TikTok’s new policy of targeting advertising without consent must be stopped
In February last year, Euroconsumers’ members Test Achats/Test Aankoop, Altroconsumo and OCU filed a complaint with their national authorities about unfair terms, hidden advertising, and misleading data collection practices on TikTok. This was part of a coordinated action by BEUC towards the EC’s Consumer Protection Network (known as a “CPC alert”).
TikTok makes changes to its data processing
On June 8, TikTok announced an important change of policy on targeted advertising. From July 13, 2022, for all adult users residing in one of the countries of the European Economic Area, in the UK and in Switzerland, the legal basis for processing personal data in order to serve personalized advertisements will no longer be the consent of the interested party but the legitimate interest of the data controller.
This is a significant choice, and one which Data Protection Authorities will no doubt look at in detail. Here, we reflect both on its general compatibility with the EU GDPR and, more pragmatically, on the actual methods adopted for the practical exercise of rights by users.
Let's proceed with the key questions in order, but first a reminder of the key terms and concepts involved:
Legitimate interests is one of the legal bases on which data can be processed. It is a broad term, but there must be a clear and reasonable purpose for the processing.
Consent is another of the legal bases, meaning that a person has given their consent for their data to be processed in a particular way by the controller.
Data subject is the person to whom the personal data relates, usually a user or consumer.
Data controller is the organization in charge of the purposes and means of personal data processing, in this case, TikTok.
Targeter is, in this case, the advertiser who targets users with its adverts on the basis of their personal data.
Question 1: Is it possible for social media companies to refer to Legitimate interest instead of consent for data processing?
My first question is whether it is possible to refer to Article 6, letter (f) of the GDPR (legitimate interest) instead of letter (a) (consent of the interested party) for this type of processing. Theoretically, yes, but with some cautions.
The EDPB Guidelines 8/2020, version 2.0, adopted on April 13, 2021, distinguish three types of data in social media targeting activity: the data provided, the data observed and the data inferred (including the possible combinations of these three types).
The provided data are those actively made available to the social media provider and/or targeter by the interested party. For example, the age that the user puts on their profile.
The observed data are those provided by the interested party by virtue of the use of the platform (for example the contents that the user has shared, looked at, or engaged with through ‘likes’ or similar buttons).
Finally, the inferred data or derived data are those created by the data controller based on the data provided by the data subject or observed by the data controller. So, a social media provider or a targeter could deduce that a person is likely to be interested in a certain activity or product on the basis of their internet browsing behavior and/or their network connections.
Question 2: Which of the three categories of data does the TikTok policy change refer to?
Here the first problem arises, because the communication received through the app by the users of the platform appears contradictory. On the one hand it is said that "starting from July 13 we will rely on our legitimate interests instead of your consent to show you personalized ads based on your data on TikTok", so it would seem to refer only to the data provided by the interested party. Immediately after, however, it says "From that day you could start receiving personalized advertisements based on your activity on TikTok, for example keywords you have searched for, videos you have watched and accounts you follow", so it is evident that the observed data are also included.
This information is not exactly clear, and considering that we know regular users tend to scan such information quickly in a superficial way, it could be said to be a deliberate attempt to deceive or distract: the first lines will be read, ignoring the subsequent ones.
So a user could reasonably assume that legitimate interest, instead of consent, represents the legal basis for the categories of provided data and observed data (but not for the third category of inferred or derived data).
Question 3: Is this change compatible with the GDPR?
Let's start from the case of data provided by the user.
With respect to the latter, the European Data Protection Board (EDPB) guidelines generally identify two possible legal bases: the consent of the interested party or legitimate interests, leaving the data controller to choose the most appropriate one in the specific circumstances.
However, as clarified by the Court of Justice of the European Union in the Fashion ID judgment, for processing to be based on legitimate interest, three cumulative conditions must be met – purpose, necessity and balance (i.e. is the legitimate interest overridden by the individual’s interests, rights or freedoms?):
the pursuit of the legitimate interest of the data controller or of the third party or parties to whom the data are communicated;
the need for the processing of personal data for the pursuit of legitimate interest; and
the condition that the fundamental rights and freedoms of the data subject do not prevail.
Regarding "necessity" under the second condition, the EDPB guidelines have clearly highlighted how the assessment must be particularly careful "to ensure that the processing of data based on legitimate interests does not involve an unduly broad interpretation of the need to process data... this means that it is necessary to assess whether there are other, less invasive means of achieving the same objective".
The reference to the legitimate interest of the data controller is also not sufficient in the absence of a comparative test aimed at determining whether it prevails over the interests or fundamental rights and freedoms of the data subject.
Are all the conditions for legitimate interest met?
However, in the information provided to users there is no explanation as to why the change in force since 13 July 2022 is necessary for the platform and, at the same time, why the user's consent is a method that is not proportionate to the objective pursued.
Moreover, if such a need really existed, the consequence on the logical level would be disruptive: in essence, TikTok would affirm that personalized advertising is the only way through which it can provide the service, while keeping it free. This would highlight in the clearest terms what economic value the user data have and how the provision of the service represents the counter-performance with respect to the monitoring of the behavior of the users themselves on the platform.
Without prejudice to the above, there is a further critical profile: even where the path of legitimate interest is viable, the EDPB guidelines recall that, "in this case, the duties of transparency and the right to object require careful consideration. Data subjects should have the possibility to object to the processing of their data for specific purposes before the processing is initiated. Users should not only have the possibility to object to the display of targeted advertising when accessing the platform, but also have controls in place to ensure that the underlying processing of their personal data for the purpose of targeting no longer takes place following their objection."
Question 4: Are consumers able to control their data and exercise the right to object?
In the present case, the exercise of the right to object appears cumbersome and far from intuitive. Following the link provided in the communication, the user is redirected to a procedure where their complaint can be rejected for not objecting to the right thing. In essence, it is not clear what you have to prove to be successful.
In this regard, the EDPB considers that "legitimate interest cannot constitute an appropriate legal basis, given that targeting is based on monitoring the behavior of natural persons through websites and locations using tracking technologies".
It can be concluded by saying that TikTok, melius re perpensa, would do well to review its decision or, at least, to rethink how it is implemented.