CNIL (France) - SAN-2022-027

From GDPRhub
CNIL - Délibération SAN-2022-027 du 29 décembre 2022
Authority: CNIL (France)
Jurisdiction: France
Relevant Law:
Article 82 of the French Data Protection Act
Type: Investigation
Outcome: Violation Found
Started: 14.05.2020
Decided: 29.12.2022
Published: 12.01.2023
Fine: 5,000,000 EUR
Parties: TikTok
National Case Number/Name: Délibération SAN-2022-027 du 29 décembre 2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined TikTok €5,000,000 for implementing advertising identifiers on users' devices without prior consent. TikTok's cookie banner was also found insufficiently informative.

English Summary

Facts

The French DPA (the 'DPA') started an investigation on 14 May 2020 into TikTok's website (the 'service provider' or 'the company'). The DPA also inquired into TikTok's cookie use, with a particular focus on whether and how the provider deposited and/or accessed cookies and other trackers on the devices of users located in France.

The investigation established several facts. First, the company had a French establishment (TIKTOK SAS) tasked with the sale and promotion of advertising on the French market. The employees of this establishment worked with advertisers to target local audiences with personalised ads. Second, TikTok's cookie banner on the main TikTok website (Tiktok.com) allowed users to accept all cookies with a single click using a single button. It was possible to deny cookies, such as using the 'manage consent' button, but these methods required more steps when compared to accepting cookies. Third, even if a user did not consent to their installation, certain advertising cookies would nonetheless be placed. The DPA also found that where a user had consented to the use of cookies on the main website, cookies would also be placed on the user's device when the user navigated to one of TikTok's subdomains, with no consent request in those cases.

Holding

Material competence of the French DPA

The DPA determined that it was materially competent. It considered Articles 16 and 20 of the French data protection act and two decisions from the French Conseil d'Etat, in which it was stated that operations regarding the use of trackers on users' devices, located on French territory, fell within the competence of the French DPA. One of these decisions was the Conseil's decision of 28 January 2022 (Societe GOOGLE LLC and Societe GOOGLE IRELAND LIMITED).

Territorial competence of the French DPA

In order to assess whether the DPA was territorially competent to handle this decision under Article 3 of the French Data Protection Act, the DPA assessed whether TikTok fulfilled two requirements. Under the first one, (1) the provider needed to have an establishment on French territory. This was the case, since 'TIKTOK SAS' was a French establishment. The second condition requires (2) that the tracker-related processing must be carried out in the context of the activities of such establishment. The DPA referred to another decision (AMAZON EUROPE CORE of 27 June 2022) where such a "link" was also confirmed if the French establishment promoted and sold advertising services on the French market, and used the tracking tools to provide such services (see points 10 and 15 of this Amazon decision - link to original decision in French). The DPA considered that this second criterion was also fulfilled in this decision. Indeed, TIKTOK SAS was responsible for the sale and promotion of advertising for the French market, which was only possible with a cookie placed on the user's device.

Article 82 of the French Data Protection Act

The DPA explained that Article 82 of the French Data Protection Act required the provider to ask consent of data subjects if it was reading/writing information to the user’s device. There were however two exceptions to this consent-requirement. No consent was required if the sole purpose of the identifier was to facilitate communication by electronic means or when the identifier was strictly necessary for the provision of an online communication service at the user's request. If an identifier had multiple purposes, the provider could only use the identifier for advertising when it had obtained prior consent from the data subject for this specific purpose. Besides a few cookies, of which the purpose remained unclear, the DPA determined that the cookies used were not exclusively intended to enable or to facilitate communication by electronic means, nor could these cookies be regarded as strictly necessary for the provision of an online communication service. Therefore, TikTok had to obtain valid consent (Article 4(11) GDPR) from users before using the identifiers. The DPA stated that it should be as easy to refuse or withdraw consent for cookies as it is to give consent for cookies. In this case, however, the DPA held that the user was not sufficiently informed about the possibility to simply not consent to the cookies when the cookie-banner would be presented to this user. The DPA also found that it was not intuitive for the user to consider that he/she could navigate the main website without taking any action regarding the banner. When the user did not take any action on this banner, the banner would remain displayed on the webpage. The user was however not informed about the consequences of this inactivity. The simplest choice was therefore acceptance of all cookies because the banner would then disappear.

