Ruling on a Motion to Dismiss, the N.D. of Illinois (Judge Georgia N. Alexakis) addressed ByteDance’s argument that plaintiffs consented to its privacy policy:
whether plaintiffs waived their rights to bring suit based on their alleged consent to CapCut’s Privacy Policy is an affirmative defense that cannot be resolved via this Rule 12(b)(6) motion. See Fed. R. Civ. P. 8(c)(1) (listing waiver as an affirmative defense); Brownmark Films, LLC v. Comedy Partners, 682 F.3d 687, 690 (7th Cir. 2012) (“[C]ourts should usually refrain from granting Rule 12(b)(6) motions on affirmative defenses.”). Dismissing a claim based on an affirmative defense is only appropriate if “the allegations of the complaint itself set forth everything necessary to satisfy the affirmative defense.” United States v. Lewis, 411 F.3d 838, 842 (7th Cir. 2005). Here, several outstanding questions prevent a determination, as a matter of law, that the attached CapCut Privacy Policies “conclusively establish consent.” In re Google Assistant Priv. Litig., 457 F. Supp. 3d 797, 823 (N.D. Cal. 2020).
None of the materials conclusively establish at this stage of the proceedings when and how plaintiffs agreed to these terms in the CapCut Privacy Policies. Defendants assert that “[u]sers expressly or impliedly consent to the policy upon downloading and using the app,” [31] at 4, but plaintiffs allege that “[d]efendants do not provide such users actual notice of privacy policies or terms of use” and that “[u]sers were able to access the CapCut platform without having to scroll through and read such policies before they were allowed to sign up for the services.” [22] ¶ 130. Although defendants attach to their motion an undated screenshot purporting to show that all users must click “Agree and continue” to CapCut’s Terms of Service and Privacy Policy, see [31-9] Ex. 8 at 1, this evidence is insufficient to establish that the named plaintiffs here in fact agreed to any terms during the period relevant to this suit. This is especially true where the complaint alleges (and the Court must accept as true) that each named plaintiff never read any privacy policy or terms of use. [22] ¶¶ 10, 13, 16–19.
In addition, plaintiffs assert—and defendants do not dispute—that the attached policies are “only three of the ten (or more) versions of the policy that existed over time.” [36] at 9. The Court thus has no way of knowing whether the named plaintiffs agreed to the attached policies or another version that might contain material differences—a distinct possibility given the differences in the policies defendants have attached. Although the two later policies state that defendants collect a user’s location data, the earlier policy does not. Compare see [31-5] Ex. 4 at 4 and [31-6] Ex. 5 at 4, with [31-4] Ex. 3 at 14–16; see also Patterson v. Respondus, Inc., 593 F. Supp. 3d 783, 805 (N.D. Ill. 2022) (declining to conclude as a matter of law that written policies on defendant’s webpage governed plaintiffs’ claims because the case “may involve factual questions about what [defendant’s] policies looked like at different moments in time”).
Given these factual issues (and others that may exist), at this stage, CapCut’s Privacy Policies do not preclude plaintiffs’ claims as a matter of law. See Cottle v. Plaid Inc., 536 F. Supp. 3d 461, 478 (N.D. Cal. 2021) (“The sufficiency of Plaid’s privacy policy is a key disputed issue in this case. Resolution of that issue is inappropriate at this stage.”); In re Meta Pixel Tax Filing Cases, 724 F. Supp. 3d 987, 1003 (N.D. Cal. 2024) (“[W]hether plaintiffs consented to having their data collected is a question of fact … [that] the Court cannot determine at the 12(b)(6) stage.”).
The Court went on to dismiss the VPPA claim and found that CapCut (ByteDance’s video editing app):
is not “engaged in the business” of renting, selling, or even delivering audio visual materials. Rather, CapCut provides users with a service. It is a video-editing application, which, as plaintiffs allege, “allows users to create, edit and customize videos” using “various templates, filters, visual effects, and music.” [22] ¶ 1. As defendants put it: “Users provide their videos to CapCut, not the other way around.” [31] at 11.
…
the relevant question is the definition of “video tape service provider” in § 2710(a)(4), not the definition of PII in § 2710(a)(3), and the former definition limits “video tape service provider” to those who deliver “prerecorded video cassette tapes or similar audio visual materials,” not “services.” Id. § 2710(a)(4) (emphasis added).
