TikTok has been hit with a €5 million (around AU$7.8 million) penalty by the French data protection watchdog CNIL over cookie consent flow on its tiktok.com website.
The regulator said that the website did not make it as easy for users to refuse cookies as to accept them — essentially manipulating consent by making it easier for visitors to accept tracking than to opt out.
The offending cookie notice appeared in June 2021 but was replaced by a “Refuse All” button on the site in February 2022.
“During the check carried out in June 2021, the CNIL noted that while the companies TikTok United Kingdom and TikTok Ireland did offer a button allowing cookies to be accepted immediately, they did not put in place an equivalent solution (button or other) to allow the Internet user to refuse their deposit just as easily. Several clicks were necessary to refuse all cookies, against only one to accept them,” the watchdog notes in a press release (translated by Google).
“The Restricted Committee considered that making the refusal mechanism more complex actually amounts to discouraging users from refusing cookies and encouraging them to favor the ease of the ‘Accept all’ button,” it added, saying it found TikTok had therefore breached a legal requirement for freedom of consent — a violation of Article 82 of the French Data Protection Act “since it was not as simple to refuse cookies as to accept them.”
Plus, CNIL found that TikTok had not informed users in a “sufficiently precise manager” about the purpose of the cookies on either the information banner and within the “choice interface” that was accessible after clicking on a link in the banner.
“These findings relate to past practices that we addressed last year, including making it easier to reject non-essential cookies and providing additional information about the purposes of certain cookies. The CNIL itself highlighted our cooperation during the course of the investigation and user privacy remains a top priority for TikTok,” said a TikTok spokesperson.