The CNIL has just sentenced TikTok to pay a fine of 5 million euros because of its cookie practices. A very weak condemnation compared to the power of the social network, but which could be the first of a long series…
TikTok, the favorite social network for 16-25 year olds because of its short videos that are “consumed” on the channel, is starting the year 2023 in turmoil! As voices rise more and more to denounce the lack of protection of minors – in particular with the absence of verification of the age of users at the time of registration – and the collection of data by the Beijing government , the National Commission for Computing and Liberties (the CNIL) has just sentenced the platform to a fine of 5 million euros. In a decision made public on January 13, 2023, the commission explains that it looked into the case of the Chinese social network between May 2020 and June 2022 by carrying out several online control missions, not of the mobile application, but of the tiktok.com website – although the social network was specifically designed for smartphones, users can also watch videos from a browser. Two things jumped out at him and didn’t sit well with him at all. Firstly, Internet users could not refuse cookies as easily as accepting them and, secondly, they were not informed with sufficient precision about the objectives of the different cookies. As a result, ByteDance, which owns TikTok, is in violation of the General Data Protection Regulation (GDPR), and more specifically article 82 of the Data Protection Act.
TikTok fine: you have to refuse cookies as easily as you accept them
The digital policeman noticed that the TikTok website did have a button to immediately accept cookies, but it did not offer an equivalent solution – a button, just in case – to allow the user to accept them. refuse so easily. To not consent to the deposit of cookies, several clicks were necessary, against only one to accept them. A maneuver clearly aimed at discouraging users from refusing cookies and encouraging them to take the easy way out by clicking on the consent button in the first window. However, this process violates the freedom of consent of Internet users, enshrined in article 82 of the Data Protection Act. Note that the problem has since been resolved with the implementation of a “Refuse all” button in February 2022, under pressure from the CNIL.
It also criticizes TikTok for not having informed Internet users sufficiently precisely about the objectives of the various cookies, whether in the choice interface or on the information banner – again, this is a breach. in article 82 of the Data Protection Act. As a reminder, cookies are small files responsible for collecting user information, in particular for advertising tracking and online tracking, which allows for example to know exactly which pages he visits and on which advertisements he clicks. Extremely valuable data for advertisers and which represents a real gold mine since it allows them to refine their advertising targeting by deducing the centers of interest of Internet users – and therefore to make a lot of money.
It is regrettable that the fine imposed by the CNIL is ultimately not so high given the immense fortune that TikTok represents as well as its significant influence. The Commission explains that it decided on its amount “in view of the shortcomings identified, the number of people concerned – in particular minors – and the numerous previous communications from the CNIL on the fact that it must be as simple to refuse cookies as to accept them.” To put it simply, the policy that refusing cookies should be as easy as accepting them has been in effect for a while and therefore it is no longer possible to hide behind the excuse of ignorance. In addition, the fact that the majority of the public targeted by TikTok are minors aggravates the case of the platform, given that the youngest do not have sufficient hindsight to know what the acceptance of cookies entails. However, the authority was only able to sanction the breaches in France and took into account the cooperation of the company, which has since corrected what it was accused of. The fact remains that in the end, 5 million euros is half the maximum fine that the CNIL could impose, and that it is a ridiculous sum given the power of the platform and of its financial results…
TikTok: the noose is tightening around digital powers
This condemnation risks being only the beginning of a long series, because it is not only in France that regulators are looking into the case of TikTok. Indeed, several investigations are underway at the request of the European Commission. This has instructed the Data Protection Commission (DPC), the Irish equivalent of the CNIL, to control the way in which TikTok transfers the personal data of its users abroad to China – something that the platform has by the way. recognized under pressure – as well as on the processing of personal data of users under the age of 18, who represent a significant part of its audience. Two investigations were opened in September 2021 and they are expected to be completed by the end of 2023. The social network is already banned in India and is subject to a ban on use among civil servants in the United States. The deputies are also discussing its fate on American soil, accusing TikTok of being a spy tool for Beijing and of endangering the mental health of young users – which various scientific studies confirm.
More generally, this CNIL sanction is part of a larger campaign against tech giants. Thus, in 2021, the digital policeman had looked into the process of accepting cookies from several flagship Web services and had, at the end of the investigations, condemned Google, Meta, and Amazon for not allowing them to simply refuse cookies. deposits of advertising cookies. More recently, she slammed Microsoft for mishandling cookies on its Bing search engine, allowing ad tracking without users’ consent, and privacy king Apple for using ad trackers without explicit consent. iPhone users, which contradicts its policy. Who will be the next one ?