Last June, TikTok publicly announced that it would soon begin sending, to its users over 18 years of age, advertising based on behavioral profiling while browsing on the platform, without requesting consent from the data subjects, using the legal basis of the legitimate interest of the owner (i.e., Dublin-based TikTok Technology Limited itself).

In the measure adopted as a matter of urgency on July 7, the Privacy Guarantor had warned TikTok that such processing activity would be unlawful, not under the GDPR (European Privacy Regulation), but contrary to Article 5(3) of the e-privacy Directive (Directive on privacy and electronic communications) and Article 122 of the (Italian) Privacy Code. In fact, according to the Garante, the storage of information, or access to information already stored, in the terminal equipment of a subscriber or user expressly requires as a legal basis the exclusive consent of the same.

In the notice, the Privacy Guarantor, in light of the inability of TikTok (and other social networks) to identify those of legal age, had highlighted the risk that advertising could also reach minors.

The violation of the ePrivacy Directive allowed the Garante to take direct and urgent action against TikTok, outside of the international cooperation procedure under the GDPR. At the same time, however, the Authority had informed the Data Protection Commission of Ireland (the Irish Privacy Authority), the country where TikTok has its main establishment, and the European Data Protection Board.

TikTok currently indicates in its privacy policy (viewed on September 13) that personalized advertisements based on user activity on and off the platform will be shown with user consent (https://bit.ly/3xkqC5e).

TikTok, responsibly, has therefore deferred personalized advertising based on legitimate interest.