TikTok is the latest tech giant to be schooled by France’s data protection watchdog for breaking rules on cookie consent.
The €5 million penalty announced today by the CNIL relates to a cookie-consent flow TikTok had used on its website (tiktok.com) until early last year — in which the regulator found it was not as easy for users to refuse cookies as to accept them — so it was essentially manipulating consent by making it easier for site visitors to accept its tracking than to opt out.
This was the case when the watchdog checked in on TikTok’s process, in June 2021, until the implementation of a “Refuse all” button on the site in February 2022 — which appears to have resolved the matter. (And may explain the relatively small fine levied in this case, along with the number of users and minors affected — as well as the enforcement relating only to its website, not its mobile app.)
Tracking cookies are typically used to serve behavioral advertising but can also be used for other site activity, such as analytics.
“During the check carried out in June 2021, the CNIL noted that while the companies TikTok United Kingdom and TikTok Ireland did offer a button allowing cookies to be accepted immediately, they did not put in place an equivalent solution (button or other) to allow the Internet user to refuse their deposit just as easily. Several clicks were necessary to refuse all cookies, against only one to accept them,” the watchdog notes in a press release [translated from French with machine translation].
“The Restricted Committee considered that making the refusal mechanism more complex actually amounts to discouraging users from refusing cookies and encouraging them to favor the ease of the ‘Accept all’ button,” it added, saying it found TikTok had therefore breached a legal requirement for freedom of consent — a violation of Article 82 of the French Data Protection Act “since it was not as simple to refuse cookies as to accept them.”
In addition, the CNIL found that TikTok had not informed users “in a sufficiently precise manner” of the purposes of the cookies — both on the information banner presented at the first level of the cookie consent and within the framework of the “choice interface” that was accessible after clicking on a link presented in the banner. Hence finding several breaches of Article 82.
The French enforcement has been taken under the European Union’s ePrivacy Directive — which, unlike the EU’s General Data Protection Regulation (GDPR), does not require complaints that affect users across the bloc to be referred back to a lead data supervisor in an EU country of main establishment (if a company claims that status — as TikTok does with Ireland for the GDPR).
This has enabled the French regulator to issue a series of enforcements over Big Tech cookie infringements in recent years — hitting the likes of Amazon, Google, Facebook and Microsoft with some hefty fines (and correction orders) since 2020, following a 2019 update to its guidance on the ePrivacy Directive which stipulated that consent is necessary for ad tracking.
France’s activity to clean up cookie consent looks like an important adjunct to slower paced cross-border GDPR enforcement — which is only just starting to have an impact on ad-based business models centered on consent-less tracking, such as the final decisions against Facebook and Instagram issued by the Irish Data Protection Commission earlier this month.
If tracking-and-profiling ad giants are forced to rely on gaining user consent to run behavioral advertising it’s critical that the quality of consent gathered is free and fair — not manipulated by deploying deceptive design tricks, as has typically been the case — so the CNIL’s ePrivacy cookie enforcements look important.
Only last summer, for instance, TikTok was prevented from switching away from relying on user consent as its legal basis for processing people’s data to run ‘personalized’ ads to a claim of legitimate interest as the legal basis (implying it intended to stop asking users for their consent) after intervention by EU data protection authorities who warned it such a move would be incompatible with the ePrivacy Directive (and likely breach the GDPR too).
While enforcements under ePrivacy only apply in the regulator’s own market (France, in this case), the impact of these decisions may be wider. Google, for example, followed a sanction from the CNIL by revising how it gathers consent to cookies across the EU. That may not be how every company responds but there is a likely to be a cost associated to applying different compliance configurations for different EU markets — vs. just applying one (high) standard in all EU markets. So ePrivacy enforcement may help set the EU bar.
TikTok was contacted for comment on the CNIL’s sanction. A spokesperson for the company sent us this statement:
These findings relate to past practices that we addressed last year, including making it easier to reject non-essential cookies and providing additional information about the purposes of certain cookies. The CNIL itself highlighted our cooperation during the course of the investigation and user privacy remains a top priority for TikTok.