The Italian data protection authority, the Garante, ruled that profiling through cookies by a famous social network cannot be based on the legitimate interest of users.
The Garante’s recent decision, adopted as a matter of urgency, is the result of the investigation initiated following the social network’s announcement about the future modification of its privacy information notice concerning the use of personalized advertising through profiling exclusively aimed at users over 18 years of age and based on “information you provide us, automatically collected information and information from other sources,” having the purpose of showing advertisements tailored to the personal interest of users; such data processing activities, in the social network’s opinion, would find the legal basis in the legitimate interest referred to in Art. 6(1)(f) of the GDPR.
However, in light of the critical issues that emerged, the Garante held that it would have been difficult to prove age verification by the social network. The well-known social network, moreover, had pledged to resolve the issue of age ascertainment. However, given the manner and mechanisms by which such ascertainment occurs, the Italian data protection authority considered that the risk of profiling even those between the ages of 13 and 14 could not be ruled out. In this sense, for those under the age of 14, the consent of those exercising parental authority is required to access the platform, while for those under the age of 13, access is precluded altogether.
The Italian data protection authority deemed that legitimate interest, as a legal basis for the data processing, cannot justify user profiling through cookies. However, it is equally relevant to point out that according to the decision, this principle does not apply to all profiling but only to cookie-based profiling. Furthermore, the ePrivacy Directive states that information stored on the device (also used in the context of profiling) can only be processed with the consent of the data subject. Thus, the Garante adopted a decision that does not need the approval of other European privacy authorities, since the latter mechanism does not apply within the scope of the ePrivacy Directive.
Following the measure, the social network followed Garante’s indications by postponing the modification of the information notice and, therefore, the shift to legitimate interest as the legal basis for “personalized” advertising aimed only at adults.
On a similar topic, the article “Infographic – New obligations on cookies under Italian data protection law” may be of interest.