This design behavior was deemed a violation of Article 82 of France’s data protection laws (DPA), a national regulation that conforms with the GDPR (General Data Protection Regulation) framework enforced throughout Europe.
The €5 million fine was determined by the severity of the violations, including the number of impacted individuals, who include children, and the number of times CNIL had to repeat its warnings to TikTok on the need to adhere to France’s Data Protection Act.
As CNIL explains in the announcement, it inspected the TikTok website in June 2021. It found that while the platform offered a button to allow users to immediately accept cookies, rejecting them wasn’t as easy.
Instead, CNIL says users had to perform several targeted clicks to refuse all cookies, which was discouraging and naturally led most visitors on the TikTok site to click the “Accept all” button.
Article 82 of France’s DPA not only requires services to secure users’ consent for the storage of cookies but also presupposes the users’ freedom to give that consent. Hence, the cookie consent dialogs must offer a balanced approach to how the options are presented to the user, which wasn’t the case on TikTok sites.
Despite CNIL’s repeated warnings to TikTok, it took the company until February 2022 to implement a “Reject all” button and give it a prominent position in the cookie consent prompt.
The second violation, also a breach of Article 82 of the DPA, is the insufficient description of the objectives of the cookies on the banner. CNIL says users who clicked on the banner link to learn more still didn’t get enough details about the purpose of the cookies.
It’s worth noting that aggressive data collection strategies are common among major online platforms, and CNIL has recently penalized such platforms with heavy fines: Apple received an $8.5M fine, Facebook $68M, and Google $170M.
A TikTok spokesperson sent BleepingComputer the following comment regarding the CNIL fine:
“These findings relate to past practices that we addressed last year, including making it easier to reject non-essential cookies and providing additional information about the purposes of certain cookies.
The CNIL itself highlighted our cooperation during the course of the investigation and user privacy remains a top priority for TikTok.”