A proposed class action alleges TikTok has invaded the privacy of millions of users by secretly tracking their activities as they visit third-party websites through the short-form video platform’s in-app internet browser.
Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.
According to the complaint, nowhere in TikTok’s terms of service or privacy policies does it disclose this practice or ask users for consent.
“[E]very single detail of a user’s website viewing is [sic] that occurs through the in-app browser is tracked,” the lawsuit reads. “In the case of online purchase transactions, this would include all of the details of the purchase, the name of the purchaser, their address, telephone number, credit card or bank information, usernames, passwords, dates of birth, etc.”
The lawsuit stresses that TikTok has also likely obtained detailed and sensitive information about individuals’ physical and mental health given that several healthcare providers and pharmacies have a digital presence on the app, posting videos that appear on users’ feeds. For example, the suit says, Planned Parenthood’s verified account provides a link to its website where individuals can read resources pertaining to deeply personal topics, such as abortion, birth control, cancer, emergency contraception, pregnancy, sex, pleasure, sexual dysfunction, sexual orientation and gender identity. As the case tells it, this is just one example of the private details that TikTok actively intercepts and keeps a record of without consent or disclosure.
U.S. TikTok data flows to China, case says
The lawsuit explains that TikTok’s primary source of revenue comes from selling digital advertising space on its platform, then presenting certain advertisements based on which users are most inclined to purchase the product or service. According to the case, TikTok’s tracking software allows it to effectively show users advertisements based on their interests and habits.
As the complaint tells it, the number of people who make purchases and/or learn about new products and brands through TikTok is “significant” given “what has come to light about TikTok’s undisclosed collection of data about its users.” Per the filing, tracking users’ interests and habits is “critical” to TikTok’s revenue-generating ad business, as this is “precisely the kind of information that allows TikTok to sell advertising to its customers as effective and targeted to specific audiences.”
The suit relays that TikTok directs users to advertisers’ websites through either links in sponsored posts or links placed in the profiles of personalities, businesses and organizations with 1,000 or more followers. Once the links are clicked, the website does not open in a device’s default browser but instead through TikTok’s in-app browser, where the alleged data tracking ensues, the case states.
“Websites opened via links in user profiles do not even offer users the option to open the website via anything other than TikTok’s in-app browser,” the suit adds, stressing that in-app internet browsers, especially TikTok’s, pose a number of risks given the amount of money users spend and the amount of data collected.
For instance, a report by software researcher Felix Krause found that TikTok’s code creates new commands to copy users’ every keyboard input on external websites, which the case calls “the equivalent of installing a keylogger.” After testing seven popular apps using a tool of his creation, InAppBrowser.com, Krause concluded that TikTok is the only app that monitors keystrokes, the lawsuit says.
Compounding the foregoing data privacy risks are the unignorable ties between TikTok’s stateside operations and its corporate parent in China, the lawsuit continues.
Although the California-based defendants TikTok, Inc. and ByteDance, Inc. and Chinese-based defendants Beijing ByteDance and ByteDance Ltd work together to sell, develop, and operate the TikTok app, the foreign companies exert “substantial control” over their domestic subsidiaries, the complaint says. Per the case, the U.S.-based defendants function “as mere satellite offices with little independence” from their Chinese parent entities, who constantly monitor the stateside TikTok operation.
According to the suit, CNBC and BuzzFeed News have reported instances in which U.S. staff lacked the authority to access U.S. user data and had to reach out to colleagues in China who could readily pull the information, the case relays.
“The Defendants are all privately held companies and even former employees have noted the secretive nature of details regarding Defendants’ corporate structure,” the case reads.
In Washington, TikTok has garnered bipartisan concern surrounding privacy and data collection, the suit relays. In 2019, Senators Chuck Schumer (D-NY) and Tom Cotton (R-AR) sent a letter to Acting Director of National Intelligence Joseph Maguire on the “national security” risks linked to TikTok and the possibility that TikTok may share users’ personal information with the Chinese government. Earlier this year, Senators Mark Warner (D-VA) and Marco Rubio (R-FL) sent a bipartisan letter to the Federal Trade Commission (FTC) asking it to investigate TikTok once again, the lawsuit adds.
Despite pressure to cut ties with ByteDance and attempts to downplay its association with Chinese companies, TikTok COO Vanessa Pappas, during testimony before the Senate Homeland Security Committee in September 2022, confirmed that the app would not commit to cutting off China’s access to U.S. user data, the case states.
Although former President Donald Trump attempted to issue an executive order in 2020 to ban TikTok unless ByteDance sold its U.S. assets to an American company, the complaint contends that “China’s control over the app has only expanded as the Chinese government has recently acquired a 1% stake in Beijing ByteDance and a seat on its board.”
Currently, TikTok cannot be installed on government-issued phones, and it was banned by the U.S. Army, Navy, Air Force, Coast Guard, Marine Corps., Department of Defense, Department of Homeland Security and TSA, the case says.
It's not TikTok’s first time in the legal hot seat
Since its release in 2018, TikTok’s handling of users’ personal data has been the subject of several investigations, including now-settled litigation over its alleged collection of user biometric data without permission, the complaint relays.
The lawsuit notes that in 2019, the FTC fined TikTok $5.7 million for violating the Children’s Online Privacy Protection Act (COPPA) by collecting information from minors under 13. The United Kingdom, the Dutch Authority and the Ireland Data Protection Commission have each launched similar investigations into TikTok’s privacy practices relating to children.
TikTok’s data tracking capabilities are especially concerning given the recent criminalization of abortion in several states following the Supreme Court’s reversal of Roe v. Wade, the case emphasizes. The possibility that governments could acquire data from commonly used period and ovulation tracking apps to support prosecution cases for abortions is a “well-founded concern,” the filing contends.
Who does the lawsuit cover?
The case looks to represent anyone in the United States who used the TikTok app to visit external websites via the in-app browser.