[ad_1]
When it comes to privacy nightmares, Pinterest is unlikely to be the first social app that comes to mind. But the use of a visual discovery engine for tracking ads is the target of a recent complaint from the non-profit European Privacy Rights noybwhich accuses it of violating the bloc’s General Data Protection Regulation (GDPR) by failing to obtain consent from users to track and label them for advertising.
The GDPR allows penalties of up to 4% of total global annual sales for confirmed breaches, so such complaints could result in significant penalties for tech giants.
Although Pinterest has generally remained under the radar, when it comes to online privacy issues — especially compared to other mainstream, ad-funded social services (like Facebook) — it’s worth noting that the company’s tracking and profiling has been pulled to center stage in the tragic case. British schoolgirl Molly Russell committed suicide in 2017. She had pro-suicide content pushed to her social feeds through a number of apps, including Pinterest.
A 2022 Preventing Future Deaths report by a UK coroner found that “the negative effects of online content” were a factor in her death. This was the result of widespread user tracking and profiling on ad-funded platforms.
In the noyb-backed complaint against Pinterest, which was filed with the French data protection authority, the platform was also accused of failing to meet a data access request resulting from the General Data Protection Regulation. No information was provided on the categories of data relating to the complainant that were shared with third parties.
In addition to requiring companies to have a valid legal basis for processing people’s data, the GDPR provides individuals in the EU with a range of access rights, such as the ability to request a copy of their information.
“secret tracking”
Pinterest relies on a legal basis for processing people’s data to target ads known as legitimate interest (LI). However, Noib considers this use to be inconsistent with the GDPR.
This refers to a July 2023 ruling by the EU Supreme Court that denied the ability of Meta, Facebook’s owner, to infiltrate its surveillance advertising business through LI* – asserting that Pinterest must therefore obtain approval from the Europeans to run its “personalized advertising” business. “Her own.
Currently, Pinterest, which has about 130 million regional users, tracks virtually all users to “personalize” ads.
Any Pinterest user in Europe who wishes not to be tracked and categorized in this way should take the active step of objecting to processing (the GDPR requires users to be provided with the ability to object to processing if LI is the legal basis), instead of asking them Positively ask whether they consent to their information being used in this way, as Noib believes that should be the case here.
“Pinterest is secretly tracking European users without asking for their consent,” Klianthi Sardelli, a data protection lawyer at noyb, said in a statement about the complaint. “This allows the social media platform to illegally profit from people’s personal data without them ever finding out.”
“Pinterest appears to be actively ignoring the ruling of the European Court of Justice (CJEU) in order to maximize its profits. The CJEU has made clear that personalized advertising cannot be based on a legitimate interest,” Sardelli added.
Data access problem
noyb’s complaint against Pinterest was filed on behalf of an unnamed user who reportedly did not realize that the platform was tracking her without her consent.
I only discovered Pinterest tracking when I looked at the “Privacy and Data” settings — where I found that “Ad Personalization” was turned on by default. It also found that the platform uses information from “visited websites” and other third parties to serve ads, as well as tracking their activity on the site for this purpose. In short, Pinterest is in the surveillance advertising business.
“This practice has clearly been illegal since the introduction of the GDPR in 2018,” Noib wrote in a press release. “In its ruling in Case C252/21 Bundeskartellamt In 2023, the Court of Justice of the European Union (CJEU) again found that personalized advertising could not be based on a legitimate interest under Article 6(1)(f) of the GDPR.
The complainant also took the step of submitting a data access request to Pinterest. But the copy of her data she received did not include any information about the recipients of her data.
“Even after two additional requests, Pinterest failed to provide details about the categories of data that were shared with third parties,” she wrote, adding: “In other words: Pinterest failed to adequately respond to an access request under Article 15(1).” (c) General Data Protection Regulation.
The complaint calls on Pinterest to delete any data it processed for ads and inform users that it did so. The company must also fulfill the complainant’s data access request. In addition, noyb is pushing for a fine to be imposed at a level that would serve as a deterrent to future GDPR violations.
Pinterest has been contacted to respond to the complaint.
Although noyb has brought this case in France, where the regulatory body (CNIL) has a strong reputation for enforcing privacy complaints – including on the issue of consent – it is possible that it could be passed to the Irish Data Protection Commission given that Pinterest has the status Regional headquarters in Dublin. (And because of the GDPR’s “one-stop-shop” mechanism, which aims to simplify oversight of complaints that extend across EU borders.)
However, noyb told TechCrunch that it had filed a complaint against the US-based Pinterest entity, noting that the company’s privacy policy identifies both Pinterest Europe and Pinterest, Inc (i.e. the US entity) as joint data controllers for the processing.
“The CNIL is the competent authority and should not forward the complaint to Ireland,” she suggested. “But of course we don’t know if they would do it anyway.”
* For its part, Meta has since switched to a consent-based legal basis for its tracking ads. Although it is a version of “consent” that forces users to choose between paying for an ad-free subscription or accepting its tracking ads for free access to its services – this in itself is now also subject to privacy, consumer protection and competition complaints. But that’s a whole other story.
[ad_2]