Popular short-form video hosting service TikTok has been fined €5 million (about $5.4 million) by the French data protection watchdog for breaking cookie consent rules, making it the latest platform to face similar penalties after Amazon, Google, Meta, and Microsoft since 2020.
The regulator said it conducted several audits between May 2020 and June 2022, finding that the ByteDance-owned company did not offer a straightforward option to refuse all cookies, whereas accepting them took just one click. The option to "refuse all" cookies was introduced by TikTok in February 2022.
"Making the opt-out mechanism more complex is in fact discouraging users from refusing cookies and encouraging them to prefer the ease of the 'Accept All' button," the CNIL argued, calling it a breach of the French Data Protection Act.
It further called out TikTok for not informing users of the purposes behind depositing such cookies on users' systems when visiting tiktok[.]com. The company has since rectified the issues.
While cookie consent banners have become increasingly common since the E.U. General Data Protection Regulation (GDPR) took effect in May 2018, it has been repeatedly observed that companies resort to illegal dark patterns to trick users into sharing more information.
Under the laws, websites are required to withhold all third-party cookies and trackers – which could be used for behavioral advertising or gathering analytics information – until explicit permission from users is obtained.
The development also comes weeks after the CNIL penalized Apple for not obtaining iPhone users' consent in iOS 14.6 prior to using identifiers to present targeted ads on the App Store in violation of the E.U. ePrivacy Directive.