The Italian data protection authority (DPA) said TikTok’s new policy of denying users the ability to opt out of personalized advertising is a breach of the GDPR, considering it collects user data without consent. Furthermore, the DPA expressed concern about the negative impact the policy could have on “unsuitable” advertising to children, considering TikTok’s history of failing to properly monitor underage users registering as adults.
TikTok and Personalized Ads
Last month, TikTok announced changes to its privacy policy in the EU region. These changes were specifically aimed at its personalized ad settings, and the video-sharing app said it would no longer give users (age 18 and above) the opportunity to opt out of personalized ads. To do so, TikTok said it would change its legal basis for processing personal data. Under the GDPR, any entity which seeks to process EU citizens’ data must have an acceptable legal basis to do so. The GDPR also stipulates what these legal bases can be. Prior to the announcement, TikTok relied on users’ consent to process personal data. However, it decided to change its legal basis to “legitimate interest.” In simple terms, TikTok claims that it has a legitimate interest in collecting personal data from and providing personalized ads to its user base, and said that doing so allows it to offer users a more personal experience. Furthermore, it allows TikTok to continue to offer its services for free.
Italian Data Watchdog Issues Formal Warning
Not long after TikTok announced its decision, the Italian DPA started to dig deeper to determine its validity. The DPA has since concluded that TikTok’s change of legal basis does not comply with an EU-wide privacy directive or Italy’s personal data law. The privacy directive, titled EU directive 2002/58, only allows entities to store and access information from user devices with their express consent. “Following the information made available by the company, the Italian SA drew the conclusion that the change in legal basis was incompatible with EU directive 2002/58, i.e., the so-called ePrivacy directive, as well as with Section 122 of the Italian personal data protection law (the ‘Code’) which transposed that directive,” the DPA’s statement reads. “Both legal instruments set out explicitly that the data subjects’ consent is the only legal basis for ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user,’” it added.
Concerns About Impact on Children
Furthermore, the DPA said it was concerned about child users on TikTok. It pointed to the fact that TikTok was facing difficulties in ensuring children comply with age requirements. This leaves open the possibility of children being targeted with personalized ads which have “unsuitable content.” Last year, TikTok faced several complaints over child safety and data protection. In April, it was hit with a lawsuit in the UK over its data collection practices. Authorities in the EU and the US have also pulled up the company because of fears over their vague privacy policies, as well as the impact the platform has on young minds. “At TikTok, we strive to build a personalized experience for our community, and at the same time we are committed to respecting the privacy of our users, being transparent about our privacy practices, and operating in compliance with all relevant regulations,” a TikTok spokesperson said in a statement to several media outlets following the DPA’s announcement. “While our evaluation of the Italian Data Protection Agency’s recent notice is still ongoing, we cannot comment further.” If you’re looking to take a deep dive into TikTok, user privacy, and whether or not it’s safe for underage users, make sure check out our full TikTok safety guide.