TikTok, Congress, Biometric Data, and New Privacy Concerns
September 19, 2022 | 4 minutes read
As the Chinese-based short-form video hosting service and social media platform TikTok has been accused of violating the personal privacy of American citizens at several different points in the past few years, a change that the company made to its data privacy policy last year has led to further concerns for privacy advocates and politicians alike. More specifically, TikTok altered its privacy policy last year to accommodate the collection of biometric data, which can include “faceprints and voiceprints”, among other forms of biometric identifiers. Subsequently, the topic of biometric privacy was raised when TikTok’s Vice President and Head of Public Policy Michael Michael Beckerman answered a wide range of questions concerning his employer in a U.S Congressional Hearing that took place last October.
Nevertheless, Beckerman, as well as other executives and representatives that work for TikTok, have declined to comment publicly on the reasons or factors that influenced the growing social media company to abruptly amend its personal privacy policy. To this end, “TikTok’s earlier privacy policy change had introduced a new section called “Image and Audio Information” under the section “Information we collect automatically.” Here, it detailed the types of images and audio that could be collected, including “biometric identifiers and biometric information as defined under U.S. laws, such as faceprints and voiceprints.”
Biometric data privacy law
To this last point, TikTok’s privacy policy is particularly vague and ambiguous as it concerns the fashion in which the social media platform collects the biometric information of American citizens. Going back to the Congressional Hearing that several TikTok representatives and executives took part in during October 2021, U.S. Senator Kyrsten Sinema (D-AZ) recently asked Vanessa Pappas, TikTok’s Chief Operating Officer, if the biometric data of U.S. consumers was or had ever been accessed by employees of the company that were located in China. Moreover, Senator Sinema also asked if such access to the biometric data of American citizens was even possible.
Despite this direct line of questioning, however, Pappas failed to provide Senator Sinema with a cohesive answer regarding the specific biometric data collection practices of her employer, and instead highlighted the privacy policy of the social media company yet again. Likewise, Pappas was quoted as saying “the way that we use facial recognition, for example, would be is if we’re putting an effect on the creator’s video — so, you were uploading a video and you wanted to put sunglasses or dog ears on your video — that’s when we do facial recognition. All of that information is stored only in your device. And as soon as it’s applied — like that filter is applied and posted — that data is deleted. So we don’t have that data.”
Privacy violations at the U.S. state level
In so many words, the explanation that TikTok’s Chief Operating Officer Vanessa Pappas gives when detailing the particulars of the company’s biometric data collection practices essentially suggests that the manner in which the mobile application works on a technical level prevents the social media company from retaining the biometric data of American citizens. However, while this explanation might seem to be sufficient on a surface level, as testing each individual technical feature within a popular mobile application such as TikTok is outside of the scope of expertise and knowledge of even the most accomplished and well-respected U.S. politicians, it contradicts recent legal rulings that have been imposed against companies in U.S. states where biometric data privacy legislation has been passed.
To illustrate this point further, Snapchat recently settled a class action lawsuit in the state of Illinois for violating the Illinois Biometric Information Privacy Act (BIPA) in August of this year. Under the BIPA, businesses must obtain consent from citizens of the state prior to collecting their biometric data, lest they face heavy monetary penalties. However, much like the case with TikTok, the basis of this class action lawsuit was the video filters and effects that users of the mobile application used when recording videos using the social media application. With all this being said, a district court in Illinois ultimately ruled that the actions of Snapchat constituted a violation of the state’s biometric data privacy law, irrespective of the specific wording or contents of the social media company’s privacy policy.
While the state of Illinois completely changed the biometric data privacy landscape in the U.S. when the Biometric Information Privacy Act (BIPA) was first enacted in 2008, the unfortunate reality is that the overwhelming majority of U.S. states have yet to pass similar laws. For this reason, major tech and social media companies such as TikTok can effectively collect the biometric data of American citizens with little to no issue, regardless of any questions that a government official may pose to them during a Congressional hearing or another similar legal setting. Furthermore, large-scale corporations will continue to dodge questions regarding their data privacy policies until the U.S. passes a comprehensive data privacy law at the federal level.