The CNIL carried out online investigations on the “tiktok.com” website between May 2020 and June 2022 and found that TIKTOK Information Technologies UK LIMITED (TIKTOK UK) and TIKTOK Technology Limited (TIKTOK Ireland) failed in complying with the obligations of the French Data Protection Act, namely Article 82, (requirement transposed from the “ePrivacy directive) wherein it was not as simple to refuse cookies as to accept them.
📌 The background
The CNIL conducted a number of online investigations between May 2020 and June 2022 using the “tiktok.com” website and the company’s response to document requests from the CNIL. The investigations weren’t conducted on the mobile application, simply on the TIKTOK website, in an unlogged session.
🔎 What did they find?
The restricted committee, a CNIL body in charge of imposing sanctions, determined that TIKTOK INFORMATION TECHNOLOGIES UK LIMITED (TIKTOK UK) and TIKTOK TECHNOLOGY LIMITED (TIKTOK IRELAND) had violated the requirements outlined in Article 82 of the French Data Protection Act based on the findings from the inspections.
The severity of this consequence was determined based on the documented violations, the number of individuals affected, including children, and the numerous prior communications from the CNIL stressing the requirement that rejecting cookies be just as easy as accepting them.
The firms TIKTOK UK and TIKTOK IRELAND did offer a button allowing immediate acceptance of cookies, but the CNIL saw during the inspection conducted in June 2021 that they had not implemented an equivalent solution (button or other) to allow the Internet user to immediately reject their deposit. To reject all cookies, more clicks were needed than it took to accept them.
The restricted committee believed that making the refusal mechanism more difficult actually drove users to favor the simplicity of the “accept all” button and discouraged them from utilizing the refusal mechanism at all. When the online investigation was conducted in June 2021 and up until the deployment of a “Reject all” button in February 2022, it was determined that this method violated Internet users’ rights to free consent and constituted a violation of Article 82 of the French Data Protection Act.
Additionally, neither the first-level information banner nor the context of the choice interface available after clicking on a link in the banner adequately informed users of the goals (objectives) of the cookies.
As a result, multiple violations of Article 82 of the Data Protection Act were discovered by the restricted committee.
CNILs response
The CNIL has the necessary authority to investigate and punish activities using cookies that businesses place on the computers of French Internet users. Since the operations associated with the use of the identifiers are outside the purview of the “ePrivacy” directive, as implemented in Article 82 of the French Data Protection Act, the GDPR’s “one-stop shop” mechanism is not intended to apply in these procedures.
Due to the fact that the use of cookies occurs inside the “context of the activities” of TIKTOK SAS, which serves as the “establishment” of TIKTOK UK and TIKTOK IRELAND on French soil, the restricted committee believed that the CNIL also possesses territorial competence.
🇬🇧Read about the Decision in English
🇫🇷 Access the Official text in French
