Back in June 2021, TikTok sneakily changed its US privacy policy to introduce a new section—allowing the company to “automatically collect biometric data, including certain physical and behavioral characteristics from video content posted by its users.” This includes things like “faceprints and voiceprints,” the policy continued. The disclosure has only been added to the US privacy policy, as other markets like the EU have stricter data protection and privacy laws.

When reached for comment by many publications, TikTok could not confirm the product developments which necessitated the addition of biometric data to its list of disclosures about the information it automatically collects from users, but said it would ask for consent in case such data collection practices began. Here’s where a slight loophole comes in. Although the app said it would seek “required permissions” to collect “faceprints and voiceprints” where required by law, it failed to elaborate on whether it’s considering federal law, states laws or both—only a handful of US states have biometric privacy laws, including Illinois, Washington, California, Texas and New York.

Furthermore, considering the fact that TikTok’s privacy policy, which lists the types of data the app gathers from users, was already fairly extensive, it comes as no surprise that this new announcement worried the US government.

In a letter sent 9 August addressed to TikTok’s CEO Shou Zi Chew, US senators Amy Klobuchar and John Thune say they are “alarmed” by the recent change to TikTok’s privacy policy. In it, both Klobuchar and Thune asked the app to explicitly explain what constitutes a “faceprint” and “voiceprint,” as well as to explain how this data will be used and how long it will be retained.

The senators also quizzed TikTok on whether any data is gathered for users under the age of 18 or whether it makes any inferences about its users based on the biometric data it collects. They also asked the platform to provide a list of all third parties that have access to the data.

“The coronavirus pandemic led to an increase in online activity, which has magnified the need to protect consumers’ privacy,” the letter reads. “This is especially true for children and teenagers, who comprise more than 32% of TikTok’s active users and have relied on online applications such as TikTok for entertainment and for interaction with their friends and loved ones.”

TikTok has been given until 25 August to respond to the lawmakers’ questions.

As most of you may have noticed, this isn’t the first time TikTok’s excessive data collection plans have come under scrutiny. Earlier this year, the company paid out $92 million to settle a class-action lawsuit claiming it unlawfully collected users’ biometric data and shared it with third parties. Some argue that TikTok’s legal team may have wanted to quickly cover itself from future lawsuits by adding a clause that permits the app to collect personal biometric data.

This came after the Federal Trade Commission (FTC) in 2019 slapped TikTok with a $5.7 million fine for violating the Children’s Online Privacy Protection Act (COPPA), which requires apps to receive parental permission before collecting a minor’s data.

This new controversy comes at a time when TikTok has been working to regain the trust of some US users. Under the Trump administration, the federal government attempted to ban TikTok from operating in the country entirely, calling the app a national security threat because of its ownership by a Chinese company. TikTok fought back against the ban and went on record to state it only stores US-based user data in its US data centres and in Singapore.

The platform also said that it has never shared user data with the Chinese government nor censored content, despite being owned by Beijing-based ByteDance. And it said it would never do so, if asked. Meanwhile, although Biden has signed an executive order to restrict US investment in Chinese firms linked to surveillance, his administration’s position on TikTok remains unclear.

The new section was part of a broader update to TikTok’s privacy policy, which included other changes ranging from corrections of earlier typos to revamped or even entirely new sections. Most of these tweaks and changes could be easily explained, though—like new sections that clearly referenced TikTok’s e-commerce ambitions or adjustments aimed at addressing the implications of Apple’s App Tracking Transparency (ATT) on targeted advertising.