TikTok and its parent company, China’s ByteDance, have agreed to a settlement resolving a federal class-action lawsuit claiming the short-form video app wrongfully collected users’ biometric data and shared it with third parties.

Under the terms of the settlement, TikTok will pay $92 million toward a fund for users who claim their personally identifiable information was improperly used by the app. The agreement also requires that TikTok establish a new privacy-compliance training program and take other steps to protect its users’ privacy going forward.

If the settlement is approved by the court, affected TikTok users will receive information about how to receive a share of the funds. The multidistrict litigation consolidated 21 cases filed against TikTok, its predecessor Musical.ly, and its affiliates.

TikTok has denied any privacy violations. “While we disagree with the assertions, rather than go through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community,” a TikTok spokesperson said in a statement.

The class-action lawsuit contended that the app collected and disclosed personal data in violation of the Illinois Biometric Information Privacy Act (BIPA), the federal Video Privacy Protection Act, and other consumer and privacy protection laws. According to the suit, among other things TikTok failed to notify users that the app’s filters and effects use facial scans — and that such biometric data was stored and used without their consent for various purposes, including for serving targeted ads.

TikTok “unjustly profit[ed] from the secret harvesting of this massive array of private and personally identifiable TikTok user data and content by using it for targeted advertising” and other purposes, according to the plaintiffs’ complaint (available at this link).

The lawsuit also alleged that the TikTok app “clandestinely vacuumed up and transferred to servers in China (and to other servers accessible from within China) vast quantities of private and personally identifiable user data and content that could be employed to identify, profile, and track the physical and digital location and activities of United States users now and in the future.”

TikTok has repeatedly denied that it shares any user data with Chinese authorities, a concern that led former President Trump to threaten to ban TikTok in the U.S. unless it sold the app to American buyers. The Biden administration has put that order on hold amid a broader cybersecurity review.

Currently, Illinois is the only U.S. state with a law that lets consumers seek monetary damages if their biometric information is wrongfully taken. As such, the settlement proposes that each Illinois class member receive an additional five shares of the $92 million settlement fund compared with class members in other states.

The settlement was presented for approval Thursday to U.S. District Court Judge John Z. Lee of the Northern District of Illinois by the three attorneys appointed to lead the case in September 2020: Beth Fegan of FeganScott, Katrina Carroll of Carlson Lynch, and Ekwan Rhow of Bird, Marella, Boxer, Wolpert, Nessim, Drooks, Lincenberg & Rhow.