
TikTok users can proceed with a privacy lawsuit alleging that the company logged their keystrokes when they visited outside websites through TikTok's in-app browser, a federal judge has ruled.
In a decision issued this week, U.S. District Court Judge Rebecca Pallmeyer in the Northern District of Illinois found that users' allegations, if proven true, could support claims that TikTok violated federal and California state wiretap laws.
The decision comes in a class-action complaint first brought in November 2022 by California resident Austin Recht, and later joined by other TikTok users. They alleged that TikTok gathered a trove of personal and sensitive data by tracking app users' activity on outside sites.
“Every single detail of a user’s website viewing that occurs through the in-app browser is tracked,” the plaintiffs alleged in an amended complaint filed in July with Pallmeyer.
“In the case of online purchase transactions, this would include all of the details of the purchase, the name of the purchaser, their address, telephone number, credit card or bank information, usernames, passwords, dates of birth, etc.,” the plaintiffs alleged.
They added that TikTok's browser also allegedly tracks information at health sites people visit, such as Planned Parenthood.
The complaint relied on research by security researcher Felix Krause, who reported in August 2022 that TikTok's in-app browser contains JavaScript code that is capable of logging keystrokes on outside websites -- including sites where people enter passwords or financial information.
A TikTok spokesperson reportedly said at the time that TikTok didn't track users through the in-app browser, and that the JavaScript code flagged by Krause is only used for “debugging, troubleshooting and performance monitoring.”
TikTok urged Pallmeyer to dismiss the complaint for several reasons, including that Krause reported only that TikTok could collect keystroke data -- not that the company actually recorded or transmitted the data.
Pallmeyer rejected that argument for now, writing that Krause's report “does not definitively absolve TikTok of liability.”
“Krause only stated that he had no way of verifying, one way or the other, whether TikTok retains or uses this data -- a question that plaintiffs now seek to answer through discovery,” Pallmeyer wrote.
TikTok also argued that the matter should be dismissed on the grounds that the plaintiffs' allegations were too thin to support the conclusion that the company gathered “sensitive” or “confidential” information.
“Plaintiffs’ claims rest on barebones, identical assertions,” TikTok argued in a dismissal motion filed earlier this year.
“They allege to be TikTok app users who clicked on links in the app that led them to visit websites using its in-app browser. They each then jump to the conclusion that defendants thereby purportedly collected their personal, contact, credit card, or banking information,” the company wrote.
Pallmeyer also rejected that argument for now, saying the allegations, if true, suggest that TikTok users often make purchases on outside sites visited through the in-app browser.
For instance, she wrote, the complaint noted that TikTok itself says one out of two Gen Z users “are likely to buy something” while using the app.
“This makes it easier to believe the named plaintiffs’ assertions that they each entered their personal identifying information (such as their name and billing address) and financial data (such as their credit card numbers and banking details) while using the in-app browser,” Pallmeyer wrote.
She added that she could come to a different decision in the future.
“If it ultimately emerges that one or more of the named plaintiffs was never actually injured by the in-app browser -- such as if they never actually entered their name, credit-card number, or other private information to buy any products -- their claims will be promptly dismissed,” she wrote.
Meta Platforms was hit with a similar lawsuit in 2022. U.S. District Court Judge Aracelia Martínez-Olguín dismissed that case last year, ruling from the bench that the users' allegations were too general because they didn't spell out what sites they visited through Meta's in-app browser, or what type of data Meta might have obtained.
Martínez-Olguín's dismissal order allowed the plaintiffs to beef up their allegations against Meta and bring them again, but they withdrew the suit instead.