TikTok has announced that it will change its advertising settings in mid-July: Users of legal age will no longer be able to object to personalized advertising and the associated tracking from then on. Whether such a regulation is legally permissible is unclear.
The change in advertising options applies to the European Economic Area, Switzerland and the United Kingdom. TikTok invokes its legitimate interests to justify the change. In fact, a corresponding clause is included in the GDPR. It states that data processing is permissible if it is “necessary for the purposes of safeguarding the legitimate interests of the controller or a third party”. However, this authorization is restricted at the same time: for example, it only applies “unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data override”. Specifically, this means that TikTok’s legitimate interest in processing the data would have to outweigh the data subject’s interest in not processing it.
However, this is doubted by data protection authorities. The data protection commissioner for Baden-Württemberg, for example, points out on its website that the interest of the data subject prevails when personalized ads are played out. A spokesperson for the data protection commissioner of Lower Saxony has also issued an assessment relating to TikTok – but without examining the service more closely: “In the opinion of the German data protection supervisory authorities, the playout of personalized advertising cannot be based on a legitimate interest. It was not clear what TikTok’s legitimate interest was. Moreover, should the service actually want to rely on legitimate interests, it would not only have to justify them, but also indicate “which conflicting interests of the users have been taken into account in the necessary balancing of interests.” The fact that TikTok only wants to track activities within TikTok for those users who have not explicitly agreed to personalized advertising so far does not change this.
In this context, the way the company behind TikTok has handled sensitive data so far also seems particularly interesting and problematic: In the U.S., for example, biometric data of users was collected and analyzed. Other sensitive data, the collection of which was not permitted, was also collected and sometimes even sold. Due to violations of several U.S. federal laws as well as laws of the state of California, the TikTok company Bytedance was charged and ultimately agreed to a settlement that required it to pay $92 million.
Right to object
According to the GDPR, data subjects whose data is or will be processed must have the opportunity to object to such processing. Consequently, TikTok is also required to provide such an opportunity to object. However, submitting an objection is anything but simple: At the very bottom of the information page on the new advertising settings, there is a link to a page that explains the user’s own data protection rights. There, in turn, is a sub-item explaining how to object to the processing of one’s own personal data. At the same time, there is a link to a form. However, this form is only available in English and does not correspond to the one named in the instructions. In addition, there is no longer any mention of an objection, but only of general information on data protection and the personal data processed.
Complaint can be filed
One way to get TikTok to comply with the law is to file a complaint with the competent body in your own state. The state data protection commissioner or commissioners will receive such complaints and forward them to the European Data Protection Board. The competent Irish authority – TikTok is based in Ireland – is also informed. Such action is also taken in the case of suspected violations of data protection regulations by other large corporations. Most recently, for example, Meta was fined after coordinated action by several EU states.