Noyb Complaint Alleges Pinterest Personalized Advertising Violates GDPR

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

EUROPE

Noyb Complaint Alleges Pinterest Personalized Advertising Violates GDPR

Advocacy group noyb filed a complaint in France, alleging that Pinterest violated the GDPR by (a) processing user personal data for personalized advertising based on legitimate interest and not on consent; and (b) providing, in response to user requests, a general list of third parties to whom personal information may have been shared, rather than an individually tailored list of actual recipients of user data.

TAKEAWAY

The concept of legitimate interest as a legal basis has fluctuated in its interpretation across jurisdictions and over the years since GDPR came into effect, due in large part to its somewhat subjective nature. Most recently (on October 9, 2024), the European Data Protection Board (in response to a request from the Danish DPA) issued guidelines currently open for public consultation detailing the criteria necessary to rely on legitimate interest. One example in such guidelines relates specifically to the assessment of a user’s reasonable expectations (as one of multiple factors in a legitimate interest assessment) in the context of personalized advertising by an online social network, specifying, “despite the fact that the services of the online social network are free of charge, the user of that network cannot reasonably expect that the operator of the social network will process that user’s personal data, without his or her consent, for the purposes of personalised advertising.”

However, the EDPB also pointed out that the ultimate determination of legitimate interest is based on a balancing test (taking into account the legitimate interests being pursued, the relevant interests, rights and freedoms of the data subject, the impact of the processing, and the reasonable expectations of the data subject) that remains a case-by-case evaluation.

To comply with the GDPR, a reliable consent management platform is required to collect and manage consumer preferences. Sourcepoint’s Dialogue CMP serves geo targeted integrated privacy notices, and authenticates consent preferences across properties and devices.

LinkedIn IE Fined €310M for Targeted Advertising without Valid Consent

The Irish Data Protection Commission (DPC) announced in a press release its decision to issue a €310 million fine, a reprimand and an order to bring LinkedIn Ireland into compliance, based on an assessment that (a) the consent obtained by LinkedIn for processing third party data for behavioral analysis and targeted advertising was not freely given, sufficiently informed or specific, or unambiguous; (b) LinkedIn could not rely on legitimate interest for processing first party personal data for behavioral analysis and targeted advertising, or third party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects; and (c) LinkedIn did not validly rely on contractual necessity to process first party data for behavioral analysis and targeted advertising. The DPC also held that LinkedIn Ireland violated GDPR principles of fairness and transparency. According to the press release, the full decision will be published “in due course.”

TAKEAWAY

While the determination of what legal basis can be relied upon for data processing is a case-by-case assessment, and the full factual analysis by the Irish DPC in this case has not yet been made publicly available, this case seems to be drawing some lines in certain instances, but not others, between first party and third party data processing; or at least the DPC seems to make a point to carefully articulate whether each allegation applies to first-party or third-party data in the context of each processing purpose. It will be interesting to see, when the full decision is published, whether and to what extent factual and legal factors contribute to that distinction and how that may impact others’ treatment of first-party vs. third-party data processing.

Learn more about how to examine and monitor your digital properties, websites and apps for 3rd parties with this Sourcepoint on-demand webinar.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.