The change, first noticed by TechCrunch, appears to have been done quietly, without any formal statement. It is already active, as it went into effect on June 2.
We may collect information about the images and audio that are a part of your User Content, such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content. We may collect this information to enable special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations. We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content. Where required by law, we will seek any required permissions from you prior to any such collection.
Obviously, the company doesn’t provide any valid reasons for collecting biometric data, and doesn’t specify the type of biometric data which will be collected. It should be noted that the data collection happens with the user’s explicit consent. Since only a few U.S. states have laws that restrict companies from harvesting biometric details, including California, Illinois, New York, Washington, and Texas, TikTok may not even need to ask for this permission.
Furthermore, TikTok also may collect information about the nature of the user’s audio, as well as the text of the words spoken in the user’s content. Of course, the service says that the extreme data collection is done to enable special video effects, content moderation, and also to improve demographic classification and content and ad recommendations.
Not the first time TikTok breaches its users’ privacy, either
Last year, TikTok was found breaking Google’s rules on data collection by exploiting the Play Store services in order to bundle personalized advertising without the users’ consent. This practice is officially banned by Google for all applications uploaded on their repository. It appears that the company was able to find a loophole allowing the application to collect the network MAC IDs of the devices.