TikTok has been reprimanded by France’s data protection authority for disregarding cookie consent regulations.
The CNIL has issued a €5 million penalty to TikTok for their cookie consent flow on tiktok.com, which made it easier for users to accept cookies than opt out. Essentially, they were manipulating user consent.
In June 2021, the watchdog found issues with TikTok’s process. However, in February 2022 they introduced a “Refuse all” button which appears to have fixed the problem. This may explain why the fine was relatively small and only related to their website – not their mobile app – along with how few users and minors were affected.
Tracking cookies are used for behavioral advertising and other site activity, like analytics.
In June 2021, the CNIL found that TikTok UK and Ireland only provided a button to accept cookies but not one to easily refuse them. It took several clicks for users to reject cookies, compared with just one click for acceptance – an imbalance highlighted in the watchdog’s press release.
The Restricted Committee found TikTok in breach of Article 82 of the French Data Protection Act, due to its refusal mechanism being more complex than the “Accept all” button; thus, discouraging cookie refusal and favoring ease.
The CNIL found that TikTok had not adequately informed users of the purpose of cookies, both on the cookie consent banner and within the “choice interface” linked from it; thus violating Article 82.
France has implemented the EU’s ePrivacy Directive, which differs from the GDPR in that it does not require complaints concerning users across multiple countries to be referred back to a lead data supervisor based in an EU country (i.e., TikTok’s main establishment in Ireland for GDPR).
Since 2019, France’s regulator has enforced cookie infringements against Big Tech (Amazon, Google, Facebook and Microsoft), fining them hefty amounts and issuing correction orders. This follows an updated guidance on the ePrivacy Directive requiring consent for ad tracking.
France’s moves to improve cookie consent appear as an important supplement to GDPR enforcement that is beginning to affect ad-based business models based on tracking without consent, like the Irish Data Protection Commission’s recent decisions against Facebook and Instagram.
It is essential that user consent for running behavioral advertising be free and fair, not manipulated by deceptive tactics, so the CNIL’s ePrivacy cookie enforcements are significant. Tracking-and-profiling ad giants must rely on this quality of consent to operate.
Last summer, TikTok faced a roadblock when EU data protection authorities intervened to prevent them from switching away from user consent as the legal basis for processing their data in order to run ‘personalized’ ads. This was due to incompatibility with ePrivacy Directive and potential violation of GDPR regulations.
TikTok responded to the CNIL’s sanction, with a spokesperson issuing this statement:
These findings relate to past practices that we addressed last year, including making it easier to reject non-essential cookies and providing additional information about the purposes of certain cookies. The CNIL itself highlighted our cooperation during the course of the investigation and user privacy remains a top priority for TikTok.
Last year, we made it simpler to reject non-essential cookies and provided more info about the purposes of specific cookies. We worked closely with CNIL and continue to prioritize user privacy on TikTok.
