CNIL fines TIKTOK 5 million euros

On 29 December 2022, the CNIL in France sanctioned the social network TIKTOK for a total amount of 5 million euros for two reasons: users of "tiktok.com" could not refuse cookies as easily as they accept them. Also, they were not informed in a sufficiently precise manner of the purposes of the different cookies.

Between May 2020 and June 2022, the Commission Nationale de l'Informatique et des Libertés (CNIL) carried out several online investigations on the "tiktok.com" website and on the basis of documents requested from the company by the CNIL.

The investigations were carried out only on the TIKTOK website, in an unlogged session, and not on the mobile application.

On the basis of the findings following the inspections, the restricted committee -  the CNIL body responsible for issuing sanctions - considered that TIKTOK INFORMATION TECHNOLOGIES UK LIMITED (TIKTOK UK) and TIKTOK TECHNOLOGY LIMITED (TIKTOK IRELAND) had failed to comply with the obligations set out in Article 82 of the French Data Protection Act.

The amount of this fine was decided on the basis of the breaches identified, the number of people concerned - including minors - and the numerous previous communications from the CNIL on the fact that it must be as simple to refuse cookies as to accept them.


The breaches of the French Data Protection Act

During the inspection carried out in June 2021, the CNIL noted that although the companies TIKTOK UK and TIKTOK IRELAND did offer a button allowing immediate acceptance of cookies, they did not put in place an equivalent solution (button or other) to allow the Internet user to refuse their deposit as easily. Several clicks were required to refuse all cookies, as opposed to just one to accept them.

The restricted committee considered that making the refusal mechanism more complex actually discouraged users from refusing cookies and encouraged them to prefer the ease of the "accept all" button. It concluded that this process infringed the freedom of consent of Internet users and constituted a violation of Article 82 of the French Data Protection Act, since it was not as easy to refuse cookies as to accept them at the time of the online investigation carried out in June 2021 and until the implementation of a "Reject all" button in February 2022.

In addition, users were not informed in a sufficiently precise manner of the purposes (objectives) of the cookies, either on the first-level information banner or in the context of the choice interface accessible after clicking on a link in the banner.

The restricted committee therefore found several breaches of Article 82 of the Data Protection Act.


Jurisdiction of the CNIL

The CNIL is materially competent to verify and sanction operations related to cookies deposited by the companies on the terminals of Internet users located in France. The cooperation mechanism provided for by the GDPR (the “one-stop shop” mechanism) is not intended to apply in these procedures insofar as the operations linked to the use of the identifiers fall within the scope of the "ePrivacy" directive, transposed in Article 82 of the French Data Protection Act.

The restricted committee considered that the CNIL is also territorially competent because the use of cookies is carried out within the "framework of the activities" of TIKTOK SAS, which constitutes the "establishment" on French territory of TIKTOK UK and TIKTOK IRELAND.

It also found that they are jointly responsible since they both determine the purposes and means of the use of cookies.