Woman pointing finger on smartphone showing privacy complaint for user tracking

Pinterest Privacy Complaint Targets Platform for Familiar User Tracking Issues

Just days after the Irish Data Protection Commission (DPC) ruled against LinkedIn in a similar user tracking case, Pinterest has been hit by a privacy complaint from Max Schrems and his activist group noyb. The complaint is very similar in that it focuses on Pinterest’s “on by default” consent mechanism that requires users to proactively plumb through menu settings to change.

The noyb privacy complaint also notes that Pinterest does not provide required information about personal data that it processes, something required by General Data Protection Regulation (GDPR) rules. Prior rulings in this area in very similar ad tracking cases, both by data protection authorities and the Court of Justice of the European Union (CJEU), point to Pinterest likely facing a substantial fine at some point.

Pinterest privacy complaint follows similar decisions against other social media platforms

The noyb privacy complaint notes that Pinterest has invoked the “legitimate interest” exception to user consent for ad tracking, one of a small handful of such exceptions provided for by the GDPR. The problem for the company is that Meta has already tried this tack and failed, as has LinkedIn now with the recent Irish DPC decision.

Pinterest has over 130 million users across the EU, and the service is monetized in no small part by personalized ads. The GDPR requires these services to obtain affirmative user consent, but Pinterest opts users in to data collection for ad tracking by default and requires them to go through a menu to opt out.

In addition to the recent LinkedIn ruling out of Ireland, in 2023 the Court of Justice of the European Union (CJEU) found that Meta’s attempts to invoke “legitimate interest” as a consent alternative was in violation of the GDPR. That set a firm standard that the exception could not be used in situations involving personalized ad tracking.

The privacy complaint also flags Pinterest for transparency violations under Article 15 of the GDPR. It notes that the complainant filed a data access request, which the GDPR provides for as a data subject right, and received a limited copy of her collected data that did not include details about third party recipients. Two subsequent requests did not rectify the situation.

Apps running out of options for consent-free user tracking in EU

Meta has been at the forefront of regulatory action over ad tracking since the GDPR went into force in 2018, and data authorities now seem to be be using precedents established in its cases to catch up with other apps and platforms. After Meta failed to make any of its claims to GDPR exceptions legally stick, it turned to the “pay or OK” model; either pay a monthly subscription fee for no advertising, or implicitly consent to whatever ad tracking the company wants to do.

There hasn’t yet been any word of Pinterest considering a similar “premium” subscription scheme. It (and similar companies) may be hanging back and watching Meta go first into the trenches once again, as its version of the scheme is facing both privacy complaints and antitrust actions that remain unresolved at present. European authorities have signaled some support for the idea so long as it retains a GDPR-compliant free version of the service as an alternative and keeps its prices reasonable, but it remains to be seen how the public will receive the idea if it is picked up by more major services than just those belonging to Meta.

The noyb privacy complaint is in its early stages, but the aftermath of the similar LinkedIn case may demonstrate what to expect. LinkedIn was fined €310 million and given a deadline to get its ad tracking programs into compliance; noyb has additionally requested that Pinterest be ordered to delete all of its collected personal data. Resolution may well be quicker in the Pinterest case, however, with the initial LinkedIn complaint filed in 2018. While the Irish DPC certainly took its time resolving the LinkedIn case, the fine amount it eventually handed down has become the sixth-largest of all time among GDPR actions and was just behind the TikTok penalty for privacy violations involving minors.

Pinterest has issued a statement maintaining that its ad tracking practices are GDPR compliant. It remains unclear which DPA will end up handling its case. noyb filed their privacy complaint in France, but it may well be handed off to the Irish DPC due to Pinterest’s physical location. However, noyb thinks it may be able to keep the case in France (which has shown quicker GDPR action and a greater appetite for fines) by naming Pinterest’s United States headquarters as a joint data processor. That could allow France to act directly under its own data privacy law.

 

Senior Correspondent at CPO Magazine