France’s lead data protection regulator, CNIL, has issued fines to TikTok for cookie consent issues observed in 2021 and 2022. However, the penalty does not involve the mobile app. The regulator found that the “tiktok.com” website, which allows users to view content via a web browser without logging in, did not have an adequate process for refusing cookies in place and was not sufficiently transparent about how the cookies were used.
France continues with string of cookie consent fines under national data protection law
CNIL has been highly active as of late with fines of this nature for big tech and social media platforms, wielding the power of its national Data Protection Act (underpinned by the EU’s ePrivacy Directive) to directly issue penalties without entering the usually lengthy and contentious General Data Protection Regulation (GDPR) process. Article 82 of the national law can be invoked for this purpose when French citizens are impacted by a cookie consent issue, and when the tech firm keeps a business office in the country.
The fines stem from a CNIL investigation that spanned from May 2020 to June 2022. The primary issue was similar to that of the other cookie consent penalties that the regulatory body has recently issued: TikTok provided website users with a one-click “accept all” button for tracking cookies, but did not offer an equally easy means of rejecting them. The website put users through several additional clicks if they wanted to reject all optional and non-essential cookies. TikTok did remedy the issue by adding a “reject all” button to the site in February 2022.
The regulator also found that the TikTok website did not do enough to inform users of what the purpose of its cookies was. The national cookie consent law requires a certain level of transparency in both the first-level information banner displayed when users arrive at the site, and the interface that appears when users opt for more granular control of what cookies they would like to accept and reject.
Though not as large as the fines that some tech platforms have experienced in the EU, the amount is one of the larger penalties that TikTok has thus far been handed in the region. CNIL arrives at penalty totals by considering a broad range of factors, in this case taking into account the amount of people impacted and the fact that minors were involved. The company’s voluntary cooperation in the midst of the investigation also likely reduced the fine amount.
French focus on cookie consent flows speeds up pace of “dark pattern” elimination
EU regulators have demonstrated an interest in cracking down on so-called “dark patterns,” or interface design elements meant to subtly steer users into particular choices, for some years now. Unfortunately, the process usually gets bogged down in GDPR proceedings, in some cases for years. Direct action by France may be accelerating the process, as changes made for the sake of compliance with the country’s Data Protection Act also roll out to other territories.
The ePrivacy Directive has provided individual nations with an assortment of tools to directly address cookie consent issues, dating back years before the GDPR was implemented. France updated its national law in 2019, and has been issuing penalties related to tracking cookies since 2020. The offenders often make the requisite changes to notifications and click patterns in the midst of the investigation, as it tends to reduce the ultimate fine amount. Compare that to GDPR actions specifically related to cookie consent, which only recently began rolling out to Facebook and Instagram under the authority of the Irish Data Protection Commission.
The video sharing app, most popular with younger users (who are often not of legal age), is under continuing scrutiny in the EU for a variety of issues. Two prior investigations being headed up by Ireland’s DPC remain ongoing, into its child protection practices and transfers of EU citizen data to China. The European Commission also very recently issued a statement warning TikTok that it would need to “go the extra mile” to demonstrate to EU regulators that it was respecting the bloc’s privacy laws.