France’s Commission Nationale de L'Informatique et des Libertés (CNIL) has issued TikTok with a fine for €5 million over cookie concerns.

CONTEXT

Over the course of two years (between May 2020 and June 2022), the CNIL carried out various investigations into TikTok’s website ‘Tiktok.com’ (not the app). The CNIL found that both TikTok UK and TikTok Ireland had failed to comply with the obligations set out in Article 82 of the French Data Protection Act and that both entities were jointly responsible as they both played a part in determining the purpose and means of the cookies in question.

The reason behind the fine of €5 million was twofold: first, users of Tiktok.com could not refuse cookies as easily as they could accept them (several clicks were required to refuse all cookies, as opposed to just one to accept them) and secondly, users were not sufficiently informed of the precise purposes of the different cookies.

There is still ambiguity across Europe about the status of a ‘reject all’ cookie banner button (and while there is guidance from the Information Commissioner’s Office (ICO), there is not an absolute mandate that a reject all button is required). However, France has been very vocal on its expectations for cookie banners; they must include a clear and obvious ‘reject all’ cookie button (see the CNIL fines for Google and Facebook and more recently Apple, as well as the Conseil d'État approved guidance). The CNIL considered that by design, TikTok’s cookie banner was presented in a way that the refusal mechanism was more complex and, therefore, it was easier just to hit ‘accept’. Ultimately, the CNIL found that this process infringed the freedom of consent of internet users.

FURTHER THOUGHTS

This is the latest in a series of cookie fines from the CNIL and is a clear indication of just how seriously the French regulator takes cookie compliance. It is also worth noting that it is yet another example where the CNIL asserts its sole jurisdiction, stating it is “materially competent to verify and sanction operations related to cookies deposited by the companies on the terminals of Internet users located in France,” and goes on to say the GDPR’s one-stop shop mechanism is “not intended to apply in these procedures insofar as the operations linked to the use of the identifiers fall within the scope of the "ePrivacy" directive, transposed in Article 82 of the French Data Protection Act.” The CNIL also stated that the fine was issued in respect of a “framework of the activities” of TikTok SAS, which is the French establishment of TikTok.

While the CNIL’s focus appears to be large technology companies, this is a salutary reminder to those organisations with online operations in France to ensure their cookies are compliant, especially in light of the European Data Protection Board’s (EDPB) Cookie Banner Taskforce Report. The EDPB’s report states that the “vast majority of authorities considered that the absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent and thus constitutes an infringement.” However, it is worth noting that the report continues: “few authorities considered that they cannot retain an infringement in this case as article 5(3) of the ePrivacy Directive does not explicitly mentioned a “reject option” to the deposit of cookies”. Could this be the Irish Data Protection Commission (IDPC) perhaps? Their approach to date, along with the ICO, has been that they do not specifically require a ‘reject all’ button. Will the IDPC update their guidance in light of the CNIL’s continued fines and this report? Only time will tell. However, the ICO in a post-Brexit, data-reforming, pro-business UK might be more pragmatic and stick with the status quo and not require a ‘reject all’ button.

€5 million is clearly a message to the world about France’s clear and categorical position about the ‘reject all’ button on the cookie banner but the amount may raise eyebrows as it is pocket change when viewed alongside other recent CNIL fines. The CNIL said the fine was determined “on the basis of the breaches identified, the number of people concerned - including minors - and the numerous previous communications from the CNIL on the fact that it must be as simple to refuse cookies as to accept them.”