TikTok Accused of Sending User Data to China

A California class action lawsuit filed in the Northern District of California (Hong v. ByteDance,Inc. et al 5:19-cv-07792-SVK) accused TikTok, a social video sharing platform, of transferring private user data to Chinese servers, despite its claims that it does not store personal data. TikTok is also facing an investigation by the United States government over national security concerns regarding data storage and potential censorship of politically sensitive information.

The plaintiff, Misty Hong, is a college student and resident of California. She downloaded the TikTok app in March or April of this year but never made an account. She claimed that she discovered months later that TikTok created an account for her without her knowledge or consent and created a file of information about her, including biometric information taken from videos she made, but never posted.

The complaint stated, TikTok “clandestinely… vacuumed up and transferred to servers in China vast quantities of private and personally-identifiable user data that can be employed to identify, profile and track the location and activities of users in the United States now and in the future.”

The complaint stated that since adopting a new privacy policy in February, TikTok has transferred user data to two Chinese servers: bugly.qq.com and umeng.com as recently as April; transferred data included information about the user’s device and any websites the user visited. The servers are owned by Tencent, China’s largest software company and e-commerce giant, Alibaba Group, respectively.

The suit also alleged since at least 2017, source code from Chinese tech-giant Baidu and advertising service Igexin are embedded within the TikTok app, which enabled developers to install spyware on a user’s phone.

“TikTok’s lighthearted fun comes at a heavy cost. Meanwhile, TikTok unjustly profits from its secret harvesting of private and personally-identifiable user data by, among other things, using such data to derive vast targeted-advertising revenues and profits. Its conduct violates statutory, Constitutional, and common law privacy, data, and consumer protections.”

The complaint further alleged that after a user records a video and presses the next button, their video is transferred from their device to a domain owned by ByteDance, the company that owns TikTok, but there is no indication that a user’s video is being transferred. Users are unaware that their videos and biometrics are transferred and stored by TikTok.

TikTok is accused of using user’s data for targeted advertising, which is financially beneficial to TikTok. Further, TikTok attempted to cover up that it had taken and used personal user data. Information taken from users include username, password, age/birthday, email address, profile image, user-made content, phone and social network contacts, the device’s WiFi MAC address, the device’s International Mobile Equipment Identity (IMEI) and Subscriber Identity (IMSI), IP address, device ID, device operating system version, cookies, browsing history, metadata, location, and other pieces of information. TikTok’s privacy policy and terms of use do not account for the sharing of this personal data.

The complaint alleged that TikTok violated the Computer Fraud and Abuse Act, California Comprehensive Data Access and Fraud Act, the right to privacy as provided in the California Constitution, Intrusion upon Seclusion, the California Unfair Competition Law, and the California False Advertising Law. Negligence and restitution for unjust enrichment are also among the alleged offenses.

Plaintiff Hong is represented by Bird Marella Boxer as well as Glancy Prongay & Murray.