TikTok Pauses Legitimate Interest for Targeted Ads After Warning from DPAs

Julie Rubash, Chief Privacy Counsel
July 18, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


TikTok Pauses Legitimate Interest for Targeted Ads After Warning from DPAs

TikTok has reportedly agreed to pause planned updates to its privacy policy that would have claimed legitimate interest for targeted advertising without consent.

Italy’s DPA, the Garante, issued a warning to TikTok that the change would violate the ePrivacy Directive and GDPR, and the Irish Data Protection Commission has reportedly engaged with TikTok regarding the change.


Legitimate interest is one legal basis for processing under the GDPR, which can only be relied upon where:

(a) the processing is necessary for legitimate interests pursued by the controller or by a third party; and
(b) such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In determining whether legitimate interest can apply, controllers are expected to carry out a careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.

The GDPR also grants data subjects the right not to be subject to certain decisions based on automated processing, including profiling, without the data subject’s consent, unless necessary for performing a contract or unless authorized by Member State law.

In addition to GDPR, in jurisdictions where the ePrivacy Directive has been adopted, organizations may be unable to rely on legitimate interest as a legal basis for the use of non-strictly-necessary cookies or other local storage, even if legitimate interest would have been an acceptable legal basis under GDPR.

According to the Garante’s warning, TikTok’s administration of personalized commercial advertising, at least to the extent based on information stored on the user’s device, cannot legally be based on legitimate interest under the ePrivacy Directive, and to the extent the processing constitutes automated decision-making or profiling, cannot be based on legitimate interest under the GDPR. 

EU Parliament Holds Hearing on Targeted Political Advertising

The European Parliament’s Committees on Internal Market and Consumer Protection and Civil Liberties Justice and Home Affairs held a joint hearing on transparency and targeting of political advertising.

The purpose of the hearing was to determine how to structure rules around political advertising, including whether to ban targeting outright and the extent to which online platforms should be held accountable.

Testimony in favor of banning or restricting political advertising stressed that political advertisements were malicious and manipulative, that some algorithms were designed with bias to reinforce user views, that Cambridge Analytica operated to rig the Brexit referendum process, and that clear definitions of what data can be stored and used are necessary. 


 The hearing came in response to a proposal for a regulation on the transparency and targeting of political advertising, which proposes rules that would apply to all controllers making use of targeted political advertising.

If approved, the regulation would enter into force by April 2023, a year before the 2024 elections to the European Parliament. 

ICO Rolls Out 3-Year Strategic Plan

The UK Information Commissioner’s Office (ICO) published a report titled ICO25 detailing the ICO’s strategic plan for the next three years.

The plan focuses on empowering people, including looking at predatory marketing calls, algorithms in the benefits system, AI in recruitment, and children’s privacy.

The plan also emphasizes certainty and flexibility for businesses. 


Of note to the digital advertising industry, the plan’s Annual Action Plan for October 2022 to October 2023 includes influencing the phasing out of third-party cookies, working to give web users meaningful control over how they are tracked online, moving away from cookie pop-ups, and exploring the use of targeted advertising of gambling on social media. 


FTC Issues Statement re Sensitive Data / Anonymization / Misuse

post on the Federal Trade Commission’s business blog made clear its commitment to “vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data”.

The post cautioned that making claims about anonymization can be a deceptive trade practice if untrue, for example if the data can be re-identified, especially in the context of location data.

The post also reminded companies of recent cases against OpenX, Weight Watchers and CafePress for, respectively, collecting children’s location data without parental consent, indefinitely retaining sensitive consumer data and failing to respect consumer deletion requests. 


This post is consistent with the FTC’s 2021 resolutions committing to focus its enforcement efforts on certain core areas of focus, including acts or practices affecting children and deceptive and manipulative conduct on the Internet.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Bicameral, bipartisan discussion draft of federal privacy bill announced

April 15, 2024

If passed, the American Privacy Rights Act, a comprehensive...

CPPA issues an enforcement advisory on data minimization

April 9, 2024

Their first "enforcement advisory", reminds companies of their data...

Kentucky sends comprehensive privacy bill to governor

April 1, 2024

Kentucky's privacy bill mirrors Virginia's, is set for 2026....

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]