TikTok UK and TikTok Ireland have been fined €5,000,000 by France’s Commission Nationale de l’Informatique et des Libertés (CNIL) for making it impossible for platform users to reject cookies and for failing to adequately explain their function.
This design was found to violate Article 82 of France’s Data Protection Act (DPA), a national statute that complies with the GDPR (General Data Protection Regulation) framework implemented throughout Europe.
CNIL’s Investigation on TikTok
CNIL posted an official statement on its website regarding its decision to fine TikTok and the reasons behind it. The French data protection regulator carried out several online investigations between May 2020 and June 2022 on TikTok’s website and on the basis of documents requested by the CNIL from TikTok. The investigations were carried out only on TikTok’s website, in an unlogged session, and not on the mobile application.
Based on the findings of the investigations, the CNIL body responsible for issuing sanctions considered that the UK and Ireland-based branches of TikTok had failed to comply with the obligations set out in Article 82 of the French Data Protection Act.
TikTok UK and TikTok Ireland did offer a button allowing immediate acceptance of cookies, but during the inspection conducted in June 2021 the CNIL observed that they had not implemented an equivalent solution (button or other) allowing the Internet user to reject cookies just as immediately. Rejecting all cookies took more clicks than accepting them.
The committee considered that making the refusal mechanism more complex actually discouraged users from refusing cookies and encouraged them to choose the ease of the “accept all” button instead. It was considered that this was a violation of Article 82 since it was not as easy to refuse cookies as to accept them at the time of the investigation.
Additionally, neither the first-level information banner nor the choice interface available after clicking on a link in the banner adequately informed users of the purposes of the cookies. TikTok finally implemented a “reject all” button in February 2022.
BleepingComputer reached out to TikTok to find more details about the fine. A TikTok spokesperson sent a comment regarding the CNIL fine:
These findings relate to past practices that we addressed last year, including making it easier to reject non-essential cookies and providing additional information about the purposes of certain cookies.
The CNIL itself highlighted our cooperation during the course of the investigation and user privacy remains a top priority for TikTok.
TikTok Spokesperson (Source)
Earlier this year, the CNIL fined Apple $8.0M for breaches of Article 82 of the French Data Protection Act.