A long-running EU engagement with TikTok — initiated following a series of complaints over child safety and consumer protection complaints filed back in February 2021 — has ended, for now, with the video sharing platform offering a series of commitments to improve user reporting and disclosure requirements around ads/sponsored content; and also to boost transparency around its digital coins and virtual gifts.
“Thanks to our dialogue, consumers will be able to spot all kinds of advertisement that they are exposed to when using this platform,” said the EU’s commissioner for justice, Didier Reynders, in a statement yesterday.
“Despite today’s commitment, we will continue to monitor the situation in the future, paying particular attention to the effects on young users,” he added.
TikTok was contacted for comment.
In its press release announcing the development, the Commission summarized the “main commitments” TikTok has agreed to — which are that:
- Users can now report ads and offers that could potentially push or trick children into buying goods or services.
- Branded content now abides by a policy protecting users, which prohibits the promotion of inappropriate products and services, such as alcohol, “get rich quick” schemes and cigarettes.
- Users are prompted to switch on a toggle when they publish content captioned with specific brand-related keywords such as #ad or #sponsored.
- If a user has more than 10,000 followers, their videos are reviewed by TikTok against its Branded Content Policy and Community Guidelines to ensure that the content is appropriate.
- Policies clarify how to purchase and use coins, and pop-up windows will provide the estimated price in local currencies. Consumers are allowed to withdraw within 14 days from the purchase, and their purchase history is also available.
- Policies also clarify how to get rewards from TikTok and how to send gifts, for which users will be able to easily calculate their price.
- Paid advertisement in videos will be identified with a new label, which will be tested for effectiveness by a third party.
- Users are able to report undisclosed branded content, and new rules for hashtags and labels will be implemented.
However European consumer organization, BEUC — which originated the complaint — has warned “significant concerns” remain over how TikTok operates its platform that raises questions over the decision, at the EU level, to accept TikTok’s commitments and monitor implementation — rather than take tougher enforcement action.
“We welcome that TikTok has committed to improve the transparency of marketing on their platform but the impact of such commitments on consumers remains highly uncertain. Despite over a year of dialogue with TikTok, the investigation is now closed, leaving significant concerns that we raised unaddressed,” warned BEUC’s deputy director general, Ursula Pachl, in a statement.
“We are particularly worried that the profiling and targeting of children with personalised advertising will not be stopped by TikTok. This is in contradiction with the five principles on advertising towards children adopted by the data protection and consumer protection authorities last week.”
“We now urge the authorities to closely monitor TikTok’s activities and to take national enforcement actions if commitments do not deliver. This must not be the end of the story. BEUC and our members will keep a close eye on the developments,” she added.
The Commission’s own press release — which kicks off with a headline claim that TikTok has agreed to align its rules with the EU’s on consumer protection — can’t avoid sounding doubtful that the full series of concerns has, in fact, been addressed by this grab bag of policy tweaks. Especially in the case of children — which is the group of most concern here, given the platform’s overriding popularity with younger internet users and children’s relative vulnerability to ‘sharp’ commercial practices vs. adults.
The Commission PR acknowledges that Member State level consumer protection agencies may end up taking action at a national level to address remaining concerns.
If that happens the whole saga will have (very slowly) come full circle, since a series of national consumer protection bodies fed the original complaint series that triggered the Commission coordinating the year+ long dialogue with TikTok in the first place — raising questions about how effective the EU’s modernization of its consumer protection framework has been for co-ordinating meaningful action where concerns are wide-ranging/cut across national borders.
If EU lawmakers’ strategy is to soft peddle on hard consumer complaints to encourage platforms to serve up a minimum of operational changes without the need for local bodies to resort to a patchwork of enforcement then perhaps the increased co-ordination — and expanded role for the Commission itself in the process — is working as intended.
But, well, that scenario would suggest it’s EU citizens who are losing out in this ‘modernization’ as enforcement seems to have been de-emphasized — despite a parallel adoption by the bloc of more dissuasive penalties for widespread consumer protection infringements which have empowered national authorities to be able to issue fines of at least up to 4% of global annual turnover.
“The Consumer Protection Cooperation Network (CPC) will actively monitor the implementation of these commitments, in 2022 and beyond,” writes the EU’s executive of TikTok’s commitments. “CPC authorities will, in particular, monitor and assess compliance where concerns remain, such as whether there is sufficient clarity around children’s understanding of the commercial aspects of TikTok’s practices. For example, for what concerns personalised advertising, in light of the recently published ‘5 key principles of fair advertising to children.’”
“The CPC will also carefully check the outcome of the testing of labels, as well as their implementation, and the adequacy of the display of the estimated unit price per coin in local currency when sending a gift,” it adds. “In addition, actions at national level may be launched to ensure that EU standards are respected and to guarantee that all platforms abide by the same rules.”
So, while further action could come at a national level to address remaining concerns — or, indeed via the monitoring process, if TikTok is found failing to live up to its commitments, for now, it appears to have escaped tougher action over EU consumer protection concerns.
