Tik Tok Ads: the Garante warns against ‘personalized’ ads based on legitimate interest. The legal basis is inadequate, and there is the risk that the ads also target children.
Background
Through an urgent decision adopted on 7 July, the Garante warned the platform that the personal data stored in users’ devices may not be used to profile those users and send personalized ads without their explicit consent.
Tik Tok has previously told users that those above the age of 18 would begin receiving ‘personalized’ adverts, i.e., ads based on profiling users’ behavior on TikTok, from July 13. In addition, TikTok and its partners have changed their privacy policies, indicating that the processing of personal data will no longer be based on consent but on loosely defined ‘legitimate interests.’
The Garante quickly began an ‘investigation’ into the revised privacy policy and requested information from the social network.
The ruling on TikTok Ads
With the data provided by TikTok, the Garante came to the conclusion that the change in legal basis was incompatible with EU directive 2002/58, as well as with the Italian personal data protection law (the “Code”). Both legal documents categorically state that the consent of the data subjects is the only legal basis for “storing information or gaining access to information already stored in the terminal equipment of a subscriber or user.”
Aside from the insufficient legal basis, the Garante was especially concerned about protecting registered underage users on the platform. According to the Garante, TikTok’s current challenges in establishing compliance with the platform’s age limitations do not rule out the possibility that ‘personalized’ advertising with inappropriate content may be shown to younger users based on the company’s legitimate interest.
The Garante used the powers granted to it by the GDPR to send TikTok a formal ‘warning’‘ that processing data based on its ‘legitimate interest’ would be in conflict with the current regulatory framework, at least with regard to the information stored in users’ devices, and would entail all the relevant consequences, including corrective measures and fines.
The discovery of an ePrivacy directive violation allowed the Garante to intervene directly and urgently in relation to TikTok, bypassing the GPDR’s cooperation procedure, which would have required the Irish Data Protection Commission to lead the proceeding – TikTok’s main EU establishment is in Ireland.
In any case, relying on the controller’s legitimate interest to process information that is not retained on users’ devices does not appear to be in accordance with the GDPR. As a result, Garante notified the European Data Protection Board and the Irish Data Protection Commission of its decision, allowing them to take additional action.
TikTok’s Response
As a result, TikTok has ‘paused’ its privacy policy update in Europe following the regulatory scrutiny from the Garante.
The update in Europe was set to go live today (July 13), which would have meant the platform stopped asking users for permission to be monitored in order to get targeted advertising, according to TechCrunch.
TikTok – A spokesperson from the social media platform sent this statement to TechCrunch:
While we engage on the questions from stakeholders about our proposed personalized advertising changes in Europe, we are pausing the introduction of that part of our privacy policy update. We believe that personalized advertising provides the best in-app experience for our community and brings us in line with industry practices, and we look forward to engaging with stakeholders and addressing their concerns.
We will keep following this story and update as the case evolves.
