Cookies: the CNIL fines TIKTOK 5 million euros
Between May 2020 and June 2022, the CNIL carried out several online investigations on the "tiktok.com" website and on the basis of documents requested from the company by the CNIL.
The investigations were carried out only on the TIKTOK website, in an unlogged session, and not on the mobile application.
On the basis of the findings following the inspections, the restricted committee - the CNIL body responsible for issuing sanctions - considered that TIKTOK INFORMATION TECHNOLOGIES UK LIMITED (TIKTOK UK) and TIKTOK TECHNOLOGY LIMITED (TIKTOK IRELAND) had failed to comply with the obligations set out in Article 82 of the French Data Protection Act.
The breaches of the French Data Protection Act
During the inspection carried out in June 2021, the CNIL noted that although the companies TIKTOK UK and TIKTOK IRELAND did offer a button allowing immediate acceptance of cookies, they did not put in place an equivalent solution (button or other) to allow the Internet user to refuse their deposit as easily. Several clicks were required to refuse all cookies, as opposed to just one to accept them.
In addition, users were not informed in a sufficiently precise manner of the purposes (objectives) of the cookies, either on the first-level information banner or in the context of the choice interface accessible after clicking on a link in the banner.
The restricted committee therefore found several breaches of Article 82 of the Data Protection Act.
Jurisdiction of the CNIL
The CNIL is materially competent to verify and sanction operations related to cookies deposited by the companies on the terminals of Internet users located in France. The cooperation mechanism provided for by the GDPR (the “one-stop shop” mechanism) is not intended to apply in these procedures insofar as the operations linked to the use of the identifiers fall within the scope of the "ePrivacy" directive, transposed in Article 82 of the French Data Protection Act.