The Commission PR does point out that the EU’s network of data protection authorities “remain competent” to assess compliance of TikTok’s new policies and practices with the bloc’s data protection rules. However that’s a line doing a lot of heavy lifting given a mechanism within the EU’s General Data Protection Regulation (GDPR) that’s intended to streamline investigations of cross-border issues by funnelling complaints through a lead DPA that has been accused of contributing to major enforcement bottlenecks.
Ireland’s Data Protection Commission (DPC), which is TikTok’s lead EU DPA — and also happens to be one of the most complained about DPAs when it comes to cross-border GDPR enforcement — opened two investigations into the platform in September 2021, one of which explicitly concerns how it processes children’s data. Both those probes remain ongoing.
On the children’s data inquiry, the DPC told TechCrunch today that it expects to send a draft decision to other interested EU DPAs to review (and potentially object to) by the end of August — suggesting a final decision on the kids’ data inquiry is not imminent.
This is because the (GDPR Article 60) review stage can take several months to play through. Plus, if objections are lodged by other DPAs, it may add many more months before a final decision is arrived at (either by majority consensus; or, if that can’t be found, by the EDPB stepping in) — which means there may not be a final call on whether TikTok’s processing of children’s data complies with EU data protection law until well into 2023.
In another cross-border GDPR case, for example — related to Twitter — it took from May 2020, when the DPC submitted its draft decision for review, to December 2020 for consensus to be reached, via a majority voting decision (following objections).
Additionally, in the case of the DPC’s GDPR transparency probe of WhatsApp, its draft decision was sent to other DPAs in late December 2020 — but a final decision wasn’t handed down until September 2021 after unreconcilable disputes between DPAs required the EDPB to step in and issue a binding decision on the DPC to substantially revise upward the size of the penalty, adding around six months extra to the process.
So it’s a safe bet that TikTok’s processing of children’s data for ads isn’t facing immediate action from “competent” data protection authorities in the EU.
Nor, seemingly, is this issue compelling any of the bloc’s consumer protection authorities to act — despite all their months of concerns about TikTok’s practices. (Which includes the CPC Network endorsing the aforementioned ‘fair advertising’ principles for kids — which stipulate that: “Certain marketing techniques, e.g., personalised marketing, could be inappropriate to use due to the specific vulnerabilities of children.”)
The problem on the consumer protection agency front is likely down to regulators needing to ‘stay in their lane’ — or, basically, the CPC Network is waiting on Ireland’s DPC and the GDPR’s cross-border joint-working processes to do the work and reach a decision.
But while EU regulators play pass the parcel on child protection issues, TikTok gets to keep processing kids’ data for ads.
The platform is also evolving its legal terms — recently announcing an incoming change which will apply to (all) users in the region from July 13 that means it’s switching from relying on consent to process user data for targeted ads to claiming a legal basis known as ‘legitimate interests.’
So, basically, TikTok won’t be asking for EU users’ consent to process their data to run ‘personalized ads’ from next month.
Since the platform announced the planned switch, EU data protection experts have been raising reg flags — querying the viability of TikTok using the LI legal base for such a purpose; and suggesting the change may mean TikTok won’t provide users with any choice but to accept behavioral advertising if they want to use its platform.
4/ it seems to me that you'll have no choice over the use of your on TikTok behavioural data for the purpose of personalised advertising unless TikTok will respect the right to object to the processing of personal data under the legal basis of 'legitimate interests'.
Will it?— Privacy Matters (@PrivacyMatters) June 19, 2022
It’s not clear whether TikTok’s lead EU data protection regulator, Ireland’s DPC, has been consulted on these incoming changes which look extremely material to the data protection rights of all EU citizens.
Under EU law, legitimate interest as a legal basis is intended for ‘necessary’ processing — meaning if there’s a less intrusive way of achieving an outcome (serving non-personalized ads to uses, say) then LI would not apply. It also requires data controllers carry out a balancing test that considers the impact on individual’s interests, rights and freedoms — and, again, for a purpose as extraneous as ‘personalized advertising,’ it’s hard to see how TikTok could claim its interests can override individuals’ rights.
Moreover, as data protection experts have also pointed out, TikTok’s ad processing activities may well fall under the EU’s ePrivacy Directive — which would require user consent.
We asked the DPC about TikTok’s planned change of legal base but at the time of writing we were still waiting on a response to a series of questions.
Given all the delay to cross-border GDPR enforcement, TikTok may feel it has little to lose — and much time to gain — by chancing a switch to its legal basis while EU regulators continue to plod through their existing case backlog.
We also asked the Commission about the decision — taken via the coordinated consumer protection process it led — to accept TikTok’s commitments, despite consumer groups continuing to warn of significant concerns. But, again, at press time we were still waiting for comment.
Update: The Commission did not provide a statement on the record but in background remarks it told us that the decision to provisionally close the dialogue with TikTok was taken by the co-lead authorities based on what it summarized as the positive and numerous commitments achieved along with a common understanding the changes TikTok has committed to will be carefully monitored and assessed in the coming months by the CPC Network.
It added that the enforcement has not tackled the copyright clause concerns issue because the co-leading consumer authorities (in Ireland and Sweden) had decided to focus on many, more urgent issues where there were clear concerns related to unfair commercial practices — especially the risks to consumers posed by hidden advertising.
TikTok hit with consumer, child safety and privacy complaints in Europe
Comment