TikTok, Inc. (TikTok) and its Chinese-owned parent company ByteDance Inc. are the latest to face a lawsuit under Illinois’s Biometric Information Privacy Act (BIPA or the Act). TikTok, a social media app, allows users to create, view, and share three to fifteen-second videos of dancing, lip-syncing, and other forms of self-expression, as well as short looping videos of three to sixty seconds. TikTok scans a user’s facial geometry before running an algorithm to determine the user’s age. TikTok also uses facial scans to allow users to superimpose animated facial filters onto the moving faces of video subjects. The app has seen increased use during the COVID-19 pandemic.
Under BIPA, a private entity cannot collect or store biometric data without first providing notice, obtaining written consent, and making certain disclosures. A “biometric identifier” is defined as any personal feature that is unique to an individual and specifically includes scans of facial geometry. BIPA is considered one of the most stringent on biometric privacy. The Act contains a private right of action provision that permits the recovery of statutory damages ranging between $1,000 and $5,000 by any “aggrieved” person under the law, which has generated a significant amount of class action litigation.
Plaintiffs, who are bringing the lawsuit against TikTok on behalf of minors identified as P.S. and M.T.W., allege that TikTok collected facial scans of minors and did not obtain parental consent before collecting or using the minors’ facial scans. The plaintiffs also claim that TikTok did not disclose what they do with that data, who has access to it, and whether, where, and for how long that data is stored. BIPA requires companies to publicly disclose how biometric information is used and how long it will be retained.
In 2019, TikTok (formerly known as Music.ly) settled with Federal Trade Commission (FTC) for alleged violations of the Children’s Online Privacy Protection Act (COPPA) for $5.7 million. The complaint alleged that TikTok violated COPPA by failing to notify parents about the app’s collection and use of information, not obtaining parental consent prior to collecting information from children under 13, and failing to delete personal information at the request of parents. Allegedly, the app received thousands of complaints from parents. As part of the settlement, TikTok was required to take down all videos made by children under the age of 13 and continue to monitor and comply with COPPA going forward.
In the last couple of years, Illinois has seen an explosion of BIPA class action litigation. It is important for companies collecting biometric information to implement compliance programs that comply with BIPA, but companies should also consider other state laws that are emerging, including the California Consumer Privacy Act and the New York Shield Act.