The DPA also considered the unclear nature of the "manage settings" button on the cookie banner, which did not clearly mention the possibility to refuse cookies. The DPA also considered that the provider's decision to make refusing cookies more complex than accepting them actually discourages users from refusing cookies and encourages them to prefer the ease of the 'accept all' button. Because no new consent was requested when a user navigated to one of TikTok's subdomains, the DPA considered it especially important that the consent asked for on the main domain was given freely. Because refusing cookies was not as easy as accepting them and insufficient information was provided, the DPA considered that this was not the case, in violation of Article 82 of the French Data Protection Act.

Article 82 of the French Data Protection Act also states that users must be informed in "a clear and complete manner". The DPA determined that TikTok only mentioned general descriptions on its cookie banner. The DPA assessed the phrases in the banner in detail and held that the user would not be able to determine what types of content would be presented to the user and in what form this content would be presented. The DPA also determined that if several cookies served the same purpose or several purposes, the user had to be informed when consenting for each cookie. The DPA held that in this case, the user did not know whether the provider's cookies were for "analytical data" and/or for marketing purposes, which seemed to be two different purposes. The DPA also held that it should have been possible to accept these cookies separately. This resulted in another violation of Article 82 of the French Data Protection Act. The information provided by TikTok in the cookie banner on the main website was not sufficient and did not allow users to give free and informed consent.

After considering several mitigating and aggravating factors, the DPA fined TikTok €2,500,000 for the lack of valid consent and €2,500,000 for providing imprecise information on its consent banner.

Comment

This is the third decision in one month in which the French DPA fined a major technology company for the use of cookies pursuant to Article 82 of the French Data Protection Act. One week before this TikTok decision, the DPA fined Apple €8,000,000 for similar reasons. At the end of December 2022, the DPA had also fined Microsoft €60,000,000 for the use of cookies.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted formation n°SAN-2022-027 of 29 December 2022 concerning the companies TIKTOK INFORMATION TECHNOLOGIES UK LIMITED and TIKTOK TECHNOLOGY LIMITED

The Commission nationale de l'informatique et des libertés, meeting in its restricted formation composed of Mr Alexandre LINDEN, Chairman, Mr Philippe-Pierre CABOURDIN, Vice-Chairman, Ms Anne DEBET, Ms Christine MAUGÜÉ, Mr Alain DRU and Mr Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the free movement of such data;

Having regard to Law No. 78-17 of 6 January 1978 on information technology, files and freedoms, in particular Articles 20 et seq;

Having regard to Decree No. 2019-536 of 29 May 2019 taken for the application of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms;

Having regard to Deliberation No. 2013-175 of 4 July 2013 adopting the internal rules of procedure of the Commission nationale de l'informatique et des libertés;

Having regard to Decision No. 2020-047C of 27 December 2019 of the President of the Commission nationale de l'informatique et des libertés to instruct the Secretary General to carry out or have carried out a mission to verify any processing of personal data relating, in whole or in part, to data relating to the marketing or use of the products or services associated with the "Tik Tok" brand;

Having regard to the decision of the President of the Commission nationale de l'informatique et des libertés appointing a rapporteur before the restricted formation of 3 February 2022;

Having regard to the report of Mrs Valérie PEUGEOT, Commissioner-Rapporteur, notified to the companies TIKTOK INFORMATION TECHNOLOGIES UK LIMITED and TIKTOK TECHNOLOGY LIMITED on 7 July 2022;

Having regard to the written observations submitted by TIKTOK INFORMATION TECHNOLOGIES UK LIMITED and TIKTOK TECHNOLOGY LIMITED on 22 August 2022;

Having regard to the rapporteur's reply to these observations, notified on 22 September 2022 to the companies' counsel;

Having regard to the written observations of TIKTOK INFORMATION TECHNOLOGIES UK LIMITED and TIKTOK TECHNOLOGY LIMITED received on 24 October 2022;

Having regard to the other documents in the file;

The following were present at the meeting of the restricted formation on 1 December 2022:

- Mrs Valérie PEUGEOT, Commissioner, heard in her report;

As representatives of TIKTOK INFORMATION TECHNOLOGIES UK LIMITED and TIKTOK TECHNOLOGY LIMITED:

- [...]

The companies TIKTOK INFORMATION TECHNOLOGIES UK LIMITED and TIKTOK TECHNOLOGY LIMITED having last spoken;

The restricted formation adopted the following decision:

I. Facts and procedure

1. The TIKTOK Group, which has offices in Europe, the Middle East, North America, Asia and Africa, belongs to the BYTEDANCE group of companies, which operates a range of content distribution platforms. BYTEDANCE LTD, the parent company of the TIKTOK Group, is registered in the Cayman Islands.

