The Italian supervisory authority issues a formal warning after TikTok makes changes to its privacy policy and fails to get data subjects’ consent.
TikTok has recently made changes to its privacy policy stating that users aged above 18 would receive ‘personalised’ ads. From July 13th, users over 18 would receive ads based on profiling of their behavior while using the app. This processing of personal data would be based on ‘legitimate interests’ vested in TikTok and its partners, rather than user consent. According to a report by the EDPB, the Authority requested information from TikTok in order to clarify the facts of the situation and found there to be various violations. This has resulted in the Italian SA issuing a formal warning to the social network.
The Authority concluded that TikTok violated personal data protection law as data subjects’ consent is required for the changes made to its privacy policy.
Upon discovering that changes were made to the social network’s privacy policy, the Italian SA immediately launched an investigation into the modification and requested information from TikTok. Based on the information provided to the Italian SA, the Authority concluded that the change in TikTok’s legal basis conflicted with Article 5(3) of EU Directive 2002/58 and Section 122 of the Italian personal data protection law (which transposed that directive), both of which explicitly indicate that data subjects’ consent is required. According to both of these legal instruments, for ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’, consent is the only legal basis.
Garante, the Italian SA, has also expressed concern over the possible effect this change may have on minors.
The Italian SA has also expressed concern for the protection of child users on the platform. The Authority recalls difficulties encountered by TikTok regarding the implementation of sufficient age verification. This has presented risks of exposure not just to personalised ads, but also to inappropriate content. According to a report from Garante, this is of particular concern because TikTok’s difficulty thus far in “ascertaining the minimum age for access to the platform” does not allow them to exclude the risk of exposing even the very young to personalised ads, as well as to inappropriate content.
Garante has issued a formal warning to the company and has notified the EDPB and the Irish DPC of this violation.
Garante has issued a formal ‘warning’ to the company under Article 58(2)(a) GDPR and Section 154(1)(f) of Italy’s data protection law. The formal warning states that processing data on the basis of its ‘legitimate interest’ would be in conflict with the current regulatory framework, and that this may result in fines, as the Authority reserves the right to take additional measures, including urgent measures, if necessary. While TikTok is based in Ireland, the situation allowed the Italian Authority to step in directly and urgently address the matter due to the violation of the ePrivacy Directive. Garante has also informed the EDPB and the Irish Data Protection Commission (DPC) of this decision so that they may consider further action as, according to the Authority, relying on the controller’s legitimate interest to process this data is not in line with the GDPR.