Prestigious social media platform and the latest internet giant TikTok have received a warning for breaking cookie consent requirements. According to France’s data protection regulators, TikTok UK and TikTok Ireland have been fined over €5.4 million by France’s data protection regulator (CNIL) for making it impossible for platform users to reject cookies and for failing to explain their function adequately.
Article 82 of France’s data protection regulations (DPA), a national statute that complies with the GDPR (General Data Protection Regulation) framework implemented throughout Europe, was found to be broken by this designed behavior. The seriousness of the infractions, including the number of people affected, including children, and the number of times CNIL had to remind TikTok that it needed to abide by France’s Data Protection Act, led to the €5.4 million punishment.
TikTok’s Data Gathering Techniques
In June 2021, CNIL conducted an inspection of the TikTok website, as stated in the announcement. While the platform provided a button for users to accept cookies instantly, it was discovered that rejecting them wasn’t as straightforward. Instead, according to CNIL, users would have to make multiple specific clicks to reject all cookies, which was discouraging. Consequently, it is only reasonable that the majority of visitors to the TikTok website will pick the “Accept all” button.
In addition to requiring services to obtain users’ consent for the storage of cookies, Article 82 of France’s DPA also assumes the users’ freedom to do so. Because of this, the cookie consent dialogs must give the options to the user in a balanced manner, which wasn’t the case on TikTok sites. Despite several warnings from CNIL, TikTok didn’t add a “Reject all” button or give it a prominent location in the cookie consent prompt until February 2022.
The second infraction, which also violates Article 82 of the DPA, is the banner’s inadequate description of the cookies’ goals. Users that clicked on the banner link to learn more, according to CNIL, still didn’t receive adequate information about the goal of the cookies.
It’s important to note that large online platforms frequently use aggressive data-gathering techniques. The CNIL recently punished these sites with hefty fines, with Apple receiving an $8.5M punishment, Facebook receiving $68M, and Google receiving $170M.
“These results are related to historical practices that we addressed last year, such as making it simpler to reject cookies that are not strictly necessary and giving more details about the functions of specific cookies. The CNIL itself emphasized our cooperation throughout the investigation, and TikTok continues to place a high focus on user privacy.”
E-Privacy Enforcements In The Market
Additionally, the CNIL determined that TikTok failed to provide users with “sufficiently precise” information about the purposes of the cookies, both on the information banner displayed at the first level of cookie consent and within the parameters of the “choice interface” that was accessible after clicking on a link presented in the banner. Multiple violations of Article 82 were, as a result, found.
For instance, EU data protection authorities intervened last summer to stop TikTok from using a claim of legitimate interest as the legal basis for processing people’s data to run “personalized” ads (implying it intended to stop asking users for consent) instead of user consent. They cautioned TikTok that such a move would be incompatible with the ePrivacy Directive (and likely breach the GDPR too).
Although ePrivacy enforcements only apply in the regulator’s home market (in this case, France), the effects of these decisions could be widespread. In response to a CNIL fine, Google, for instance, altered its cookie consent collection procedures throughout the EU. The use of several compliance configurations for various EU countries – as opposed to utilizing a single (high) standard in all EU markets – is likely to come at a cost. That may not be how every company available responds to such. Therefore, ePrivacy enforcement might help establish the EU standard.
A response from TikTok addressing the CNIL’s punishment was requested. We were given the following quote from a company spokeswoman: These results are connected to other practices discussed last year, like making it simpler to reject cookies that aren’t necessary and giving more details about the objectives of particular cookies. The CNIL stressed our cooperation throughout the investigation, and TikTok continues to place a high focus on user privacy.
Conclusion
TikTok, a popular short-form video hosting service, has been fined €5 million (about $5.4 million) by the French data protection authorities for violating cookie consent laws, making it the latest platform to suffer such penalties since 2020, following Amazon, Google, Meta, and Microsoft. “Users of ‘tiktok[.]com’ could not refuse cookies as readily as they could accept them, and they were not adequately informed of the aims of the different cookies,” said the Commission Nationale de l’informatique et des libertés (CNIL) in a statement.
