding automatically collected user information. However, they affirmed that user consent would be sought should such data collection practices be implemented.

Details of the New Policy

The specifics concerning biometric data collection were introduced within a newly added section titled “Image and Audio Information,” which falls under the “Information we collect automatically” heading in the policy.

This section details the types of data TikTok gathers from its users, building upon an already comprehensive existing list.

The initial portion of this new section clarifies that TikTok may gather information pertaining to the images and audio present in user content. This includes “identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content.”

While this may raise concerns, many other social media platforms utilize object recognition on uploaded images to enhance accessibility features – like describing images on Instagram – and to refine ad targeting strategies.

Identifying individuals and surrounding environments can facilitate augmented reality effects, while speech-to-text conversion powers features like TikTok’s automatic captions.

Data Usage and Concerns

The policy further indicates that this data collection is intended for enabling “special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations.”

However, the more noteworthy aspect of the new section pertains to the potential collection of biometric data.

The policy states:

The statement lacks precision, failing to specify whether it considers federal, state, or both sets of regulations. It also does not elaborate on the rationale behind TikTok’s need for this data, nor does it define the terms “faceprints” or “voiceprints.”

Furthermore, it doesn’t outline the process for obtaining “required permissions” from users, or whether it will adhere to state or federal laws in securing consent.

This is significant because currently, only a limited number of U.S. states have enacted biometric privacy laws, including Illinois, Washington, California, Texas, and New York. If TikTok were to only request consent “where required by law,” users in other states might not be informed about the data collection.

TikTok’s Response and Context

A TikTok spokesperson declined to provide further details regarding the company’s plans for biometric data collection or its integration with existing or future products.

“As part of our ongoing commitment to transparency, we recently updated our Privacy Policy to provide more clarity on the information we may collect,” the spokesperson explained.

The company also directed attention to its data security article, the latest Transparency Report, and the newly launched privacy and security hub, designed to help users better understand their privacy options within the app.

This disclosure arrives as TikTok endeavors to rebuild trust among some U.S. users.

During the Trump administration, the federal government attempted to ban TikTok’s operation within the U.S., citing national security concerns due to its ownership by a Chinese company.

TikTok contested the ban, asserting that U.S. user data is exclusively stored in U.S. data centers and in Singapore. The company also denied sharing user data with the Chinese government or censoring content, despite being owned by Beijing-based ByteDance, and pledged to refrain from doing so if requested.

Although the initial ban was halted by the courts, the federal government pursued appeals. However, upon President Biden’s inauguration, his administration suspended the appeal process to review the actions of his predecessor.

While President Biden has signed an executive order restricting U.S. investment in Chinese firms linked to surveillance, his administration’s stance on TikTok remains ambiguous.

Legal Precedent and Policy Scope

It’s important to note that this disclosure regarding biometric data collection follows a $92 million settlement in a class action lawsuit against TikTok, initially filed in May 2020. The suit alleged violations of Illinois’ Biometric Information Privacy Act.

The consolidated lawsuit encompassed over 20 separate cases concerning TikTok’s collection and sharing of personal and biometric information without user consent, specifically related to the use of facial filter technology.

In this context, TikTok’s legal team may have proactively sought to shield the company from future litigation by incorporating a clause permitting the collection of biometric data.

The disclosure has been added solely to the U.S. Privacy Policy, as other regions, such as the EU, have more stringent data protection and privacy regulations.

This update was part of a broader revision to TikTok’s Privacy Policy, encompassing various changes, from correcting typos to introducing entirely new sections. Most of these adjustments were readily explainable, such as new sections referencing TikTok’s e-commerce ambitions or modifications addressing the implications of Apple’s App Tracking Transparency on targeted advertising.

Existing Data Collection Practices

Even without biometric data, TikTok already possesses a substantial amount of data on its users, their content, and their devices.

TikTok’s policy already states that it automatically collects information about users’ devices, including location data derived from SIM cards, IP addresses, and GPS, usage patterns, and all content created or uploaded. This also includes data sent in messages, metadata from uploaded content, cookies, app and file names, battery status, and even keystroke patterns.

In addition to this, TikTok collects information users actively provide, such as registration details, profile information, user-generated content, phone and social network contacts, payment information, and text, images, and video from the device’s clipboard.

(TikTok previously faced scrutiny for accessing iOS clipboard content, as highlighted by Apple’s iOS 14 feature. The policy now states TikTok “may collect” clipboard data “with your permission.”)

Rollout Issues

Some users reported encountering issues with the Privacy Policy rollout, receiving pop-up messages about the update but finding the policy page inaccessible. Others experienced repeated pop-up notifications. However, these issues do not appear to be widespread.

https://twitter.com/matthewericdoes/status/1400115048782045187

https://twitter.com/diegheaux/status/1400223230577762310

https://twitter.com/allimaemangsat/status/1400372351301128200

Additional reporting by Zack Whittaker