This design behavior was considered a violation of Article 82 of the French Data Protection Act (DPA), a national regulation in line with the GDPR (General Data Protection Regulation) framework applied across Europe.
The €5 million fine was determined based on the seriousness of the violations, including the number of people involved, children among them, and the number of times the CNIL had to repeat its warnings to TikTok about the need to comply with French data protection law.
As the CNIL explains in the announcement, it inspected the TikTok website in June 2021. It found that while the platform offered a button to allow users to immediately accept cookies, rejecting them was not so straightforward.
Instead, the CNIL says users would have to make several targeted clicks to decline all cookies, which was discouraging, naturally leading most visitors to the TikTok site to click the “accept all” button.
Article 82 of the French DPA not only requires services to obtain the consent of users for the storage of cookies, but also presupposes the freedom of users to give this consent. Therefore, cookie consent dialogs need to offer a balanced approach to how options are presented to the user, which was not the case on TikTok sites.
Despite repeated warnings from the CNIL to TikTok, it took until February 2022 for the company to implement a “Reject All” button and give it a prominent place in the cookie consent prompt.
The second violation, also of Article 82 of the DPA, is the insufficient description of the purposes of the cookies on the banner. According to the CNIL, users who clicked on the banner link to learn more still did not get enough details about the purpose of the cookies.
It should be noted that aggressive data collection strategies are common across major online platforms, which the CNIL recently sanctioned with heavy fines, including Apple, fined $8.5 million, Facebook, $68 million, and Google, $170 million.
A TikTok spokesperson sent BleepingComputer the following comment regarding the CNIL fine:
“These findings relate to past practices that we addressed over the past year, including making it easier to reject non-essential cookies and providing additional information about the purposes of certain cookies.
The CNIL itself highlighted our cooperation during the investigation and user privacy remains a top priority for TikTok.”