So that's how the cookie crumbles: What the French data protection regulator's fine for TikTok could mean for European and UK cookies

At the end of 2022, the French data protection regulator (the CNIL) issued TikTok Information Technologies UK Limited and Ireland-based TikTok Technology Limited (collectively TikTok) with an eye-watering €5 million fine (€2.5 million against each entity) for failure to comply with Article 82 of the French Data Protection Act (FDPA).

Why was a fine issued?

In June 2021, the CNIL identified that the cookie consent mechanism on the TikTok website did not allow website visitors to easily refuse the deposit of non-essential cookies on their device. Three clicks were required to refuse the deposit, compared with a single click to accept all cookies.

The process of refusing non-essential cookies was deemed 'complex', and the CNIL found that this mechanism actually discouraged users from refusing cookies and encouraged them to prefer the ease of the 'accept all' button. As a result, website visitors were deemed unable to give consent freely, which constituted a breach of the FDPA.

Further breaches of the FDPA were established because TikTok was deemed to have failed to provide clear information, when clicking through the cookie consent mechanism, about the purposes for which the cookies would be used. It also wasn't clear that a website visitor could ignore the banner entirely and that non-essential cookies wouldn't be placed; in such instances the banner would remain for the duration of the browsing session until a choice was made. This was seen to be promoting the simplest choice of just clicking 'accept all' to get rid of the banner.

How unusual is the approach to cookie compliance that TikTok took?

The backdrop to this case is that:

  • A 2021 study suggests that including a ‘refuse all’ button decreases the cookie acceptance rate by 15% – this was referenced in the CNIL decision notice.
  • It is rare that formal enforcement action is taken in relation to cookie compliance (TikTok has arguably been singled out and could consider themselves unlucky here, a pitfall of their website’s success) – typically regulators are tipped off by an unhappy complainant and organisations are told to make changes ‘or else’.

In light of the above, a number of organisations take a commercially balanced view that obtaining valuable data about the users of their website is worth the risks of getting caught, noting that they are normally provided with the option of making a change by a regulator before facing fines.

To put it another way, whilst there is a black and white distinction between compliance and non-compliance in cookie legislation, organisations have, in practice, introduced a sliding scale of greys, preferring to obtain as much data as possible and accepting minor breaches of the legislation in doing so.

Does the CNIL's decision apply to the UK?

The UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, which together make up cookie legislation in the UK, are currently aligned with European law. TikTok's failure to comply with the FDPA would therefore also amount to a breach of the current rules in the UK.

Further, the CNIL brought action in France against TikTok as a result of French data subjects accessing the TikTok website. Any UK based organisation offering services to data subjects in France will therefore also be open to challenge from the CNIL if it doesn’t follow the decisions of the regulator.

It is also worth noting that the CNIL is one of the leading data protection authorities in Europe and its decisions are seen to carry weight. The TikTok decision may influence the strategy and future decisions of the UK's Information Commissioner's Office (ICO) and how it chooses to respond to non-compliance with cookie legislation in the UK (not least because it will want to maintain the adequacy decision granted to the UK by the European Commission). At the time of writing, the ICO hasn't conformed to the CNIL decision; however, given the high-profile nature of the CNIL's decision, the ICO may feel some pressure to be seen to be taking proactive enforcement action to address cookie compliance in the UK.

Proposed cookie reform

The draft Data Protection and Digital Information (No. 2) Bill that was published in March included provisions that would deem some analytics cookies as non-essential cookies to help battle ‘cookie fatigue’. This change in perspective would mean that some websites that only use analytics cookies won’t need to obtain cookie consent.

However, there are no known plans for the requirement for cookie consent for other non-essential cookies to be completely abolished in the UK, meaning all websites deploying non-essential cookies will have to continue obtaining consent in accordance with relevant legislation.

What does this mean for me and my business?

Until we see how or if the ICO responds to the TikTok decision, there is no clear need for urgent action. However, organisations may want to consider reviewing their cookie consent and transparency practices. We anticipate that some organisations (in particular those with a cross-European reach) will take notice of this decision and make tweaks to their cookie consent practices to reduce the risk of a regulator bringing enforcement action.

If you would like to talk about your organisation's compliance with cookie legislation, please get in touch with Mark Searle or Ashley Avery.