TikTok’s new policy of targeting advertising without consent must be stopped
In February last year, Euroconsumers’ members Test Achats/Test Aankoop, Altroconsumo and OCU filed a complaint with their national authorities about unfair terms, hidden advertising, and misleading data collection practices on TikTok. This was part of a coordinated action by BEUC towards the EC’s Consumer Protection Network (known as a “CPC alert”).
TikTok makes changes to its data processing
On June 8, TikTok announced an important change of policy on targeted advertising. From July 13 2022, for all adult users residing in one of the countries of the European Economic Area, in the UK and in Switzerland, the legal basis for the processing of personal data aimed at promoting personalized advertisements will no longer be represented by the consent of the interested party but by the legitimate interest of the data controller.
This is a significant choice, and one which Data Protection Authorities will no doubt look at in detail. Here, we reflect both on general compatibility with the EU GDPR and, more pragmatically, on the actual methods adopted for the practical exercise of rights by users.
Let’s proceed with the key questions in order, but first a reminder of the key terms and concepts involved:
Question 1: Is it possible for social media companies to refer to legitimate interest instead of consent for data processing?
My first question is whether it is possible to refer to Article 6, letter (f) (legitimate interest) of the GDPR instead of letter (a) (consent of the interested party) for this type of processing. Theoretically, yes, but with some caution.
The EDPB Guidelines 8/2020, version 2.0, adopted on April 13, 2021, distinguish three types of data in social media targeting activity: the data provided, those observed and those inferred (including the possible combinations of all three types).
Question 2: Which of the three categories of data does the TikTok policy change refer to?
Here the first problem arises, because the communication received through the app by the users of the platform appears contradictory. On the one hand it is said that “starting from July 13 we will rely on our legitimate interests instead of your consent to show you personalized ads based on your data on TikTok”, so it would seem to refer only to the data provided by the interested party. Immediately after, however, it says “From that day you could start receiving personalized advertisements based on your activity on TikTok, for example keywords you have searched for, videos you have watched and accounts you follow”, so it is evident that the observed data are also included.
This information is not exactly clear, and considering that we know regular users tend to scan such information quickly in a superficial way, it could be said to be a deliberate attempt to deceive or distract: the first lines will be read, ignoring the subsequent ones.
So a user could reasonably assume that legitimate interest, instead of consent, represents the legal basis for the categories of provided data and observed data (but not for the third category of inferred or derived data).
Question 3: Is this change compatible with the GDPR?
Let’s start from the case of data provided by the user.
With respect to the latter, the European Data Protection Board (EDPB) guidelines generally identify two possible legal bases: the consent of the interested party or legitimate interests, leaving to the data controller the most appropriate choice in the specific circumstances.
However, as clarified by the Court of Justice of the European Union in the Fashion ID judgment, in order for processing to be based on legitimate interest, three cumulative conditions must be met: purpose, necessity and balance (i.e. is the legitimate interest overridden by the individual’s interests, rights or freedoms?).
Regarding “necessity” under the second condition, the EDPB guidelines have clearly highlighted how the assessment must be particularly careful “to ensure that the processing of data based on legitimate interests does not involve an unduly broad interpretation of the need to process data… this means that it is necessary to assess whether there are other, less invasive means of achieving the same objective”.
The reference to the legitimate interest of the data controller is also not sufficient in the absence of a comparative test aimed at determining whether it prevails over the interests or fundamental rights and freedoms of the data subject.
Are all the conditions for legitimate interest met?
However, in the information provided to users there is no explanation as to why the change in force since 13 July 2022 is necessary for the platform and, at the same time, why the user’s consent is a method that is not proportionate to the objective pursued.
Moreover, if such a need really existed, the consequence on the logical level would be disruptive: in essence, TikTok would affirm that personalized advertising is the only way through which it can provide the service, while keeping it free. This would highlight in the clearest terms what economic value the user data have and how the provision of the service represents the counter-performance with respect to the monitoring of the behavior of the users themselves on the platform.
Without prejudice to the above, there is a further critical profile: even where the path of legitimate interest is viable, the EDPB guidelines recall that, “in this case, the duties of transparency and the right to object require careful consideration. Data subjects should have the possibility to object to the processing of their data for specific purposes before the processing is initiated. Users should not only have the possibility to object to the display of targeted advertising when accessing the platform, but also have controls in place to ensure that the underlying processing of their personal data for the purpose of targeting no longer takes place following their objection.”
Question 4: Are consumers able to control their data and exercise the right to object?
In the present case, the exercise of the right to object appears cumbersome and far from intuitive. Following the link provided in the communication, the user is redirected to a procedure where their complaint can be rejected for not objecting to the right thing. In essence, it is not clear what you have to prove to be successful.
In this regard, the EDPB considers that “legitimate interest cannot constitute an appropriate legal basis, given that targeting is based on monitoring the behavior of natural persons through websites and locations using tracking technologies”.
It can be concluded by saying that TikTok, melius re perpensa, would do well to review its decision or, at least, to rethink how it is implemented.