2. BYTEDANCE launched the TIKTOK app in May 2017. In November 2017, BYTEDANCE acquired "musical.ly", a content distribution platform allowing users to create, view and share content. The American company MUSICAL.LY INC. offered the "musical.ly" application to users located in the United States and the European Union. Following the acquisition, the "musical.ly" app was renamed TIKTOK in August 2018 and the corporate name of MUSICAL.LY INC. was changed to TIKTOK INC. in May 2019.

3. TIKTOK INC. continued to offer the app to persons within the European Union following the acquisition of the app by BYTEDANCE and its name change to TIKTOK. TIKTOK INC. was responsible for the processing of personal data of users located in the European Union until July 2020. In the course of the monitoring procedure, TIKTOK INFORMATION TECHNOLOGIES UK LIMITED (hereinafter "TIKTOK UK") and TIKTOK TECHNOLOGY LIMITED (hereinafter "TIKTOK IRELAND") indicated that, as of July 29, 2020, they are jointly responsible for the processing of personal data of European users.

4. TIKTOK UK, based in London (UK), had [...] employees in June 2020.

5. TIKTOK IRELAND, a subsidiary of TIKTOK UK, is headquartered in Dublin, Ireland. It was incorporated at the end of 2018 and employed [...] people in June 2020.

6. In 2021, BYTEDANCE, the parent company of TIKTOK, had a turnover of approximately [...] dollars. The total turnover of TIKTOK UK and its subsidiaries was almost [...] dollars in 2019 and over [...] dollars in 2020.

7. Furthermore, two TIKTOK establishments are present in France, NEWS REPUBLIC and TIKTOK SAS, which have their registered offices in Bordeaux and Paris respectively.

8. In the first quarter of 2020, the TIKTOK application had approximately 60 million active users per month in the European Union and the United Kingdom. Approximately 7 million of these monthly active users were located in France, of which 5 million were registered users, i.e. with an account. According to publicly available information, TIKTOK was the most downloaded mobile phone application in 2021.

9. Pursuant to Decision No. 2020-047C of the President of the Commission nationale de l'informatique et des libertés (hereinafter "the Commission" or "the CNIL") of 27 December 2019, the CNIL carried out an online monitoring mission on the "tiktok.com" website on 14 May 2020.

10. On June 3, 2020, a documentary inspection was also carried out by sending a questionnaire to TIKTOK INC, the controller at the time, a copy of which was sent to TIKTOK UK. The company was thus asked to answer several questions relating in particular to the organisation of the group, its responsibility in the context of the processing carried out on the "tiktok.com" site, and the purposes of the reading and/or writing operations carried out from this site on the terminals of users residing in France.

11. On June 29, 2020, TIKTOK UK sent elements of its response to the CNIL. By emails dated 26 August and 30 September 2020, the CNIL delegation requested additional information from the company, which TIKTOK IRELAND provided by letters dated 24 September and 9 October 2020.

12. On 3 June 2021, a second online check was carried out by a CNIL delegation. During this control, the delegation followed three paths in order to identify whether cookies are deposited on the user's equipment during navigation:

- path 1 - "refusal of the deposit of cookies": when the user goes to the website "www.tiktok.com" and continues browsing after clicking on the "Manage settings" tab located in the cookie information banner, then on the "Open cookie settings" button, then on the "Save" button;

- path 2 - "no choice expressed": when the user goes to the website "www.tiktok.com" and then does not click on any of the buttons that appear in the information banner, and then continues browsing the social network;

- path 3 - "acceptance of cookies, then withdrawal of consent": when the user goes to the website "www.tiktok.com" and, after clicking on the "Accept all" tab located in the information banner relating to cookies, continues to browse the social network; then when he/she goes to the link entitled "Cookies" in the footer, clicks on the "Open cookie settings" button, unchecks the "Analytical and marketing data" slider, then clicks on the "Save" button and continues to browse.

13. The inspection delegation asked TIKTOK IRELAND, in the context of the online report of findings drawn up at the end of the inspection, for further details on the purpose of each of the cookies mentioned in the report and on the purpose of the requests made to certain areas mentioned in the documents.

14. By letter dated 22 June 2021, TIKTOK IRELAND provided the details requested by the inspection delegation.

15. For the purposes of investigating these elements, the Commission President appointed Ms Valérie PEUGEOT as rapporteur on 3 February 2022, on the basis of Article 39 of Decree No. 2019-536 of 29 May 2019.

