TikTok: Italian SA warns against 'personalised' ads based on legitimate interest

15 July 2022

Background information

  • Date of final decision: 7 July 2022
  • Cross-border case or national case: National case
  • Controller: TikTok Technology Ltd.
  • Legal Reference: Access to and storage of information on users’ terminal equipment (Article 5(3) of directive 2002/58/EC; Section 122 of Italy’s legislative decree No 196/2003); controller’s legitimate interest (Article 6(1)(f) GDPR)
  • Decision: Issuance of warning to controller that intended processing is likely to infringe national legislation transposing directive 2002/58/EC and Article 6(1)(f) GDPR;  
  • Key words: Personalised advertising; legal basis; legitimate interest; confidentiality of communications; user’s consent; warning to controller; Article 58(2)(a) GDPR; Section 154(1)(f) of Italian personal data protection law.                     

 

Summary of the Decision

 
Origin of the case:

Over the past weeks, Tik Tok had modified its privacy policy to inform users that people aged above 18 would receive ‘personalised’ ads – i.e., based on profiling users’ behaviour during their visits to TikTok – starting from the 13th of July. In the platform’s view, processing of personal data would be based no longer on consent, but on the ‘legitimate interests’ vested in Tik Tok and partners. The Italian SA started a fact-finding exercise regarding the changed privacy policy and requested information from the social network.

 
Key Findings:

Following the information made available by the company, the Italian SA concluded that the change in legal basis was incompatible with Article 5(3) of EU directive 2002/58 as well as with Section 122 of the Italian personal data protection law which transposed that directive. Both legal instruments set out explicitly that the data subjects’ consent is the only legal basis for ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’. The Italian SA was also concerned by the protection of child users registered with the platform since the difficulties encountered by TikTok in implementing adequate age verification measures to access the platform entailed the risk that ‘personalised’ ads including unsuitable contents would be served to children aged below 14 years based on the company’s legitimate interest.

 
Decision:

The Italian SA issued a formal ‘warning’ to TikTok under Article 58(2)a GDPR and Section 154(1)(f) of Italy’s data protection law that processing data on the basis of its ‘legitimate interest’ would be in conflict with the current regulatory framework (Article 5(3) of directive 2002/58/EC and national law transposing it), at least with regard to the information stored in users’ devices,  and would carry all the consequences envisaged in the applicable legislation on the protection of personal data including the imposition of fines. The Italian SA reserved its right to take additional measures, including urgent measures, if this proved necessary.

 

For further information: decision in national language

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.