Proposed class action lawsuits filed less than a week apart against TikTok have taken divergent trajectories. While the operators of the short-form video app abruptly settled a case over the alleged collection of children’s data without parental consent, the companies still face a proposed class action in California over claims that they shared children’s data with China.
Below is an overview of TikTok, the swift settlement, and the lawsuits targeting the platform’s alleged data collection and dissemination practices.
What Is TikTok?
Downloaded more than 200 million times since 2014, TikTok is an app that’s seemingly filled the shoes left behind by now-deceased short-form video platform Vine. Particularly popular among young people in “Gen Z” and those dubbed as “Millennials,” viral-oriented TikTok allows users to watch and post 15-second videos designed solely for viewing on a mobile phone.
Before it became the worldwide phenomenon it is today, TikTok was known as Musical.ly until it was acquired in November 2017 by Chinese startup ByteDance. At the time of the switch, Musical.ly’s users were migrated to updated TikTok accounts. While the name and overall packaging of the app received a facelift, Musical.ly’s core function—short-form, 15-second videos—remained unchanged.
Children’s Data and Federal Law
The now-settled lawsuit out of Illinois alleged TikTok surreptitiously “tracked, collected, and disclosed” personally identifiable information and/or viewing data from children under the age of 13 without parental consent. Filed on behalf of two minors by their mothers, the 25-page complaint charged that TikTok’s data collection and dissemination practices have led to ramifications that include children “being stalked on-line by adults.”
At the heart of the lawsuit was the Children’s Online Privacy Protection Act (COPPA). The 1999 law, the case stated, expressly forbids developers of “child-focused” apps from obtaining personally identifiable information from children under 13 without first securing verifiable consent from their parents. Personally identifiable information, as defined under COPPA, includes names, email addresses and Social Security numbers. It also includes screen names or usernames, media files containing a child’s image or voice, geolocation data and, in general, any “persistent identifier that can be used to recognize a user over time and across different Web sites or online services.”
The minor plaintiffs alleged that they were not asked for verifiable parental consent to collect, disclose, or use their personally identifiable information, nor were their mothers provided with direct notice from TikTok concerning data collection and dissemination. Given how much personal information a user needs to provide in order to create a Musical.ly/TikTok profile, the defendants, the plaintiffs alleged, failed to put in place appropriate safeguards—namely barriers requiring verifiable parental consent—to prevent minors from creating accounts without permission.
A “First-of-Its-Kind” Settlement
Rather than risk the five-count lawsuit heading through the discovery phase and potentially to trial, the plaintiffs and defendants TikTok and ByteDance Technology Co.; Musical.ly Inc.; and Musical.ly the Cayman Islands Corporation came to a tentative $1.1 million settlement to end claims that the companies violated COPPA. According to court documents, the plaintiffs believe the all-cash deal “represents the first settlement of its kind” and constitutes an “excellent result” given the “risks, uncertainties, burden and expense” of furthering the litigation.
The settlement, which is subject to a judge’s final approval, looks to cover:
“All persons residing in the United States who registered for or used the Musical.ly and/or TikTok software application prior to the Effective Date when under the age of 13 and their parents and/or legal guardians.”
The plaintiffs’ court filing estimates that roughly six million individuals may be covered by the settlement. Given the sheer difficulty of identifying, much less directly contacting, every class member, a settlement website will be created for those looking to file claims. News of the settlement, once approved, will be posted on social media, including Facebook.
It is estimated that settlement awards could range from $10 to $15 per claimant. The plaintiffs look to recover $2,500 each for bringing the suit.
“Lighthearted Fun at a Heavy Cost”: TikTok Accused of Data Sharing with China
Though one proposed class action against TikTok was open and (tentatively) shut the next day, the platform and its operators are still facing another lawsuit centered on similar claims. The other case, however, alleges TikTok’s data collection practices are far shadier—and far more globalized—than users know.
The focal point of the sweeping proposed class action filed in the Northern District of California is the allegation that TikTok comes surreptitiously equipped with surveillance software that “vacuums” up user data and transfers the information to servers in China to “identify, profile and track the location and activities of users” in the U.S. now and in the future. Filed against ByteDance, TikTok, Beijing ByteDance Technology Co. Ltd. and Musical.ly, the 46-page case alleges the defendants have taken users’ content, including mobile device details and drafts of videos never intended for publication, without their consent or knowledge.