16. In a letter dated 30 May 2022, the rapporteur requested additional information from counsel for the companies TIKTOK UK and TIKTOK IRELAND, in particular on the current functions of the companies TIKTOK SAS and NEWS REPUBLIC, on the legal links between the companies NEWS REPUBLIC, TIKTOK SAS, TIKTOK IRELAND and TIKTOK UK and on the date on which the "refuse all" button was added to the banner relating to cookies on the "tiktok.com" site. These additional elements were sent to the rapporteur by letter dated 14 June 2022.

17. Then, at the rapporteur's request, the President of the Commission had a new verification mission carried out on the processing operations carried out on the "tiktok.com" website on 30 June 2022.

18. On 7 July 2022, the rapporteur sent the company a report detailing the failure to comply with Article 82 of Law no. 78-17 of 6 January 1978, as amended, on data processing, files and freedoms (hereinafter "the Data Processing and Freedoms Law"), which she considered to have occurred in this case. The rapporteur proposed that the Commission's restricted panel impose an administrative fine on the companies TIKTOK UK and TIKTOK IRELAND, as well as an injunction, accompanied by a fine, to cease depositing cookies and tracers subject to the collection of consent from persons residing in France when they arrive on the "tiktok.com" site, even before they have had the opportunity to make a choice regarding access operations or the recording of information in their terminal, after they have refused to accept read and write operations or after they have withdrawn their consent, and to inform the persons concerned about the purposes of the various cookies for which the user can make a choice by clicking on a slider button, in order to enable them to give free and informed consent. It also proposed that the penalty decision should be made public, but that it should no longer be possible to identify the companies by name after two years from its publication.

19. On 22 August 2022, the companies submitted their observations in response to the penalty report.

20. The rapporteur replied to the companies' observations on 22 September 2022.

21. On 24 October 2022, the companies submitted further observations in response to the Rapporteur's comments.

22. By letter dated 9 November 2022, the rapporteur informed the companies' counsel that the investigation was closed, pursuant to Article 40, III, of amended Decree no. 2019-536 of 29 May 2019.

23. By letter dated 10 November 2022, the companies were informed that the case had been placed on the agenda of the restricted formation of 1 December 2022.

24. The rapporteur and the companies presented oral observations at the meeting of the restricted formation.

II. Reasons for the decision

A. On the processing operations in question and the competence of the CNIL

1. On the material competence of the CNIL and the non-application of the "one-stop shop" mechanism provided for by the GDPR

25. The processing operations that are the subject of the present procedure relate to the deposit of cookies and tracers on the terminal of users residing in France when browsing the "tiktok.com" site and the TIKTOK sub-domains. The main domain - "tiktok.com" - is the main site through which users can watch videos on the TIKTOK platform. As for the sub-domains, they are dedicated to other specific activities: sub-domain dedicated to TIKTOK news ("newsroom.tiktok.com"), sub-domain allowing to collaborate with creators according to one's industry, budget and business goals ("creatormarketplace.tiktok.com") or sub-domain allowing developers to create tools for creators and communities ("developers.tiktok.com") for example.

26. The processing operations subject to the procedure are carried out in the context of the provision of publicly available electronic communications services over a public electronic communications network offered within the European Union. As such, they fall within the material scope of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2006/24/EC of 15 March 2006 and by Directive 2009/136/EC of 25 November 2009 (hereinafter "ePrivacy Directive").

27. Article 5(3) of this Directive, relating to the storage of or access to information already stored in a subscriber's or user's terminal equipment, has been transposed into national law in Article 82 of the Data Protection Act, within Chapter IV of the Act relating to the Rights and Obligations specific to processing in the electronic communications sector.

28. Under Article 16 of the Data Protection Act, "the restricted formation shall take measures and impose sanctions against data controllers or processors who do not comply with the obligations arising from [...] the present law". According to Article 20, paragraph III, of the same law, "when the controller or his processor does not respect the obligations resulting from [...] the present law, the president of the Commission nationale de l'informatique et des libertés [...] may refer the matter to the restricted formation".

29. The rapporteur considers that the CNIL is materially competent to control and sanction the operations of accessing or recording information implemented by companies in the terminals of users of the TIKTOK social network in France.

30. In their defence, the companies did not comment on the CNIL's jurisdiction in their written submissions, stating that they "reserve the right to make a decision at a later date".

