In a move that concerns users and experts alike, TikTok’s recently announced that its U.S. privacy policy changed—”automatically” allowing the platform to collect more of its users’ biometric data, including “faceprint” and “voiceprints.” The change comes after TikTok settled a $92 million class action lawsuit that alleged the app violated the Illinois’s Biometric Information Privacy Act, the federal Video Privacy Protection Act, and other privacy-centric laws by harvesting users’ personal data and passing it to third parties.

TikTok vs. the Law

According to experts, the update is a business-centric move.

“Since TikTok’s business model is advertising, it’s reasonable to guess that this expansion of data collection is either going to enhance targeted advertising or is going to be the basis for a novel advertising product,” says Chris Wiggins, lead data scientist at the New York Times and  professor at Columbia University. “That is, it’s possible that they’re planning to give marketers the option to advertise to people who match a particular customer segment that can be defined using, for example, faceprints, voiceprints or other biometric data.”

The policy states that the app will ask for permission where required by law, but only a few states have biometric privacy legislation: California, Illinois, New York, Washington and Texas. It is not clear if the app intends for state law, federal law or both. The impetus of this section of the policy—alongside the policy at large—is murky.

“We may collect information about the images and audio that are a part of your User Content, such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content,” the policy says. “We may collect this information to enable special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations.”

Users should be wary of the open-endedness of this wording, says Derek Riley, the director of the Milwaukee School of Engineering’s computer science program.

“Capturing that information means TikTok could use it within their application, or they could turn and share it with another actor, government or company,” he told TIME. “Capturing that information means TikTok could use it within their application, or they could turn and share it with another actor, government or company.”

The China Concern

Vague wording and newly settled lawsuit aside, what alarms experts most about the updated policy is TikTok’s parent company, China-based Bytedance. And although President Biden rolled back on former President Trump’s attempts to ban TikTok last summer via executive order, the app still raises national security concerns.

“It’s possible that we could see a resurgence of such concerns given contemporary attention to abuse of individual data, not in the hands of the state but instead in the hands of private companies,” says Wiggins on the people powers that can constrain TikTok’s ongoing relevance. He points to legal theory to back up his claim.

“There’s a growing awareness that any data set can become what the legal scholar Paul Ohm called a ‘database of ruin.’ For example, data that are ‘anonymized’ by redacting names can nonetheless contain enough information that, when combined with another data set, allows personal information to be revealed in a way that is considered to be privacy violating.”

Currently, TikTok ranks as the seventh most used social network in the world, with about 100 million of its 689 million users being American. This makes for a bevy of biometric information—a kind of information that is unique, vast and unchangeable.

User Awareness, Consent

User consent is of utmost import in this update, particularly when it comes to younger users—it is estimated that around 41% of the app’s user base is between 16-24 years of age.

Riley warns users to be vigilant on the app. “It has a web of tangential outcomes that could turn out to be really problematic,” he told TIME.

ABOUT THE WRITER

Olivia Baker is a tech editor and journalist at Identity Review, where she writes on tech policy and national digital identity technologies.

Contact Olivia Baker at olivia@identityreview.com.

Do you have information to share with Identity Review? Email us at press@identityreview.com.