To ensure compliance with the terms of the General Data Protection Regulation (GDPR) and the ePrivacy Directive, most companies in the EU that make use of personalized ads first obtain user consent to such tracking. That has been TikTok’s practice as well, but an announced change to its privacy policy that would have opted users in by default appears to have been paused due to a warning from the Italian data protection authority (DPA).
TikTok made the privacy policy announcement last month, and had scheduled the switch for July 13. The video sharing platform claimed a “legitimate interests” exception under the terms of the GDPR, but privacy experts were quick to question the move. In addition to potentially not holding up to GDPR requirements the new privacy policy may well have run afoul of the ePrivacy Directive and the United Kingdom’s Privacy and Electronic Communications Regulations (PECR), which do not have a comparable “legitimate interests” standard.
TikTok new privacy policy proposed to eliminate user tracking consent
TikTok believes that it can stop obtaining user consent for delivery of personalized ads under the “legitimate interests” basis of the GDPR, which mostly allows for collection of sensitive data without consent for the purposes of necessary business protection (things like network security, employee monitoring and debt collection). However, the legitimate interests basis does have a provision for direct marketing, which is the angle TikTok appears to be taking.
This interpretation is legally problematic, to say the least. The GDPR restricts the use of direct marketing under this standard in a number of ways. One is if the marketing conflicts with the terms of other applicable laws, such as the ePrivacy Directive. Another is if the marketing uses personal profiling, which is not generally viewed as “necessary” to business function (as other less invasive ad types, such as contextual, are available).
There is some room for interpretation, however, and TikTok appeared to be willing to test the waters with its new privacy policy until the Italian DPA stepped in last week to issue a warning. The DPA issued a letter to TikTok indicating that it was “immediately” undergoing a fact-finding exercise to determine if dropping consent for personalized ads was legally acceptable within the EU regulatory framework, primarily under the terms of the ePrivacy Directive (which has a specific focus on user tracking technologies). It also warned that it may take direct action under the GDPR Article 66 urgency procedures, which would allow the country to skip the usual logjam created by referring tech cases to the Ireland DPA, citing a special concern about how the privacy policy change could impact minors using the platform (given that age is not strictly verified).
Though the Irish DPA has developed a reputation for being tech-friendly, the sudden change in privacy policy plans appears to have stemmed from involvement from that particular agency. TikTok was publicly defending its right to personalized ads without consent just a day before the announcement of the pause, which came after the Irish DPC indicated it had “engagement” with the company.
TikTok faces “balancing test” in bid to force personalized ads on users
In terms of passing GDPR muster, TikTok will be subject to a “balancing test” that weighs its claims of business necessity for personalized ads against the rights and freedoms of individuals using its service. Even if it were to somehow evade difficulties under the ePrivacy Directive, it would have a very difficult time passing this test.
As Chris Olson, CEO of The Media Trust, observes: “As an app that is continually accused of collecting cross-site advertising data from underaged users, TikTok has been a matter of concern to legislators around the world – moreover its ties to a foreign government have also made it an issue of national security for many countries … Today, most organizations with websites and mobile apps are in violation of GDPR, whether by collecting user data without proper disclosure, or by sharing it with unmonitored third parties.”
Prior cases against the adtech industry, some of which remain underway at present, generally indicate that the new privacy policy is ultimately not going to work for regulators. At least one DPA, the Autoriteit Persoonsgegevens of the Netherlands, has already expressed that a commercial advertising interest cannot ever be used as a GDPR-compliant legitimate interest.
The Italian DPA has asked TikTok to provide certain information before it renders a final decision on the matter: how the data feeding the personalized ads algorithm is collected, and what information from outside sources might be included in this process.
In the meantime, TikTok has two related cases pending in the EU. Both are being handled by the Irish DPC, which has been conducting ongoing investigations since September of last year. One involves the processing of the data of users under the age of 18, and the other involves transfer of personal data to China. TikTok also recently agreed to a set of new commitments to protect the privacy of underage users: adding the ability to report ads that appear to be attempting to manipulate children, prohibiting the promotion of certain services (such as alcohol and “get rich quick” schemes), and a new review process for users that have more than 10,000 followers among the new measures awaiting implementation.