TikTok’s $92m US settlement over alleged privacy breaches has been delayed after an Illinois judge objected to the predicted claim rate and claimant notice plan.
Judge John Lee declined on 2 March to approve the proposed settlement of E.R. v. TikTok, Inc. et al. due to a lack of information about how the payout would be delivered and questioned why the platform itself would not be used to notify potential claimants.
The judge scheduled a continuation of the preliminary settlement hearing for 6 April and has requested supplementary briefings.
TikTok’s Chinese parent company ByteDance had agreed to pay $92m to settle the multidistrict litigation consisting of 21 putative class actions, most of which had been brought on behalf of minors. The suit made some substantial claims, including that TikTok violated Illinois’ Biometric Information Privacy Act by not telling its users its facial recognition technology collects and stores their biometric information. It also claimed TikTok analysed users’ faces to determine their ethnicity, gender and age and violated the Computer Fraud and Abuse Act over its transmission of private data.
The payout would have seen funds disbursed to a nationwide class of TikTok and Musical.ly (its predecessor) users, as well as an Illinois subclass. Together these constitute almost all of the US’s 92m TikTok users.
The proposed settlement also contained injunctive relief measures including: a mandate for future disclosures by TikTok, data privacy compliance training for all the company’s employees and contractors and a pledge not to collect biometric or GPS data on American users, which contains an addendum commitment not to transmit data outside the US without disclosure.
TikTok initially sought to have the case dismissed due to an arbitration provision contained in its terms of service. There is a perceived trend amongst US courts for favouring the enforcement of arbitration agreements, though Judge Lee acted against that in this case.
Tony Weibell of IP and antitrust specialists Wilson Sonsini Goodrich & Rosati represented the defendant. The plaintiffs were counseled by representatives from Carlson Lynch, Lincenberg & Rhow and Fegan Scott.
The steering committee comprised lawyers from Freed Kanner London & Millen, Susman Godfrey, Bottini & Bottini, Burns Charest and Hausfeld.
David Swain, partner and head of IP at Lewis Silkin's Hong Kong office, described the proposed settlement as “indicative of the value that customers place on their personal data; a view that is growing in the courts and amongst regulators. In turn, this shows how companies need to ensure they have robust privacy policies and, where applicable in each jurisdiction, inform data subjects as to how they intend to use data subjects’ personal data or obtain consent from data subjects to use their personal data for certain purposes.”
In a recently-settled, landmark class-action lawsuit that argued similar violations, Facebook was ordered to pay $650m after a California federal judge refused an initial settlement proposal of $550m on the grounds that it was not enough.
That case involved a predicted claimant rate of 22 percent. Law360 reported that Katrina Carroll of Carlson Lynch, co-lead counsel for the plaintiffs of the TikTok case, called the expected claim rate for the Facebook settlement “atypically high” and predicted a claim rate of 1-2 percent for the TikTok class action.
Judges in both the Facebook and TikTok cases had both expressed a desire to see elevated rates of claim in privacy class action lawsuits.
The TikTok lawsuit argues the platform unlawfully collected biometric information such as gender, age and ethnicity of the platform’s users (including some minors) using facial recognition software. It also claimed that data had crossed borders to servers in China.
Kristin Bryan, senior associate at Squire Patton Boggs, said: “While there have been several large settlements in the news (such as TikTok’s), the trend remains towards litigation, not settlement. Defendants will continue to litigate what they perceive as meritless claims that are overreaches by greedy plaintiffs’ attorneys.”
The rising significance of data privacy protection has been underlined by states such as Washington and Okolahoma as they enter consultation periods on data protection legislation. Virginia passed a data protection law last week that will be implemented in 2023.
There is a parallel concern in the US to ensure that Big Tech is substantially and effectively penalised for misconduct.
Bryan added: “The trend [in state legislation] will likely be towards an expansion of state privacy statutes providing for a private right of action, allowing individuals aggrieved by a data breach or the unlawful collection of their biometric data to file suit in court and seek damages. For instance, Florida and New York are both considering privacy legislation that contains broad private rights of action, allowing individuals to directly sue defendants for violations.”
California has recently updated its consumer data privacy protection laws to negate the need for a proof of harm to consumers in the event of a data breach, increasing the scope for plaintiff legislation against corporations.
Illinois, Texas and Washington all have laws that govern the use of biometric data. Illinois is the only state of the three that allows for individual lawsuits; Washington and Texas delegate the right of action to their respective attorney generals.
TikTok dominated headlines last summer after then-president Donald trump issued an executive order stating that its US arm needed to become US-owned or it would be blocked from operating by the FTC. This action has since been put on hold by incumbent President Joe Biden.