31. The restricted formation recalls that the Conseil d'État, in its decision Société GOOGLE LLC and Société GOOGLE IRELAND LIMITED of 28 January 2022, confirmed that the control of access operations or the recording of information in the terminals of users in France of an electronic communications service, even arising from cross-border processing, falls within the competence of the CNIL and that the one-stop shop system provided for by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "the GDPR" or "the Regulation") is not applicable: "no provision has been made for the application of the so-called "one-stop shop" mechanism applicable to cross-border processing, defined in Article 56 of that Regulation, for the implementation and control measures of Directive 2002/58/EC of 12 July 2002, which fall within the competence of the national supervisory authorities under Article 15a of that Directive. It follows that, as far as the control of operations of access and recording of information in the terminals of users in France of an electronic communications service is concerned, even if they are the result of cross-border processing, the measures for controlling the application of the provisions transposing the objectives of Directive 2002/58/EC fall within the competence conferred on the CNIL by the law of 6 January 1978 [...]" (CE, 10th and 9th joint chambers, 28 January 2022, GOOGLE LLC and GOOGLE IRELAND LIMITED, n° 449209, pt. 12). The Council of State reaffirmed this position in a ruling of 27 June 2022 (CE, 10th and 9th joint chambers, 27 June 2022, AMAZON EUROPE CORE, No. 451423).

32. Consequently, the restricted panel considers that the CNIL is competent to monitor and initiate sanction proceedings concerning processing operations carried out by companies falling within the scope of the ePrivacy Directive, provided that the processing operation falls within its territorial jurisdiction.

2. On the territorial jurisdiction of the CNIL

33. The rule for the territorial application of the requirements set out in Article 82 of the Data Protection Act is set out in Article 3, paragraph I, of the same Act, which states: "without prejudice, as regards processing falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, to the criteria provided for in Article 3 of that Regulation, all the provisions of this Act shall apply to the processing of personal data carried out in the context of the activities of an establishment of a controller [...] on French territory, whether or not the processing takes place in France".

34. The rapporteur considers that the CNIL is territorially competent in application of these provisions since the processing that is the subject of the present procedure, consisting of operations to access or enter information in the terminal of users residing in France when browsing the "tiktok.com" website, is carried out within the "framework of the activities" of TIKTOK SAS, which constitutes the "establishment" on French territory of TIKTOK UK and TIKTOK IRELAND.

35. In their defence, the companies did not comment on this point, stating that they "reserve the right to make a decision at a later date".

36. Firstly, with regard to the existence of an establishment of the controller on French territory, the restricted panel recalls that the Court of Justice of the European Union (hereinafter the "CJEU") has consistently held that the concept of establishment must be assessed in a flexible manner and that to this end both the degree of stability of the establishment and the reality of the exercise of the activities in another Member State should be assessed, taking into account the specific nature of the economic activities and the provision of services in question (see, for example, CJEU, Weltimmo, 1 Oct. 2015, C 230/14, pts. 30 and 31). The CJEU further considers that a company, an autonomous legal person, of the same group as the controller, may constitute an establishment of the controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C-131/12, pt 48).

37. In the present case, the restricted formation notes, first of all, that the companies indicated in the course of the procedure that the company TIKTOK SAS had taken over the functions of the company NEWS REPUBLIC. TIKTOK SAS, registered in France since 17 March 2020, has premises located at 19 rue Poissonnière in Paris (75002). Under the terms of its articles of association filed with the Paris Commercial Court, its purpose is, in particular, "to develop, promote, sell and/or distribute software, services, advice and/or products enabling or facilitating access by users of mobile telephones or other mobile media to content in all its forms: texts, videos, music, images".

38. Furthermore, the restricted formation notes, with regard to the links between these two establishments and the companies TIKTOK UK and TIKTOK IRELAND, that the companies NEWS REPUBLIC and TIKTOK SAS are both part of the BYTEDANCE group involved in the processing of personal data of French users and are both wholly owned by the company TIKTOK UK. They are linked to each other by contractual agreements.

39. Secondly, with regard to the existence of processing carried out "in the context of the activities" of this establishment, the restricted panel notes that, in its decision AMAZON EUROPE CORE of 27 June 2022, the Conseil d'État recalled that "it follows from the case law of the Court of Justice of the European Union, in particular from its judgment of 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (C-210/16), that in view of the objective pursued by that directive [the e-Privacy Directive], which is to ensure effective and comprehensive protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of privacy and the protection of personal data, processing of personal data may be regarded as being carried out "in the course of the activities" of a national establishment not only if that establishment is itself involved in carrying out that processing, but also if the latter merely carries out, on the territory of a Member State the promotion and sale of advertising space in order to make profitable the services offered by the controller of a processing operation consisting in collecting personal data by means of connection tracers installed on the terminals of visitors to a site" (CE, 10th and 9th chambers, 27 June 2022, AMAZON EUROPE CORE, No. 451423, pt. 10). The Council of State considered in the same decision that this was the case when the activities of the controller's establishment consisted of the promotion and marketing of advertising tools controlled and operated by the controller, which functioned in particular thanks to the data collected through connection tracers deposited on the terminals of users of the site operated by the controller (pt. 15 of the above-mentioned decision).

