TikTok Fights Sprawling Litigation Over Alleged In-App Browser Data Harvesting

TikTok is facing a slew of class action lawsuits alleging it tracks and harvests troves of personal information on users through its in-app browser.

In the most recent suit filed on Wednesday, users allege TikTok has “secretly amassed massive amounts of highly invasive information and data by tracking their activities on third-party websites.” At least a dozen class actions have been filed since November alleging violations of the federal wiretap act, among other claims.

TikTok remains under fire by the government due to concerns that data it collects on American users can be leveraged by the Chinese government to advance its interests. The company could, for example, be forced to tweak its algorithm to boost content that undermines U.S. democratic institutions or muffles criticism of China and its allies, according to lawmakers. A bipartisan bill backed by the White House was introduced on Tuesday that would establish a unified process for reviewing and addressing technology that could be subject to foreign influence. Under the measure, Chinese parent company ByteDance could be forced to sell TikTok or the platform could be completely banned, though that would face significant hurdles.

The first suit, known as Recht v. TikTok, was filed in November. It was based on a report from Felix Krause, a software researcher who found that the company injects lines of code that commands the platform to copy user activity on external websites. Of the seven popular apps he tested — including Instagram, Snapchat, Amazon — he found that only TikTok monitored keystrokes.

The named plaintiff in the complaint, California resident Austin Recht, says he clicked on an ad to a third-party website, where he bought merchandise after he entered private data that included his credit card information. Tiktok “surreptitiously collected data associated” with his activity on the third-party site accessed through the platform’s in-app browser, according to the complaint.

The class actions detail how TikTok intercepts and harvests data. The in-app browser inserts code into the websites visited by users with the purpose of tracking “every detail about [their] activity,” Recht claims.

“In the case of online purchase transactions, this would include all of the details of the purchase, the name of the purchaser, their address, telephone number, credit card or bank information, usernames, passwords, dates of birth,” reads the complaint filed in California federal court.

The data isn’t limited to purchase information and extends to private information about users’ health, the suit alleges. When users click on a link to Planned Parenthood on TikTok, for example, their activity on the site is tracked and harvested. This could identify users looking for abortion services or those looking for information about gender identity, according to the suit.

TikTok has faced legal action for illegally harvesting user data. In 2020, it was sued for alleged violations of the Illinois Biometric Information Privacy Act, a state statute that prohibits private companies from collecting users biometric identifiers without first obtaining consent. It settled the litigation for $92 million.

In response to suits alleging violations of the Federal Wiretap Act, Tiktok has said that the purported class members are covered under the settlement for those who sued for violations of the Illinois privacy law because it “addressed all user data collected through the app.”

Though the plaintiffs in the suit don’t allege any injury, the Federal Wiretap Act doesn’t require proof of actual harm to recover monetary damages. The law prohibits the intentional interception of communications, which includes personal information.

Some of the suits also allege violations of state invasion of privacy and competition laws. A hearing has been set for March 30 on whether the litigation should be consolidated.

In California, TikTok could face massive damages if there’s a data leak. Under the California Consumer Privacy Act, companies that mishandle personal data face statutory damages ranging from $100 to $750 for each consumer per incident.

TikTok didn’t immediately respond to requests for comment.

This article originally appeared on THR.com.