EU Data Regulators should endorse Personalized Advertisements as a valid "Legitimate Interest" under the General Data Protection Regulation (GDPR)

EU Data Regulators should endorse Personalized Advertisements as a valid "Legitimate Interest" under the General Data Protection Regulation (GDPR)

In the ever-evolving landscape of data privacy, TikTok, the popular social media platform, has been making waves in Europe. The company had planned to switch its legal basis for processing personal data for targeted ads from consent to legitimate interest under the General Data Protection Regulation (GDPR).

However, as of mid-2025, TikTok has not publicly made this switch. The platform remains under intense scrutiny by European regulators, particularly the Irish Data Protection Commission (DPC), regarding its compliance with GDPR requirements, particularly data transfers to China and other processing practices.

The GDPR clearly states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. However, the use of legitimate interest for personalized ads is complex and requires a rigorous assessment to balance company interests and individual privacy rights, provide clear and transparent notification, and meet high thresholds of necessity and proportionality.

TikTok's planned policy change has sparked opposition from privacy activists, who view consent as the cornerstone of Europe's data protection laws. Swapping between one lawful basis and another for data processing would undermine the transparency expectations of the GDPR.

Authorities need to affirm the legitimacy of TikTok's interpretation of the GDPR to avoid invalidating a key legal mechanism used by businesses to process data under the EU's data protection laws. If regulators reinterpret the GDPR to make it harder for businesses to use data in Europe, it could become an epitaph on the tombstone of innovation.

If TikTok's proposed change is denied, it would create significant legal risk for businesses using legitimate interest as a lawful basis for processing data in the EU. If businesses cannot use the legitimate interest provision of the GDPR, they will be significantly constrained in how they process data, negatively impacting beneficial uses of data and ultimately raising costs for consumers.

It's important to note that when relying on consent, data subjects must provide freely given, specific, informed, and unambiguous consent. TikTok is currently using consent as its basis for lawful processing and is planning to switch to legitimate interest for new data collected after a certain date for delivering personalized ads.

TikTok shares ad revenue with its top content creators, demonstrating a commitment to its creators and users. However, the broader GDPR context underscores the need for careful consideration when making such changes to ensure compliance with the regulation.

In conclusion, TikTok’s GDPR compliance efforts remain dominated by legal disputes and investigations in Europe, with no confirmed move to replace consent with legitimate interest as the basis for processing personalized ad data. Privacy activists, regulators, and businesses must find a balance that upholds privacy rights while allowing for innovation and growth in the digital age.

1. TikTok, under the General Data Protection Regulation (GDPR), aims to switch its legal basis for processing personal data for targeted ads from consent to legitimate interest.
2. The Irish Data Protection Commission (DPC) is intensely scrutinizing TikTok's compliance with GDPR requirements, particularly data transfers to China and other processing practices.
3. The GDPR allows the processing of personal data for direct marketing purposes to be considered as carried out for a legitimate interest, but the use of legitimate interest for personalized ads is complex and requires a thorough assessment.
4. Privacy activists oppose TikTok's planned policy change, viewing consent as the foundation of Europe's data protection laws, and worry that swapping between lawful bases for data processing could undermine transparency expectations.
5. If TikTok's proposed change is denied, it would create significant legal risk for businesses relying on legitimate interest as a lawful basis for processing data in the EU.
6. When relying on consent, data subjects must provide freely given, specific, informed, and unambiguous consent, and TikTok is currently using consent as its basis for lawful processing.
7. Maintaining a balance between upholding privacy rights, allowing innovation, and facilitating growth in the digital age is a challenge for privacy activists, regulators, and businesses alike.

Read also: