Popular video editing app CapCut accused of exploiting user data and violating child privacy

Three leading Danish child welfare and consumer organisations have filed a formal complaint against the video editing app CapCut with the national data protection authority, alleging the app’s terms allow excessive data collection and fail to protect young users.

The complaint, submitted by Save the Children Denmark, Children’s Welfare Denmark, and the consumer watchdog Forbrugerrådet Tænk, claims CapCut’s privacy policies are “incomprehensible” and grant the company sweeping rights to use uploaded content—including training AI models or sharing data for marketing—without proper consent. The organisations warn that the app, owned by ByteDance (which also operates TikTok), poses risks such as potential misuse of children’s images or voices by bad actors.

“It’s impossible for children to understand what they’re agreeing to,” said Sørine Vesth Rasmussen, a tech policy advisor at Children’s Welfare Denmark. She noted the app’s popularity among young TikTok users but criticised its terms, which permit CapCut to repurpose user content for purposes like AI training or data sales. “A child could unknowingly allow their photos or voice to be reconstructed and misused,” she added.

Consumer legal expert Peter Grønlund Holm of Forbrugerrådet Tænk highlighted concerns that CapCut’s AI could regenerate real images from training data, creating risks of exploitation. “We haven’t tested this, but we know it’s technically possible,” he said, pointing to scenarios where scammers could replicate a child’s voice to solicit money. The complaint also argues that CapCut’s 13+ age restriction is easily bypassed, leaving younger children exposed.

CapCut, which topped Denmark’s App Store charts in the “Photo and Video” category Thursday evening, directs users to its website, stating it complies with data protection laws and employs encryption and security audits. However, Amalie Bang, a children’s rights lawyer at Save the Children Denmark, dismissed these assurances: “Even as a specialist in digital children’s rights, I can’t trace where the vast amounts of data they claim to collect actually end up.”

The organisations’ complaint outlines four key violations: – Lack of transparency in how personal data is processed. – Excessive data collection beyond necessary functions. – No legitimate basis for using personal data to train AI models. – Invalid consent mechanisms, with no simple way to withdraw permission.

With the case expected to be referred to Ireland’s Data Protection Commission (ByteDance’s EU regulatory hub), the groups urge authorities to investigate whether CapCut’s practices breach GDPR protections for children. “This raises so many red flags that we need an expert assessment of whether laws are being broken,” Bang said.