TikTok Pauses Privacy Policy Update in Europe After Facing Scrutiny from Regulators

Colin Thierry

Popular video-sharing platform TikTok agreed on Tuesday to postpone a controversial privacy policy update. This update would have allowed the platform to show targeted ads based on users’ activity on TikTok without their permission.

According to reports by TechCrunch, this reversal came one day after Italy’s data protection authority, the Garante per la Protezione dei Dati Personali (GDPR), warned TikTok against the update. The GDPR also noted that this privacy policy switch by the video-sharing platform would have violated data protection laws.

“The personal data stored in users’ devices may not be used to profile those users and send personalized ads without their explicit consent,” the GDPR said on Tuesday.

The regulator’s warning came in response to a privacy policy revision noting that TikTok had historically asked for users’ “consent” to use their on-TikTok and off-TikTok activity to show personalized ads. Under the revision, the video-sharing platform planned to stop asking users for their permission to profile their behavior and process their personal data.

“From July 13, 2022, TikTok will rely on its ‘legitimate interests’ as its legal basis to use on-TikTok activity to personalize the ads of users who are 18 or over,” TikTok said in a notice announcing the proposed changes.

The update to its privacy policy would have covered users who live in the European Economic Area (EEA), the U.K., and Switzerland.

The GDPR added that TikTok’s proposed policy update is incompatible with the Italian personal data protection law, along with the EU ePrivacy Directive. This directive regulates cookie usage, email marketing, data minimization, and other aspects of data privacy by mandating user consent before processing this information.

“Both legal instruments set out explicitly that the data subjects’ consent is the only legal basis for ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user,’” said the regulator.

The GDPR also pointed out that “processing data on the basis of its ‘legitimate interest’ would be in conflict with the current regulatory framework, at least with regard to the information stored in users’ devices, and would entail all the relevant consequences also in terms of corrective measures and fines.”

About the Author


Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.