Addressing the CIPA (Section 631) claim, the court found that plaintiffs’ conclusory allegations that CapCut “intercepted” communications was insufficient:
based on plaintiffs’ allegations, it is not clear whether any communications were intercepted while in transit as opposed to merely shared with third parties after the fact. Although the Seventh Circuit has declined to decide whether the interception must be contemporaneous with transmission, see Epstein v. Epstein, 843 F.3d 1147, 1149–51 (7th Cir. 2016); United States v. Szymuszkiewicz, 622 F.3d 701, 705–06 (7th Cir. 2010), “[e]very court of appeals to consider the issue” has reached this conclusion. See Peters v. Mundelein Consol. High Sch. Dist. No. 120, No. 21 C 0336, 2022 WL 393572, at *11 (N.D. Ill. Feb. 9, 2022) (citing Boudreau v. Lussier, 901 F.3d 65, 77 (1st Cir. 2018)). True, plaintiffs assert in their complaint that defendants “intercept” plaintiffs’ communications, see id. ¶¶ 184, 186–91, 270, but these allegations are purely conclusory. Without additional support, and even viewing this allegation in the light most favorable to plaintiffs, the Court cannot reasonably infer that the communications were intercepted in real-time. This is especially true where the complaint otherwise alleges only that the [Chinese Communist Party (“CCP”)] “is able to access international and US data,” id. ¶ 76 (emphasis added), and that ByteDance was “monitored by a special committee of [CCP] members,” id. ¶ 77.
Evaluating the common law invasion of privacy claims, the Court found that amongst the various theories, plaintiffs alleged enough to survive the motion to dismiss. For example:
With the consent issue aside, the Court considers whether plaintiffs have stated a claim as to the collection of each type of private data defendants allegedly collected: videos and images; user identifiers, registration information, and sign-up information; location information; and biometric information. To the extent defendants argue that “common sense” dispels plaintiffs’ reasonable expectation of privacy in the collection of their data, the Court views this contention as part and parcel with whether plaintiffs’ expectation of privacy was objectively “reasonable” and considers it as part of the discussion that follows.
Beginning with the collection of videos and images, defendants contend that “there must be something sensitive about those videos [and images] that creates a reasonable expectation of privacy in them.” [31] at 20. Because the California plaintiffs do not allege their photos and videos were “sensitive or private in any way,” defendants say they cannot serve as the basis of a privacy claim. Id. at 21. However, the right to privacy does not depend solely on the sensitivity of the particular content collected but also considers whether “the manner it was collected … violate[d] social norms.” Facebook Tracking, 956 F.3d at 603 (emphasis added). In Facebook Tracking, for example, plaintiffs alleged that Facebook collected full-string detailed URLs from websites that plaintiffs visited even after they had logged out of the Facebook application. Id. at 603, 605. In concluding that plaintiffs had adequately alleged an expectation of privacy, the appeals court did not evaluate the specific content of the URLs that Facebook collected but instead focused on the fact that users would not expect Facebook to collect information about their habits on third-party websites when they were not operating within Facebook itself. Id. at 603–04…[Plaintiffs] allege that CapCut accesses and collects all the videos and photos stored on their devices, not just those they voluntarily uploaded to the CapCut app. See [22] ¶ 11 (alleging that, with regard to plaintiff Rodriguez, “the CapCut app gained access to all of the photos and videos on her device”); id. ¶ 120 (alleging that defendants “took plaintiffs’ … private videos and audio-visual material from their devices”). Taking these allegations as true, plaintiffs have sufficiently alleged a reasonable expectation of privacy in this data.
…
As for the user/device identifiers, registration information, and sign-up information, courts have held that there is no reasonable expectation of privacy in these types of data. [citations omitted.]
As a threshold issue, plaintiffs must allege economic injury to move forward on a UCL claim. Plaintiffs asserted four theories:
- the diminution in the value of their data, (2) that their devices have “been impaired and slowed,” (3) that they incurred data and electricity costs, and (4) that they were harmed by the invasion of their privacy. [22] ¶ 254. None of these four theories suffices to establish that plaintiffs “lost money or property as a result of” defendants’ data privacy practices.
Evelia Rodriguez, Erikka Wilson, A.N., a minor, Aiden Gundlach, J.V., a minor, Zachary Buckus, & Raymon Marines, individually & on behalf of all others similarly situated, Plaintiffs, v. ByteDance, Beijing Douyin Info. Serv. Co. Ltd., ByteDance Ltd., ByteDance Pte. Ltd., Beijing ByteDance Tech. Co. Ltd., & TikTok, Defendants., No. 23 CV 4953, 2025 WL 672951, at *1 (N.D. Ill. Mar. 3, 2025).
