TikTok recently announced that it was “pausing” planned changes to its privacy policy that would allow the popular video sharing platform to show targeted ads to users in Europe without first asking for their consent. Privacy activists had been aghast at these changes because they believe consent to be the cornerstone of Europe’s data protection laws and are openly hostile to targeted ads. But TikTok appears to be operating firmly within the bounds of the General Data Protection Regulation (GDPR) in its plans. Moreover, it is essential that authorities affirm the legitimacy of TikTok’s interpretation of the GDPR or risk invalidating a key legal mechanism used by many businesses to process data under the EU’s already restrictive data protection laws.
A bit of background is necessary to understand the TikTok debate. Article 6 of the GDPR states that organizations must have a lawful basis for processing personal data. There are six (consent, performance of a contract, legitimate interest, vital interest, legal requirement, and public interest), but the most well-known of these is consent. When relying on consent, data subjects must provide “freely given, specific, informed, and unambiguous” consent. Moreover, the ePrivacy Directive (aka the “cookie law”) requires that users provide affirmative consent before cookies are stored on their device. Since most targeted ads on websites involve the use of cookies stored in web browsers, the combined requirements of the ePrivacy Directive and the GDPR have made affirmative consent almost ubiquitous for targeted online ads.
So back to the debate: TikTok was planning to switch from using “consent” as its legal basis for processing data for personalized ads to using “legitimate interest.” Importantly, the company was only going to make this switch for personalized ads that use data about users’ activity on TikTok. For personalized ads that use data about users from outside of TikTok (such as other websites they visit or apps they use) the company would still rely on consent. For users who had already provided affirmative consent to the company processing their data for personalized ads, there would be no effective change. But users who had not provided this consent would start receiving personalized ads based on any new activity they have on TikTok after the policy went into effect. Users would not be able to opt out of these personalized ads.
Despite the outcry by some privacy activists, it is quite reasonable for a company to invoke “legitimate interest” as a basis for this type of personalized advertising. Businesses can use the legitimate interest provisions of the GDPR when the processing is of clear benefit for them (e.g., commercial benefits) or others, the data processing is necessary to achieve that benefit, and there’s a limited privacy impact on the individual. The GDPR even clearly states that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” The UK’s Information Commissioner’s Office further clarifies that “as long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest.”
In the case of TikTok, the company has a clear commercial interest in showing personalized ads to its users based on their interests because personalized ads will earn them greater revenue and be more likely to keep their users engaged. TikTok shares ad revenue with its top content creators, so greater ad revenue will boost pay for content creators and incentivize them to invest in more and better content for users. Moreover, there is a limited privacy impact for users because TikTok is already collecting data about what types of videos users watch on its platform to recommend new videos for each user’s feed. TikTok makes clear that the platform’s algorithm recommends videos to users based on what they have watched or interacted with (the content feed is appropriately titled the “For You” page).
Before the announced delay, the privacy activist group Access Now accused the company of not only violating the law by using legitimate interest but also failing to respect human rights and demanded the European Data Protection Board (EDPB) prevent TikTok from implementing its proposed changes. In addition to arguing that TikTok should not be allowed to use legitimate interest as a lawful basis for delivering targeted ads, one of its other main arguments is that because TikTok previously used consent as its basis for lawful processing it cannot now switch to legitimate interest. In many cases, swapping between one lawful basis and another would not be appropriate because it undermines the transparency expectations of the GDPR. For example, it would be inappropriate if TikTok planned to use data collected from before its proposed policy change to deliver personalized ads—data collected while relying on consent—because users had been told that they had the choice on whether to allow this use. But in this case, TikTok is describing using legitimate interest for new data (i.e., data collected after a certain date) collected for a new purpose (i.e., delivering personalized ads across the platform based on in-app behavior for all users).
The impact of denying TikTok’s proposed change would be significant. First, it would create significant legal risk for any business using legitimate interest as a lawful basis for processing data in the EU. If businesses cannot use the legitimate interest provision of the GDPR in good faith, they will be significantly constrained in how they process data, negatively impacting beneficial uses of data and ultimately raising costs for consumers. Second, if European regulators prohibit companies from using legitimate interest as a lawful basis for processing data as their business models evolve, it will significantly impair the ability of many businesses (including European SMEs) to scale in the European market. For example, European startups may be stuck with unworkable consent-based privacy policies designed before their services have matured that unnecessarily constrain their growth and opportunities. Privacy activists like to describe consent as the cornerstone of privacy, but if they are not careful it will become an epitaph on the tombstone of innovation.
European data protection authorities will face significant pressure from privacy activists to oppose TikTok’s planned policy change because of the continued opposition to targeted ads even though the company appears to be operating squarely within the (very narrow) rules of the GDPR. Rather than capitulate to these demands, they should follow the law and avoid reinterpreting the GDPR to make it even harder for businesses to use data in Europe.
Image credit: Solen Feyissa (Unsplash)