France’s Commission Nationale de l'Informatique et des Libertés (CNIL) has fined TikTok €5 million over cookie concerns.
Over the course of two years (between May 2020 and June 2022), the CNIL carried out various investigations into TikTok’s website ‘Tiktok.com’ (not the app). The CNIL found that both TikTok UK and TikTok Ireland had failed to comply with the obligations set out in Article 82 of the French Data Protection Act and that both entities were jointly responsible as they both played a part in determining the purpose and means of the cookies in question.
There is still ambiguity across Europe about the status of a ‘reject all’ cookie banner button (and while there is guidance from the Information Commissioner’s Office (ICO), there is not an absolute mandate that a reject all button is required). However, France has been very vocal on its expectations for cookie banners: they must include a clear and obvious ‘reject all’ cookie button (see the CNIL fines for Google and Facebook and more recently Apple, as well as the Conseil d'État-approved guidance). The CNIL considered that, by design, TikTok’s cookie banner was presented in such a way that the refusal mechanism was more complex and, therefore, it was easier just to hit ‘accept’. Ultimately, the CNIL found that this process infringed the freedom of consent of internet users.
This is the latest in a series of cookie fines from the CNIL and is a clear indication of just how seriously the French regulator takes cookie compliance. It is also worth noting that this is yet another example of the CNIL asserting its sole jurisdiction, stating that it is “materially competent to verify and sanction operations related to cookies deposited by the companies on the terminals of Internet users located in France,” and going on to say that the GDPR’s one-stop shop mechanism is “not intended to apply in these procedures insofar as the operations linked to the use of the identifiers fall within the scope of the ‘ePrivacy’ directive, transposed in Article 82 of the French Data Protection Act.” The CNIL also stated that the fine was issued in respect of a “framework of the activities” of TikTok SAS, which is the French establishment of TikTok.
While the CNIL’s focus appears to be large technology companies, this is a salutary reminder to those organisations with online operations in France to ensure their cookies are compliant, especially in light of the European Data Protection Board’s (EDPB) Cookie Banner Taskforce Report. The EDPB’s report states that the “vast majority of authorities considered that the absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent and thus constitutes an infringement.” However, it is worth noting that the report continues: “few authorities considered that they cannot retain an infringement in this case as article 5(3) of the ePrivacy Directive does not explicitly mention a ‘reject option’ to the deposit of cookies”. Could this be the Irish Data Protection Commission (IDPC) perhaps? Their approach to date, along with that of the ICO, has been that they do not specifically require a ‘reject all’ button. Will the IDPC update their guidance in light of the CNIL’s continued fines and this report? Only time will tell. However, the ICO in a post-Brexit, data-reforming, pro-business UK might be more pragmatic and stick with the status quo and not require a ‘reject all’ button.