For a bit of background, between 2020 and 2022, the CNIL conducted several investigations on the tiktok.com website in an unlogged session, not on the mobile application.
The CNIL found that TikTok UK and Tiktok Ireland failed to comply with their obligations which are set out in Article 82 of the French Data Protection Act.
What does French law say?
Under Article 82 of the DPA, any action through which an electronic communication service accesses or enters information in a user’s terminal equipment (such as the storage of cookies) requires the user’s consent. All users must be “clearly and fully informed” of the purpose of any action AND the means to oppose it.
Article 4 of the GDPR (European Union’s Data Protection Regulation) highlights consent must be specific and manifested as a positive act. Recital 42 of the GDPR states consent is not free if the user cannot “refuse or withdraw consent without suffering prejudice”.
What was breached?
TikTok UK and TikTok Ireland did offer a button allowing immediate acceptance of the cookies. However, the CNIL said that they did not put in place an equivalent solution (button) to allow Internet users to refuse consent just as easily, and several clicks were required to refuse all cookies compared to one just to accept them.
It was considered that the complexities surrounding the refusal mechanism actually discouraged users from refusing cookies and encouraged them to prefer the ease of the “accept all” button.
Thus, TikTok UK and Ireland’s processes infringed on the freedom of consent of Internet users and violated Article 82 of the French DPA.
Refusing cookies should be as easy as accepting them.
Pre-ticked boxes are not allowed!