On July 7, 2022, the Italian Data Protection Authority (Garante per la protezione dei dati personali—“Garante”) issued a formal warning to TikTok Italy S.r.l. and TikTok Technology Limited (collectively, “TikTok”) concerning the fact that its intention to process users’ personal data to deliver targeted advertising based on TikTok’s legitimate interest was likely to breach the Italian Data Protection Code provisions implementing the EU ePrivacy Directive on cookie usage.
After being made aware of this, the Garante sent TikTok a request for information and learned the following:
- Relying on legitimate interest, at least for profiling based on information collected automatically, conflicts with Article 5 ePrivacy Directive and Article 122 Italian Data Protection Code. These provisions state that cookies other than technical cookies (such as profiling cookies) may be used only if users gave their consent.
- TikTok did not provide details as to the legitimate interest pursued, so it was impossible for the Garante to assess whether the balancing test assessment was carried out in compliance with the criteria provided by the Court of Justice of the EU; in any case, the Garante criticized TikTok’s choice to move from a legal basis (consent) to a different basis (legitimate interest) without a substantial change in processing.
- Additionally, according to the Garante, processing was likely to include particular categories of personal data, but this circumstance was not taken into consideration by TikTok (which did not specify whether one of the conditions listed under Article 9(2) GDPR applied). Similarly, the Garante put forward the hypothesis that the processing at hand would likely entail automated decision-making falling under Article 22 GDPR.
- Finally, the protection of minor users remained a concern, considering the risk related to children’s exposure to inappropriate ads (and in light of TikTok’s failure to adopt adequate age verification measures, as highlighted in previous decisions).