Arguing that the videos on the platform are “inherently private, personal and sensitive,” the case claims that once a TikTok user clicks the “next” button after filming and before they either save or post a video, the content is transferred to Musdbn.com, a domain owned and controlled by the defendants. It’s at this stage in the process, according to the complaint, when users’ videos are also transferred in secret to two Musical.ly servers—xlog-va.musical.ly and log2.musical.ly.
The lawsuit alleges that during this process, those using the app see “no progress bar or any other indication” that their content is being transferred anywhere. Also undisclosed, the case continues, is any indication that the defendants are capturing the videos and users’ biometric identifiers.
“Consequently, TikTok users are prevented from knowing that Defendants have taken their private videos and Biometric Identifiers,” the lawsuit charges. “No user consent exists.”
User Profiles for Tracking, Targeted Advertising
According to the suit, Beijing ByteDance’s biggest revenue source is advertising, and its management, the plaintiff claims, is tasked with hitting “increasingly ambitious” goals with regard to monetizing the platform. To meet these expectations, TikTok relies on targeted advertising that appears within users’ feeds, offering promotional content in between user content. As the suit tells it, the vast swaths of data scooped up by the defendants are the backbone of the companies’ ad business, and users have little choice of opting out aside from declining to use TikTok at all.
Further, the plaintiff claims the companies have gone to great lengths to hide any sign of their collection of user information, including by obfuscating source code and using non-standard encryption to conceal the transfer of data.
With regard to the user identifiers collected by TikTok and Musical.ly, the lawsuit claims that once the app is installed on a device, the defendants capture a combination of everything from usernames, passwords, email addresses and birthdates to MAC and IP addresses, operating system data, browsing history, metadata and a user’s precise physical location. Additionally, users who sign into TikTok from Facebook, Google or Twitter, the case says, unknowingly give the defendants access to private information stored on other social media accounts, including user and device identifiers and friends’ photos and contact information.
The picture a full assembly of user identifiers can paint is ultimately used by the defendants for profit, the plaintiff asserts.
“These are living files that are supplemented over time with additional private and personally-identifiable user data, and utilized now and in the future for various economic and financial purposes,” according to the suit. “For example, Defendants’ control over these ever-expanding dossiers make tracking and profiling users, and targeting them with advertising, much more efficient and effective. Defendants unjustly earn substantial profits from such targeted advertising.”
Further still, even when an individual stops using Musical.ly/TikTok, the defendants “continue to use the apps to harvest” certain personally identifiable information from their mobile device, the case claims.
TikTok and China
Prior to Senators Charles Schumer (D-NY) and Tom Cotton (R-AR) sending a letter to Acting Director of National Intelligence Joseph Maguire on the “national security” risks linked to TikTok, the app’s operators in July 2019 retained consultants who the lawsuit says “opined” that there is no indication that the Chinese government had accessed users’ data. Further, TikTok, the case says, issued a statement prior to the lawsuit’s filing in which it claimed it stores all user data on servers in the United States with only “backup redundancy” in Singapore, assuring that none of users’ data is subject to Chinese law.
The plaintiff alleges, however, that TikTok’s “unpersuasive” assurances carefully leave out any mention of its past data collection, retention and dissemination practices. From the complaint:
“In fact, the statement does not actually say that no private and personally-identifiable user data is transferred to China. Rather, it simply says that private and personally-identifiable user data is stored in the United States (but not necessarily exclusively in the United States) and that the current data centers are located outside China (but not whether these data centers transfer private and personally-identifiable user data to China).”
Hand, Meet Glove: Government Cooperation
The complaint rounds out with the claim that the Chinese government is “taking full advantage” of the domination of the country’s artificial intelligence, social media and greater internet landscapes by companies such as the defendants, Baidu, Alibaba and Tencent. According to the complaint, the entities “routinely assist the Chinese government in the surveillance of its people through the use of biometric data” such as that supposedly captured by TikTok. American users, the proposed class action alleges, are wholly unaware of what happens to data utilized by TikTok.