TikTok Fined for Unlawful Collection of Personal Data via Cookies

February 22, 2023

The French Data Protection Authority (“CNIL”) recently issued a decision fining the social network TikTok 5 million euros for violating provisions of the French Law on Data Protection (“the Law”) and the GDPR. The fine was imposed for unlawful use of cookies, i.e., collecting data on users’ online activities without first obtaining their valid consent for such personal data processing.

Circumstances of the case

CNIL conducted an investigation into the use of cookies on the website of TikTok, a social network designed for video content sharing and owned by the Chinese company ByteDance. During the investigation, the authority established:

  • that certain marketing cookies were used even where users had not given consent to cookie activation;
  • that the cookie banner on the TikTok website enabled users to accept all cookies with one “click”, while refusing them required a more complicated procedure involving several steps;
  • that when users consented to the use of cookies on the main website, the cookies were automatically used when they entered some TikTok sub-domains, without a repeated request for consent, i.e., the users’ approval; and
  • that TikTok failed to clearly and comprehensively notify users which cookies were used, for which purposes, and which personal data were collected through them.

Breach of provisions of GDPR and the Law

The Law stipulates the data controller’s obligation to obtain the consent of the data subject, i.e., the person whose data are processed through cookies, except in two cases:

  • if the sole purpose of data collection is to enable and simplify electronic communication; or
  • when this is necessary for providing an online communication service at the user’s request.

Therefore, if data collection has a purpose other than the above-mentioned exceptions, the controller may use cookies only if it has obtained prior consent from the data subject, for each specifically defined purpose.

In this regard, the investigation established that TikTok violated these provisions of the Law: the cookies used do not fall under the stated exceptions, and the controller was therefore obliged to obtain the consent of the data subject whose data were collected, i.e., processed, for each particular purpose.

In addition, the provisions of the GDPR stipulate that the data subject has the right to withdraw consent at any time and to be informed of that possibility prior to giving consent; in this regard, CNIL established that TikTok users were not clearly and comprehensively informed. CNIL also noted in its decision that withdrawing consent needs to be as simple as giving it, which TikTok also implemented inadequately.

It was also established that TikTok did not clearly and comprehensively inform the users, i.e., the data subjects, which cookies were used, for which purposes, and which personal data were subject to processing; it used general and imprecise formulations, which prevented users from giving clear, free and informed consent.

Outcome and significance of the procedure

CNIL found that this case constituted unlawful personal data processing. In setting the amount of the fine, it considered mitigating and aggravating circumstances and fined TikTok 2.5 million euros for processing personal data without valid consent, and an additional 2.5 million euros for insufficiently clear and comprehensive information on the cookie banner.

In addition to this decision, the French regulator issued two other decisions in the same month, fining Apple 8 million euros and Microsoft 60 million euros for violation of the same provision, with similar reasoning; it can therefore be expected that CNIL will continue this practice in the future.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.