TikTok Fined $5.4 Million for Cookie Consent Violations in France

Simon Coulthard January 20, 2023

2-minute read

The French data protection authority fined TikTok for cookie consent violations after ruling that their banner policy fell short of the country's data privacy requirements. The CNIL announced the penalty on Thursday, although it said the sanction itself was issued on December 29.

The regulator claims that the fine was levied because of two issues with the TikTok website and not because of ongoing privacy concerns with its mobile app.

According to the CNIL, the reasons for hitting the social media platform with a $5.4 million sanction were: website users couldn’t reject cookies as easily as accept them, and they were not given enough information about the different cookies' purposes.

Read more about this penalty on the CNIL website.

The Breach of the French Data Protection Act

Cookies are text files that include tiny bits of information, such as a username and password, and are used to recognize your computer when you're connected to a network.

The server creates data in a cookie as soon as you connect. An ID that is specific to you and your computer is used to identify this data. Websites use cookies to streamline the web experience.

Cookie consent pop-ups have become an industry tactic in response to the European Union's ePrivacy Directive and General Data Protection Regulation (GDPR), which gave EU people the ability to revoke their consent to being followed and profiled by advertisers online.

According to the regulation, websites must prevent all marketing cookies and trackers from being downloaded to users' browsers until such users have given their explicit consent. Despite the fact that in practice this is rarely done, websites are not permitted to pre-tick boxes or use "consent toggles" that make accepting cookies easier than declining them.

Through tracking cookies on both its own website and other websites, TikTok, which has around 1 billion average monthly users globally, has become the new advertising behemoth on the internet.

The CNIL observed during the inspection conducted in June 2021 that although the TikTok website offered a button enabling immediate acceptance of cookies, they had not implemented an equivalent solution (button or other) to enable the user to easily reject them.

Instead of one simple click to approve cookies, you had to decline more options in order to stop the website to track your data.

Additionally, neither the first-level information banner nor the context of the choice interface available after clicking on a link in the banner adequately informed users of the objectives of the cookies.

"These findings relate to past practices that we addressed last year, including making it easier to reject non-essential cookies and providing additional information about the purposes of certain cookies. The CNIL itself highlighted our cooperation during the course of the investigation and user privacy remains a top priority for TikTok," a spokesperson for TikTok said.

The CNIL claimed that between May 2020 and June 2022, it conducted a number of inspections of the company's website and that the “Reject All” button was not available until February 2022.

CNIL also fined Google, Microsoft, and Facebook for not having a transparent cookie consent banner.

TikTok is at the center of several privacy debates across the globe, particularly in the United States.

Its use on government equipment is prohibited by the federal government and about 20 states in the United States. In November, FBI Director Christopher Wray stated that the bureau has several issues with TikTok.

"They include the possibility that the Chinese government could use it to control data collection on millions of users or control the recommendation algorithm, which could be used for influence operations if they so chose, or to control software on millions of devices, which gives it an opportunity to potentially technically compromise personal devices," Christopher Wray said.

With GDPR coming into effect along with other data privacy laws, every company should pay attention to its consent cookie banner. Or they should try cookieless tracking to avoid huge fines.