Thanks to Alessandra Ruggiero for collaborating on this article

On July 7, 2022, the Italian Data Protection Authority (Garante per la protezione dei dati personali—“Garante”) issued a formal warning to TikTok Italy S.r.l. and TikTok Technology Limited (collectively, “TikTok”) concerning the fact that its intention to process users’ personal data to deliver targeted advertising based on TikTok’s legitimate interest was likely to breach the Italian Data Protection Code[1] provisions implementing the EU ePrivacy Directive[2] on cookie usage.

In June 2022, Tik Tok modified its privacy policy to inform users that, effective July 13, 2022, it would start showing users above age 18 ads personalized on the basis of their behavior on the app based on the legitimate interests vested in Tik Tok and its partners instead of users’ consent.

After being made aware of this, the Garante sent TikTok a request for information and learned the following:

  • Relying on legitimate interest, at least for profiling based on information collected automatically, conflicts with Article 5 ePrivacy Directive and Article 122 Italian Data Protection Code. These provisions state that cookies other than technical cookies (such as profiling cookies) may be used only if users gave their consent.
  • TikTok did not provide details as to the legitimate interest pursued, so it was impossible for the Garante to assess whether the balancing test assessment was carried out in compliance with the criteria provided by the Court of Justice of the EU; in any case, the Garante criticized TikTok’s choice to move from a legal basis (consent) to a different basis (legitimate interest) without a substantial change in processing.
  • Additionally, according to the Garante, processing was likely to include particular categories of personal data, but this circumstance was not taken into consideration by TikTok (which did not specify whether one of the conditions listed under Article 9(2) GDPR applied). Similarly, the Garante put forward the hypothesis that the processing at hand would likely entail automated decision-making falling under Article 22 GDPR.
  • Finally, the protection of minor users remained a concern, considering the risk related to children’s exposure to inappropriate ads (and in light of TikTok’s failure to adopt adequate age verification measures, as highlighted in previous decisions).

In light of the above, the Garante sent a formal warning to the platform under articles 58(2)a GDPR and 154(1)(f) Italian Data Protection Code. The Garante also reserved its right to take additional steps, including urgent ones, if the platform failed to comply with its instructions.

In its warning, the Garante expressly acknowledged that the lead supervisory authority for TikTok is the Irish Data Protection Authority, since the company has its main establishment in Ireland. Nonetheless, the Garante stated that any enforcement of the rules implementing the ePrivacy Directive (such as those regarding cookies) is not subject to the one-stop-shop mechanism, and it reserved the right to take any further action necessary to ensure compliance of the data collected automatically by TikTok.

In any case, the Garante formally notified the Irish Data Protection Authority and the European Data Protection Board of its initiative, while reserving the right to take urgent measures under Article 66 GDPR if this proved necessary.

In response to the Garante’s formal warning, TikTok agreed to suspend reliance on legitimate interest and keep obtaining users’ consent to display targeted advertisements to users aged above 18. However, the Garante showed that it was willing to enter into a dialogue with TikTok for the purpose of striking a balance between the data protection rights of individuals and TikTok’s freedom to conduct business.

[1] Legislative Decree No. 196/2003.

[2] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.