40. In the present case, the restricted formation notes that the operations of accessing or recording information in the terminal of users located in France when using the TIKTOK social network - main domain and sub-domains - are intrinsically linked to the activities of the company TIKTOK SAS (and of the company NEWS REPUBLIC before TIKTOK SAS took over its functions). Indeed, the companies TIKTOK IRELAND and TIKTOK UK operate the website "tiktok.com" on which advertising space is purchased by advertisers. The sale of these advertising spaces and, more generally, the promotion of advertising tools are carried out, for the French market, by the company TIKTOK SAS (and previously by the company NEWS REPUBLIC), which works with advertisers to target "local audiences" and thus propose the most relevant advertisements. However, the display of personalised advertisements to a specific Internet user is only possible if the latter's browsing within the application can be traced thanks to a cookie, in order to determine which content would be the most relevant to display.

41. Thus, the processing consisting of accessing or recording information in the terminal of users residing in France, when using the TIKTOK social network, is carried out in the context of the activities of the company TIKTOK SAS (and previously NEWS REPUBLIC). The restricted panel noted that the two criteria provided for in Article 3, paragraph I, of the Data Protection Act were therefore met.

42. It follows that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including the power to impose sanctions on processing operations falling within the scope of the ePrivacy Directive.

B. On the determination of the controller

43. The restricted formation notes, first of all, that Articles 4(7) and 26(1) of the GDPR are applicable to the present procedure because of the use of the concept of "controller" in Article 82 of the Data Protection Act, which is justified by the reference made by Article 2 of the ePrivacy Directive to Directive 95/46/EC on the protection of personal data, which has been replaced by the GDPR.

44. According to Article 4(7) of the GDPR, the controller is "the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing". According to Article 26(1) of the GDPR, "where two or more controllers jointly determine the purposes and means of the processing, they shall be joint controllers".

45. The rapporteur considers that the companies TIKTOK IRELAND and TIKTOK UK act as joint controllers of the processing at issue, in that they jointly participate in determining the purposes and means of the processing consisting of accessing or recording information in the terminal of users residing in France when using the TIKTOK social network, in particular on the "tiktok.com" site and the TIKTOK sub-domains.

46. The companies did not make any observations on this point in their written submissions.

47. The restricted formation recalls that the CJEU has ruled on several occasions on the concept of joint responsibility for processing, in particular in its Jehovah's Witnesses judgment. In that judgment, it considered that, according to the provisions of Article 2(d) of Directive 95/46 on the protection of personal data, "the concept of 'controller' refers to the natural or legal person who, 'alone or jointly with others', determines the purposes and means of the processing of personal data. This concept does not necessarily refer to a single natural or legal person and may involve several actors participating in the processing, each of whom must then be subject to the applicable data protection provisions [...]. Since the objective of this provision is to ensure, through a broad definition of the concept of 'controller', effective and comprehensive protection of data subjects, the existence of joint responsibility does not necessarily mean that the different actors are equally responsible for the same processing of personal data. On the contrary, those actors may be involved at different stages of that processing and to different degrees, so that the level of responsibility of each of them must be assessed taking into account all the relevant circumstances of the case" (CJEU, 10 July 2018, C-25/17, pts. 65 and 66).

48. The restricted formation considers that these developments provide useful clarification of the concept of joint processing responsibility invoked by the rapporteur with regard to the companies TIKTOK UK and TIKTOK IRELAND concerned by the processing operations at issue.

49. The restricted formation underlines that the company TIKTOK UK specified, in a letter of 29 June 2020 addressed to the CNIL during the control procedure, that it was "in the process of moving to a joint controller model, in which TikTok Information Technologies UK Limited in the United Kingdom and TikTok Technology Limited in Ireland will become joint controllers of the personal data of users located in the EU". Then, in a letter dated 24 September 2020, TIKTOK IRELAND reported on the role of TIKTOK IRELAND and TIKTOK UK as joint controllers of user data in the European Economic Area.

