ByteDance sued for allegedly collecting biometric data without consent

A class-action lawsuit takes aim at the TikTok owner's video-editing app CapCut.

NurPhoto via Getty Images

ByteDance is facing a class-action lawsuit over claims that its CapCut video-editing app is vacuuming up data from its more than 200 million active users without consent. Among other things, the lawsuit, which was filed in Illinois, claims that CapCut violates the state's Biometric Information Privacy Act (BIPA) by collecting data like face scans and voiceprints without informing users or getting express permission.

The app also allegedly collects details about a user's location, date of birth and gender as well as their photos and videos. Much of this is said to be in service of delivering targeted ads. In addition, the suit claims that the app is capable of harvesting data from user devices, including the MAC address and SIM serial number.

The lawsuit, which The Record unearthed, asserts that CapCut's privacy policy was designed to make it hard for people to understand or to give the app “meaningful, express consent.” One plaintiff who started using the app while in the seventh grade was allegedly able to use CapCut without having to sign up for an account, reviewing a privacy policy or having parental consent.

Moreover, the suit points out that, since ByteDance is headquartered in Beijing, the company may be compelled to share CapCut data with the Chinese government. It claims that a former ByteDance official revealed publicly that the Chinese Communist Party can use a “backdoor channel code" to access data on users based outside of the country, including those in the US.

ByteDance, of course, owns TikTok, which has long been the subject of claims that the Chinese government can access US user data. The company has been trying to convince US regulators that TikTok doesn't pose a threat to national security. TikTok CEO Shou Zi Chew claimed at a congressional hearing earlier this year that "ByteDance is not an agent of China or any other country."

Since last year, TikTok has been routing all US user data to Oracle servers based in the country. That initiative, called Project Texas, also included the goal of removing US users' private TikTok data from ByteDance's own data centers.

Nonetheless, Montana legislators have passed a bill to ban TikTok outright in the state. Many other jurisdictions, including the federal government, have prohibited the app on nearly all state-owned devices. The Justice Department is reportedly looking into claims that four ByteDance employees used TikTok to snoop on the locations of two US journalists.

The class-action suit asks a district court to block ByteDance from sending CapCut user data and content to China, and from collecting users' biometric information and other data without consent. The plaintiffs asked the court to compel ByteDance to delete any user data and content it unlawfully obtained through CapCut as well. In addition, the suit seeks unspecified damages.

Engadget has asked ByteDance for comment.