
CHICAGO - A federal judge has dismissed most of a class action lawsuit alleging TikTok’s parent company improperly scraped private data from the CapCut video editing software, as the judge said concerns over national security from the popular Chinese app don’t necessarily give plaintiffs grounds to sue for privacy law violations under federal law.
However, the judge said portions of the litigation can still proceed under Illinois' stringent biometric privacy law, which requires less burden of proof to advance potentially costly legal claims.
U.S. District Judge Georgia Alexakis, of the Northern District of Illinois, issued an opinion Aug. 28 on ByteDance’s motion to dismiss the second amended complaint from several TikTok users, which sought to recover damages under the Computer Fraud and Abuse Act and other laws.
The lawsuit was filed in 2023 by attorneys with the law firm of Hagens Berman Sobol Shapiro, of Seattle and Chicago; and the Aurelius Law Group, of Chicago. The lawsuit accused TikTok’s corporate parent companies of using CapCut to harvest sensitive data from users, including email addresses, biometric identifiers and other private information, and of profiting from that collection while sharing the information with the Communist Chinese government.
Defendants Beijing Douyin Information Service and Beijing ByteDance Technology and others have sought to dismiss the action, asserting the plaintiffs haven’t sufficiently shown how they were harmed to continue their legal claims under the CFAA, in particular.
Before addressing the dismissal motion, Alexakis considered the issue of how the China-based defendants could be notified of their status as defendants. She agreed with the corporations that the plaintiffs didn’t offer a compelling reason as to why it took two years to ask for permission to send such information via email.
“It was not reasonable for plaintiffs to rely on the hope of successful negotiations for two years in lieu of asking the court for relief at the beginning of this case (or at least after a reasonable amount of time when it would have been clear to plaintiffs that waiver of service was not forthcoming and settlement discussions would not bear fruit),” Alexakis wrote. “Plaintiffs do not blame their delay on the extra time it takes to serve defendants in China — in fact, as far as the court can tell, plaintiffs have not attempted to serve these defendants via the Chinese central authority.”
Regarding the larger dismissal motion, Alexakis said the amended complaint still doesn’t do enough to show how plaintiffs suffered adequate losses to sustain a CFAA claim. She rejected their theories invoking subscription fees for users who paid to access additional CapCut services and the impact on battery usage of “unnecessary electricity costs,” while also saying concerns about national security are misplaced.
“Plaintiffs cite no authority holding that national security concerns stemming from the Chinese government’s access to personal data — even assuming those concerns are as well-founded as plaintiffs contend — are actionable under the CFAA,” Alexakis wrote.
She likewise agreed to dismiss claims under the Computer Data Access and Fraud Act, again calling the battery and subscription theories “speculative and unsupported.” She noted the unjust profit allegation doesn’t show a link between user data and corporate profits and said the claim contains only “vague assertions about loss of memory and bandwidth” instead of “any cognizable impact on their specific devices.”
The amended complaint further failed to improve on the allegations under the Electronic Communications Privacy Act and the California Invasion of Privacy Act because those laws require a showing of intercepted communications and not just access to data. The CIPA claim also required plaintiffs to allege use of an electronic device for amplification or recording of eavesdropping.
“Although the predicate facts alleged describe how an interception could occur, plaintiffs do not credibly allege that defendants in fact intercepted their communications,” Alexakis wrote. “The complaint does not allege, for example, how the interception occurred, whose communications were intercepted or what was contained in those communications.”
Another theory requiring “too many inferential leaps” is the alleged violation of the Stored Communications Act, which the plaintiffs said was newly relevant under the Protecting Americans from Foreign Adversary Controlled Applications Act that Congress passed in April 2024. Alexakis said the amended complaint doesn’t claim that China-based ByteDance employees, who may have ties to the country’s communist party, are required to disclose the TikTok and CapCut user data they can access to the government or party.
“Even if plaintiffs had sufficiently alleged that CCP-affiliated ByteDance employees disclose data to the Chinese government and CCP, plaintiffs do not sufficiently allege that these employees disclose user communications as opposed to the other types of data CapCut collects about its users,” Alexakis wrote. “The SCA claim therefore suffers a similar flaw as the ECPA and CIPA claims: although plaintiffs allege communications that in theory could be disclosed to third parties, they do not plausibly allege that defendants in fact engaged in any unlawful disclosures.”
Alexakis also said the complaint falls short under California’s Unfair Competition and False Advertising laws as well as restitution and unjust enrichment claims. However, she reversed her earlier dismissal of a claim under the Illinois Biometric Information Privacy Act since the amended complaint included allegations of “eight different industry standards of care” the corporate defendants “violated with respect to their biometric data.”
The users said the companies never obtained their informed consent before collecting any biometric information, didn’t pledge to collect only data necessary for a specific purpose, had no measures for the transmission and secure storage of protected data, didn’t have regular security audits, failed to establish data retention policies or meet transparency and accountability standards and didn’t “adhere to relevant regulations and laws for the protection of users’ biometric data.”
Although the defendants said the allegations can’t overlap with BIPA requirements imposed elsewhere, Alexakis said they provided no basis for that argument. She gave the defendants until Sept. 26 to answer the surviving BIPA claims and requested a joint status report on discovery proceedings by Oct. 10.
Plaintiffs are represented by attorneys Steve W. Berman and Jeannie Evans, of the Hagens Berman firm; and Douglas G. Smith, of the Aurelius Law Group.