TikTok postpones a controversial privacy policy change following European regulatory pushback.
TikTok has agreed to postpone a controversial privacy policy update in Europe that would have enabled the platform to stop asking users for consent to be tracked for targeted advertising. The Irish Data Protection Commission (DPC), the lead privacy regulator that oversees TikTok for the European Union’s General Data Protection Regulation (GDPR), says the “pause” follows engagement between TikTok and the oversight office.
“Further to engagement with the DPC yesterday, TikTok has now agreed to pause the application of the changes to allow for the DPC to carry out its analysis,” a spokesperson for the DPC told TechCrunch.
“While we engage on the questions from stakeholders about our proposed personalized advertising changes in Europe, we are pausing the introduction of that part of our privacy policy update,” says a company statement from TikTok. “We believe that personalized advertising provides the best in-app experience for our community and brings us in line with industry practices, and we look forward to engaging with stakeholders and addressing their concerns.”
The DPC’s concern follows a formal warning issued to TikTok from Italy’s data protection watchdog that the company’s proposed switch would breach the ePrivacy Directive and potentially the GDPR. TikTok claims it could process user data to run “personalized” ads without obtaining consent under a legal ground known as “legitimate interest.” Privacy experts question the appropriateness of using legitimate interest as grounds to run behavioral advertising, but TikTok continues to defend its plan.
Regarding the formal warning from the Italian DPA, a TikTok spokesperson says the company is evaluating the notice while also claiming to be “committed to respecting the privacy of our users, being transparent about our privacy practices, and operating in compliance with all relevant regulations.”
For legitimate interest to be considered a valid legal foundation on which to process personal data under European law, a data processor must first conduct a series of tests. Those tests assess whether it has a legitimate cause for the processing and that the processing is necessary for the stated purpose. A third test also considers the rights and freedoms of the individuals whose information is involved.
While the UK’s data protection watchdog, the ICO, offers some cautionary guidelines for the first two tests, the third will likely be TikTok’s biggest hurdle. The third test requires the company to justify any impact on individuals, which includes the users’ ability to exercise their data protection rights per the ICO guidelines.
Notably, the Dutch DPA takes the stance that legitimate interest cannot be used as a legal basis for commercial interests, period. Should the Irish DPC take a similar view, TikTok would be hard-pressed to have its cake and eat it too.