
French authorities fine TikTok for its deceptive cookie consent flow

When it comes to cookie permission, TikTok is the latest internet company to get a lecture from France’s data protection authorities.

TikTok’s cookie consent flow was the subject of the CNIL’s announcement of a €5 million fine today. The regulator found that it was not as easy for users to refuse cookies as it was to accept them, so TikTok was essentially manipulating consent by making it easier for site visitors to accept its tracking than to opt out.

This was the situation in June 2021, when the watchdog examined TikTok’s procedure, and it remained so until February 2022, when a “Refuse all” option was added to the website, at which point the problem appeared to be fixed. Given the number of users (including children) affected in this case, and the fact that enforcement was limited to the website rather than the mobile app, the relatively modest penalty issued here makes sense.

While tracking cookies are most often used to provide targeted advertisements based on a user’s browsing habits, they may also be used for analytics and other purposes.

While TikTok UK and TikTok Ireland did provide a button to accept cookies instantly, the CNIL found that neither company had implemented a mechanism (a button or otherwise) to let the internet user refuse their placement in the same straightforward manner. The watchdog noted in a press statement [translated from French by machine] that “refusing all cookies required several clicks, but accepting them required just one.”

“The Restricted Committee considered that making the refusal mechanism more complex actually amounts to discouraging users from refusing cookies and encouraging them to favor the ease of the “Accept all” button,” it added, saying it found TikTok had therefore breached a legal requirement for freedom of consent — a violation of Article 82 of the French Data Protection Act “since it was not as simple to refuse cookies as to accept them”.
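To make the asymmetry the CNIL describes concrete, here is an added example (not code from the article, TikTok or the CNIL) that models a cookie banner as a graph of screens and measures the minimum number of clicks needed to reach “all accepted” versus “all refused”. Both flows are constructed for illustration and do not reproduce TikTok’s actual interface.

```javascript
// Constructed flow: one click accepts everything, but refusing means opening
// a settings panel, switching off each category and then saving.
const ASYMMETRIC_FLOW = {
  start: 'banner',
  screens: {
    banner:       { 'Accept all': 'ALL_ACCEPTED', 'Manage cookies': 'settings' },
    settings:     { 'Accept all': 'ALL_ACCEPTED', 'Disable analytics': 'no_analytics' },
    no_analytics: { 'Disable advertising': 'no_analytics_no_ads', 'Save': 'PARTIAL' },
    no_analytics_no_ads: { 'Save': 'ALL_REFUSED' },
  },
};

// Constructed flow with a first-level "Refuse all" control beside "Accept all",
// the shape the CNIL treated as compliant.
const SYMMETRIC_FLOW = {
  start: 'banner',
  screens: {
    banner:   { 'Accept all': 'ALL_ACCEPTED', 'Refuse all': 'ALL_REFUSED', 'Manage cookies': 'settings' },
    settings: { 'Accept all': 'ALL_ACCEPTED', 'Refuse all': 'ALL_REFUSED' },
  },
};

// Breadth-first search over screens: fewest clicks from the start screen to
// the requested outcome. Returns Infinity if the outcome cannot be reached
// at all (no way to refuse), which is the worst form of asymmetry.
function minClicks(flow, outcome) {
  const seen = new Set([flow.start]);
  const queue = [[flow.start, 0]];
  while (queue.length) {
    const [node, depth] = queue.shift();
    const screen = flow.screens[node];
    if (!screen) continue; // terminal outcome, nothing further to click
    for (const target of Object.values(screen)) {
      if (target === outcome) return depth + 1;
      if (!seen.has(target)) { seen.add(target); queue.push([target, depth + 1]); }
    }
  }
  return Infinity;
}

// Audit: refusal must take no more clicks than acceptance.
function auditConsentFlow(flow) {
  const accept = minClicks(flow, 'ALL_ACCEPTED');
  const refuse = minClicks(flow, 'ALL_REFUSED');
  return { accept, refuse, symmetric: refuse <= accept };
}
```

Running the audit over a real banner would mean extracting the screen graph from the consent UI; the check itself is the same comparison of click depths.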

Furthermore, the CNIL determined that TikTok had not informed users of the aims of the cookies “in a sufficiently specific way,” both on the information banner displayed at the first level of the cookie consent and within the context of the “choice interface” that was available after clicking a link offered in the banner. Therefore, multiple violations of Article 82 were discovered.

France took this enforcement action under the EU’s ePrivacy Directive rather than the EU’s General Data Protection Regulation (GDPR). The GDPR mandates that complaints affecting users across the bloc be referred back to a lead data supervisor in the EU country of main establishment (where a company claims that status, as TikTok does with Ireland for the GDPR); the ePrivacy Directive has no such one-stop-shop mechanism.

Because of this, the French regulator has been able to issue a number of enforcements over Big Tech cookie infringements in recent years, hitting companies such as Amazon, Google, Facebook, and Microsoft with some hefty fines (and correction orders) since 2020, following a 2019 update to its guidance on the ePrivacy Directive which stipulated that consent is necessary for ad tracking.

France’s efforts to clean up cookie consent appear to be a useful supplement to the more leisurely pace of cross-border GDPR enforcement, which is only now beginning to have an effect on ad-based business models centred on consent-less tracking (see, for example, the final decisions against Facebook and Instagram issued by the Irish Data Protection Commission this month).

The CNIL’s ePrivacy cookie enforcements matter because they ensure that the consent obtained is freely and fairly given, rather than shaped by deceptive design methods, as has traditionally been the case when collecting user information for tracking and profiling purposes.

In the summer of 2018, for instance, EU data protection authorities intervened to prevent TikTok from shifting the legal basis it used for processing people’s data to run “personalised” ads from user consent to a claim of legitimate interest (implying it intended to stop asking users for consent, and likely breaching the GDPR too).

ePrivacy enforcement is only binding inside the regulator’s home market (France), but its reach may extend beyond the country’s borders. Following a CNIL fine, Google, for one, updated its cookie consent procedures throughout the European Union. Maintaining separate compliance configurations for different EU markets is an option for a business, but it is more expensive than applying a single (high) standard across the board. As a result, ePrivacy enforcement by one member state can end up setting the standard for the EU as a whole.

We reached out to TikTok for its response to the CNIL’s penalty. A spokesperson supplied the following statement:

These findings relate to past practices that we addressed last year, including making it easier to reject non-essential cookies and providing additional information about the purposes of certain cookies. The CNIL itself highlighted our cooperation during the course of the investigation and user privacy remains a top priority for TikTok.