This week a federal judge in Illinois granted final approval to a $92 million settlement to resolve TikTok privacy multidistrict litigation.  In Re: Tiktok, Inc., Consumer Privacy Litigation (Case: 1:20-cv-04699).  This case is notable for both its large class size and resolution of two dozen privacy litigations which had been previously filed against TikTok and other co-defendants.

Plaintiffs in the over 20 cases involved in the MDL alleged that TikTok unlawfully collected their biometric and other personal data in violation of state and federal privacy laws.  They also asserted that TikTok and the other Defendants exceeded the scope of their authorized access to class members’ electronic devices (notwithstanding certain terms in TikTok’s terms of service).  In addition to raising claims under the Illinois Biometric Information Privacy Act (“BIPA”), the consolidated pleadings alleged claims arising under (1) the Computer Fraud and Abuse Act; (2) the Video Privacy Protection Act; (3) California’s Comprehensive Computer Data Access and Fraud Act; and (4) California’s Unfair Competition Law, among other California and consumer protection law claims.

The settlement involved certification of a nationwide and Illinois subclass.  In granting final approval the Court found that, as ruled in the order granting preliminary approval, that the requirements of Rule 23 were satisfied and the settlement was fair, reasonable and adequate—notwithstanding prior objections raised.  CPW’s Kristin Bryan previously covered the settlement terms, which in addition to the monetary relief provided to class members contained broad injunctive relief.  This included, among other commitments:

• Limits on the Storage and Transmission of Data Outside the US.: Defendants agreed to abstain from using the TikTok App to collect or store a domestic user’s biometric data and geolocation information; from storing or transmitting a domestic user’s data outside of the U.S.; and from pre-uploading domestic user-generated content; unless expressly disclosed in TikTok’s privacy policy and in compliance with applicable law.

• Data Deletion and Employee Training: Defendants agreed to delete all pre-uploaded user-generated content collected from domestic users who did not ‘save’ or ‘post’ the content, and would require a newly designed annual training program for their employees and contractors on compliance with data privacy laws.

• Auditing for Three Years Following the Settlement: Defendants agreed to hire a third-party firm at their own expense to review their data privacy training for a period of three years and to provide a written verification of that review.

Many components of the TikTok settlement are congruent with broader settlement trends in BIPA litigations specifically—including its incorporation of injunctive relief and utilization of a claims-made process—although the class size in this case of 89 million TikTok users was particularly large.  However, the overall claims rate in this case of 1.4 percent is on par with other data privacy settlements (although it was an order of magnitude larger for the Illinois subclass).

For more, stay tuned.  CPW will be there to keep you in the loop.