When it comes to privacy nightmares, Pinterest is unlikely to be the first social app that springs to mind. But the visual discovery engine’s use of tracking ads is the target of the latest complaint from European privacy rights non-profit noyb, which accuses it of breaching the bloc’s General Data Protection Regulation (GDPR) by failing […]
© 2024 TechCrunch. All rights reserved. For personal use only.
When it comes to privacy nightmares, Pinterest is unlikely to be the first social app that springs to mind. But the visual discovery engine’s use of tracking ads is the target of the latest complaint from European privacy rights non-profit noyb, which accuses it of breaching the bloc’s General Data Protection Regulation (GDPR) by failing to obtain consent from users to being tracked and profiled for advertising.
The GDPR allows for penalties of up to 4% of global annual turnover for confirmed breaches so such complaints can lead to substantial sanctions for tech giants.
While Pinterest has generally flown under the radar, with regard to online privacy issues — especially compared to other mainstream ad-funded social services (such as Facebook) — it’s worth recalling that the company’s tracking and profiling was pulled center stage in the tragic case of the suicide in 2017 of the U.K. schoolgirl, Molly Russell. She had pro-suicide content pushed into her social feeds by a number of apps, including Pinterest.
A 2022 ‘Prevention of Future Deaths’ report by a U.K. coroner found that “negative effects of online content” were a factor in her death. It was the result of the ad-funded platforms’ pervasive tracking and profiling of users.
In the noyb-backed complaint against Pinterest, which has been filed with France’s data protection authority, the platform is also accused of failing to fulfill a GDPR data access request. It didn’t provide information on the categories of data about the complainant that were shared with third parties.
As well as requiring that companies have a valid legal basis to process people’s data, the GDPR provides individuals in the EU with a suite of access rights, such as the ability to request a copy of their information.
Pinterest is relying upon a legal basis for processing people’s data for ad targeting that’s known as legitimate interest (LI). However, noyb argues this use is non-compliant with the GDPR.
It points to a July 2023 ruling by the EU’s top court which denied Facebook owner Meta’s ability to ram its own surveillance ads business through LI* — asserting that Pinterest must therefore obtain Europeans’ consent to run its own ‘personalized ads’ business.
As it stands, Pinterest, which has some 130 million regional users, tracks all of them by default to “personalize” ads.
Any Pinterest user in Europe who wishes not to be tracked and profiled in this way must take the active step of objecting to its processing (the GDPR requires that users are provided with the ability to object to processing if LI is the legal basis), rather than being affirmatively asked whether they’re okay with their information being used like this, as noyb believes should be the case here.
“Pinterest is secretly tracking European users without asking for their consent,” said Kleanthi Sardeli, a data protection lawyer at noyb, in a statement on the complaint. “This allows the social media platform to unlawfully profit from people’s personal data without them ever finding out.”
“It appears that Pinterest is actively ignoring a European Court of Justice (CJEU) ruling in order to maximise its profits. The CJEU made it clear that personalised advertising cannot be based on legitimate interest,” Sardeli added.
noyb’s complaint against Pinterest has been filed on behalf of an unnamed user who it said had not realized the platform was tracking her without consent.
She only discovered Pinterest’s tracking when she looked at the “privacy and data” settings — where she found that “ads personalization” was turned on by default. She also found that the platform uses information from “visited websites” and other third parties for ads display, as well as tracking her on-site activity for this purpose. In short, Pinterest is in the surveillance ads business.
“This practice is clearly unlawful since the introduction of the GDPR in 2018,” noyb wrote in a press release. “In its ruling in case C252/21 Bundeskartellamt in 2023, the Court of Justice of the European Union (CJEU) found again that personalised advertising cannot be based on legitimate interest under Article 6(1)(f) GDPR.”
The complainant also took the step of filing a data access request to Pinterest. But the copy of her data she received didn’t include any information about the recipients of her data, per noyb.
“Even after two additional requests, Pinterest failed to provide details about the categories of data that were shared with third parties,” it wrote, adding: “In other words: Pinterest failed to adequately respond to the access request under Article 15(1)(c) GDPR.”
The complaint calls for Pinterest to delete any data it has processed for ads and inform users it has done so. The company should also fulfil the complainant’s data access request. Additionally, noyb is pressing for it to be fined at a level that would act as a deterrent for future GDPR breaches.
Pinterest has been contacted for a response to the complaint.
While noyb has filed this case in France, where the regulator (CNIL) has a strong reputation for enforcing on privacy complaints — including around the issue of consent — it’s possible it could be passed to Ireland’s Data Protection Commission on account of Pinterest having its regional HQ in Dublin. (And because of the GDPR’s “one-stop-shop” mechanism for streamlining oversight of complaints that span EU borders.)
However, noyb told TechCrunch it has filed the complaint against Pinterest’s U.S.-based entity, pointing out that the company’s privacy policy names both Pinterest Europe and Pinterest, Inc (i.e. the US entity) as joint data controllers for the processing.
“The CNIL therefore is the competent authority and shouldn’t forward the complaint to Ireland,” it suggested. “But we of course don’t know if they will do so anyway.”
* For its part, Meta has since switched to a consent-based legal basis for its tracking ads. Albeit, it’s a version of ‘consent’ that forces users to choose between paying it for an ad-free subscription or accepting its tracking ads for free access to its services — that’s itself now also subject to privacy, consumer protection and competition complaints. But that’s a whole other story.
Leave a Reply