Why the Privacy Guarantor scrambles TikTok on advertisements by Chiara Rossi

The Italian Privacy Guarantor warns TikTok of the alleged violation of EU privacy rules. Stop "personalized" advertising. Inadequate legal basis and risks that it will also reach minors Altolà of the Privacy Guarantor to "personalized" advertising on TikTok. The Privacy Guarantor with an emergency measure adopted on July 7 warned TikTok that it is illegal to use personal data stored on users' devices to profile them and send them personalized advertising in the absence of explicit consent. In recent weeks - explains a note from the body - the social network had informed its users that, starting from July 13, people over 18 years of age would be reached by "personalized" advertising, based on the profiling of behaviors held when browsing on TikTok. In fact, TikTok had not requested consent for the use of data stored in their devices. Rather, it had modified its privacy policy by providing as a legal basis for the processing of data no longer the consent of the interested parties, but not better specified "legitimate interests" of TikTok and its partners. According to the Privacy Guarantor, with the modification of the policy there is a risk that advertising will also reach minors. TikTok itself has experienced rapid growth around the world particularly among teenagers. All the details. THE INVESTIGATIONS OF THE PRIVACY GUARANTOR ON TIKTOK

The video-sharing platform caught the attention of privacy experts last month when it quietly revealed the aforementioned upcoming change to its privacy policy for users in the European Economic Area, the United Kingdom, and Switzerland. Tiktok would have applied it from July 13. The Guarantor had immediately started an investigation on the change and asked the social network for information. On the basis of the elements provided by the Company, the Authority concluded that this change in the legal basis is incompatible with the European Directive 2002/58, the so-called "ePrivacy" Directive, and with art. 122 of the Code regarding the protection of personal data (which implements it). THE "MINOR" FACTOR After that, the authority chaired by Pasquale Stanzione highlighted an aspect that concerns the protection of minors registered on the platform. The current difficulties shown by TikTok in ascertaining the minimum age for access to the platform – noted the Authority – do not allow to exclude the risk that "personalized" advertising based on legitimate interest reaches the very young, with inappropriate content. And in this regard it is recalled that TikTok has already had to face problems regarding the age of its users. Already in 2020 the Privacy Guarantor had "warned" the company about its inadequate age controls on the platform. Then the authority had ordered TikTok to block users whose age it could not verify. Starting from February 9, 2021 TikTok should have blocked all Italian users and asked to indicate the date of birth again before continuing to use the app, implementing the requests of the authority. A few months later the platform deleted over half a million accounts in Italy of which it could not confirm that they did not belong to minors, recalls TechCrunch. THE WARNING TO THE SOCIAL Returning to today's case, the Italian Authority, using one of the powers provided for by the EU Regulation, has sent a formal "warning" to the Company. With the warning, the Privacy Guarantor has warned TikTok that a processing carried out on the legal basis of the "legitimate interest", at least in relation to the information stored on users' devices, would be outside the regulatory framework in force, with the obvious consequences, even of a sanctioning nature. SANCTIONS The ePrivacy Directive empowers member states' relevant agencies to issue "effective, proportionate and dissuasive" penalties (which, in some recent cases, has led to some notable fines for tech giants such as Facebook and Google of more than €60 million). Unlike the GDPR, which provides for penalties of up to 4% of the total global turnover in the previous year. THE VIOLATION OF THE "EPRIVACY" DIRECTIVE The violation of the "ePrivacy" directive - explains the note - has allowed the Guarantor to intervene directly and urgently against TikTok, outside the cooperation procedure provided for by the Gdpr. The latter would have seen the exercise of the initiative by the Irish Data Protection Authority, the country where TikTok has established its main establishment. In any case, since even the processing of information other than that stored on users' devices on the basis of legitimate interest appears incompatible with the European regulation on the protection of personal data – in this case the one dictated by the Gdpr – the Guarantor has simultaneously informed the European Committee of Personal Data Protection Authorities and the Irish Authority, so that they evaluate the further initiatives to be undertaken. Finally, the Authority has reserved the right to adopt any measures, even urgent, if TikTok does not withdraw from its purpose.