TikTok is seeking preliminary approval of a class-action settlement with terms that would require the video sharing platform to establish a $92 million settlement fund and create a new compliance framework, including a “newly designed data privacy compliance training program for all TikTok employees and contractors,” according to court documents.

TikTok, an app popular with children and teenagers and owned by Chinese company ByteDance, is no stranger to legal battles around the world concerning user privacy. In the proposed settlement, filed Thursday in U.S. District Court for the Northern District of Illinois, TikTok noted it had to overcome “unique defense-side political and settlement pressures” and referred to the payout as being “among the nation’s highest privacy-related settlements,” consisting of a class of 89 million U.S. users.

The multidistrict litigation consists of 21 federal lawsuits against TikTok and ByteDance, as well as their foreign affiliates. The lawsuits allege TikTok’s app, as well as its predecessor Musical.ly—a video sharing social networking app used to create short videos—“infiltrates its users’ devices and extracts a broad array of private data including biometric data” used to track and profile users for the purpose of ad targeting in violation of both state and federal law.

The complaint alleged violations of privacy laws in Illinois and California, both of which require technology companies to receive written consent before collecting data about a person’s identity. The complaint further alleged the TikTok app has “clandestinely vacuumed up and transferred to servers in China (and to other servers accessible from within China) vast quantities of private and personally identifiable user data and content that could be employed to identify, profile, and track the physical and digital location and activities of United States users now and in the future.”

TikTok denies such conduct. Nonetheless, the company said a settlement was in its best interest.

Compliance obligations

In addition to the $92 million settlement fund, TikTok must also implement remedial measures to prevent future violations, “including a company-wide data privacy training initiative,” according to court documents. TikTok also agreed to numerous other compliance obligations, including:

  • To not collect or store biometric information, biometric identifiers, geolocation or GPS data, or information in users’ device clipboards unless expressly disclosed and in compliance with all applicable laws;
  • To not transmit U.S. data outside the United States or store U.S. user data in databases outside the United States unless expressly disclosed and in compliance with all applicable laws;
  • To delete pre-uploaded, user-generated content collected from users who created videos but did not “save” or “post” the content;
  • To not disclose to any third party the “personally identifiable information” of a “consumer” who uses the app; and
  • To not share user data collected through the app with third parties without disclosing in its privacy policy the categories of third parties with whom user data is shared.

TikTok will also implement a “newly designed training on compliance with data privacy laws and company procedures for all relevant incoming employees and contractors, and annual training thereafter,” court documents state. Additionally, TikTok will, at its own expense, hire a third party to review the data privacy law compliance training for a three-year period and provide written verification of this review, along with the verification required by the settlement agreement, to class counsel.

The proposed settlement now awaits final approval by U.S. District Judge John Lee of the Northern District of Illinois.