50. The Panel notes that at the time of the online inspection on 3 June 2021, the privacy policy on the "tiktok.com" website stated in paragraph 11: "About us and how to contact us": "TikTok Ireland and TikTok UK provide the Platform and related services and jointly process personal data in the manner described under this policy and our Terms of Service".

51. Finally, in a letter dated June 15, 2022, counsel for the TIKTOK companies confirmed that the announced restructuring of the BYTEDANCE group, to which the TIKTOK IRELAND and TIKTOK UK companies belong, does not affect their status as joint data controllers with regard to the "tiktok.com" website, made available to TIKTOK users in France. It specified that the two companies "jointly determine the purposes and means of the processing activities consisting of accessing and recording information in the terminal of users residing in France when using the TikTok services".

52. It follows from all of the above that TIKTOK UK and TIKTOK IRELAND jointly determine the purposes and means of the processing activities consisting of accessing or recording information in the terminal of users residing in France when using the TIKTOK social network and therefore act as joint controllers of the processing activities at issue.

C. On the failure to comply with the obligations relating to cookies

53. According to Article 82 of the Data Protection Act, transposing Article 5(3) of the ePrivacy Directive, "any subscriber or user of an electronic communications service must be informed in a clear and comprehensive manner, unless he or she has been informed in advance, by the controller or his or her representative:

1° Of the purpose of any action to access, by electronic transmission, information already stored in his or her electronic communications terminal equipment, or to write information into that equipment;

2° Of the means available to him/her to oppose it.

Such access or recording may only take place on condition that the subscriber or user has expressed, after having received this information, his consent, which may result from the appropriate parameters of his connection device or any other device under his control.

These provisions shall not apply if access to information stored in the user's terminal equipment or the writing of information in the user's terminal equipment:

1° Either, has the sole purpose of enabling or facilitating communication by electronic means;

2° Or is strictly necessary for the provision of an online communication service at the express request of the user".

1. On the need for consent to read and/or write operations

54. The rapporteur notes that the checks carried out according to three distinct user paths showed that, upon arrival on the site before any action, after browsing without having accepted the deposit of cookies, after refusal of cookies by the user and after withdrawal of consent, several cookies were deposited, including the cookies named "tt_webid", "tt_webid_v2" and "ttwid". According to the information provided during the inspection procedure, the companies initially indicated that the "tt_webid_v2" cookie was for internal analysis. Then, TIKTOK IRELAND specified that the purposes of these three cookies were as follows: "security and fraud detection (i.e., identification of bots); capping the frequency of viewing of the most popular videos on the platform; capping the frequency of advertisements shown on the platform and A/B testing".

55. In her initial submissions, the rapporteur noted that cookies relating to display capping, sometimes referred to as "ad capping", consist of not presenting a user with the same ad too repeatedly. She considered that these cookies, whose purpose is part of the broader purpose of online behavioural advertising, are not exclusively intended to enable or facilitate communication by electronic means, nor can they be regarded as strictly necessary for the provision of an online communication service at the express request of the user. The rapporteur therefore considered that the companies TIKTOK UK and TIKTOK IRELAND disregarded the obligations of Article 82 of the Data Protection Act by depositing such cookies without the user's consent.

56. In their initial observations in their defence, the companies explained that they had provided erroneous information to the delegation of control regarding the purposes of the cookies "tt_webid", "tt_webid_v2" and "ttwid". They specify that the purpose announced as "capping advertising" is in fact the fight against spam and that the incorrect information sent to the CNIL is the result of "an unintentional error made when drafting the response, due to poor internal communication". They add that this purpose is to prevent bots and malicious users from sending unwanted messages to users (anti-spam measure) or from publishing ads not authorised by the TIKTOK platform, for example in the "comments" section of videos posted by users. They conclude that the cookies "tt_webid", "tt_webid_v2" and "ttwid" are strictly necessary and therefore do not require the user's consent when deposited on his terminal.

57. In light of these new elements, in her second submission, the rapporteur considered that in the absence of documents communicated by the companies describing the technical specifics of the three cookies mentioned above (use of each cookie, cookie program, etc.), she was not in a position to rule on the question of whether these three cookies could be placed on users' terminals without prior consent, in accordance with one of the two exemptions provided for in Article 82 of the aforementioned Data Protection Act. She thus invited TIKTOK UK and TIKTOK IRELAND to produce additional evidence in support of their claims.

58. In response, the companies indicated that on August 31, 2022, the "tt_webid" and "tt_webid_v2" cookies were deleted from all TIKTOK domains and that they had been removed from the main domain at an earlier date. The companies explain that they now only use the 'ttwid' cookie. They also provided additional details on the purposes of the said cookies. They indicate that the purpose of these cookies is security and fraud detection, capping the frequency of viewing of the most popular videos on the platform, detection and prevention of spam and tests to compare two versions of the same page (commonly known as A/B testing) and consider that they are exempt from the requirement to obtain consent. Furthermore, the companies state that non-essential cookies, and therefore subject to consent, are only placed on the user's terminal if the user accesses one of the TIKTOK sub-domains.

59. During the session, in view of the latest information provided by the companies and in the absence of a stabilised doctrine on the state of certain purposes mentioned by the companies, the rapporteur proposed to the restricted panel that it should not find any breach of the requirement to obtain consent for the placing of "ttwid", "tt_webid" and "tt_webid_v2" cookies on the user's terminal.

60. The restricted formation considers that the elements of the file submitted for its assessment do not allow it to pronounce on the characterisation of the breach relating to the registration of these three cookies on the user's terminal before any action on his part. However, it notes that it appears from the companies' submissions that other cookies not exempt from consent are deposited on the TIKTOK sub-domains.

2. On the conditions for obtaining consent to deposit and read non-essential cookies

61. In law, Article 2(f) of the ePrivacy Directive provides that the consent of a user or subscriber corresponds to the consent of the data subject contained in Directive 95/46/EC, which has been replaced by the GDPR.

62. Thus, since the entry into force of the GDPR, the 'consent' provided for in the above-mentioned Article 82 must be understood within the meaning of Article 4(11) of the GDPR, i.e. it must be given freely, specifically and unambiguously and manifested by a clear positive act.

63. In this respect, Recital 42 of the Regulation provides that "consent should not be considered to have been freely given if the data subject does not have a genuine choice or is not able to refuse or withdraw consent without suffering prejudice".

64. The CNIL considers that it follows from these provisions combined, as it interpreted them in its deliberations No. 2020-091 of 17 September 2020 adopting guidelines on the application of Article 82 of the Act of 6 January 1978 as amended to read and/or write operations on a user's terminal (in particular to "cookies and other trackers") and No. 2020-092 adopting a recommendation proposing practical methods of compliance in the event of recourse to "cookies and other trackers", that it must be as easy to refuse or withdraw consent to trackers as it is to give it. These instruments aim to interpret the applicable legislative provisions and to provide guidance to actors on the implementation of concrete measures to ensure compliance with these provisions, so that they implement these measures or measures of equivalent effect. In this sense, the guidelines state that their main purpose "is to recall and clarify the law applicable to the reading and/or writing of information [...] in the subscriber's or user's electronic communications terminal equipment, and in particular to the use of cookies".

65. With regard to possible refusal methods, in the same recommendation, the Commission strongly recommended that "the mechanism for expressing refusal to consent to read and/or write operations should be accessible on the same screen and with the same ease as the mechanism for expressing consent. Indeed, it considers that consent interfaces that require a single click to consent to tracking while several actions are necessary to "set up" a refusal to consent present, in most cases, the risk of biasing the choice of the user, who wishes to be able to view the site or use the application quickly.

For example, at the first level of information, users may have the choice between two buttons presented at the same level and in the same format, on which are written respectively "accept all" and "refuse all", "authorise" and "prohibit", or "consent" and "do not consent", or any other equivalent and sufficiently clear formulation. The Commission considers that this modality constitutes a simple and clear means of enabling the user to express his refusal as easily as his consent".

66. The restricted formation recalls that the CNIL recommendation referred to above is intended to clarify the obligations provided for by the French and European legislators, in particular by drawing all the consequences of the principle of freedom of consent as defined in Article 4, paragraph 11, of the GDPR, and by applying them to the hypotheses of acceptance and refusal by the user to the deposit of cookies on his terminal. Indeed, this principle of freedom of consent implies that the user benefits from a "genuine freedom of choice", as underlined in recital 42 of the GDPR, and therefore that the modalities offered to him to manifest this choice are not biased in favour of consent.

67. The rapporteur observed that on the day of the online inspection carried out on 3 June 2021, although the banner displayed on the "tiktok.com" website contained a button allowing users to accept cookies immediately, no similar means was offered to users to refuse, easily and with a single click, the deposit of these cookies. The user had to perform at least three actions (a first click on "Manage settings", then a click on "Open cookie settings" and a click on "Save"). In the rapporteur's view, such a mechanism was therefore not as easy as the one allowing the user to express his or her consent, in disregard of the legal requirements of freedom of consent, which imply that the user should not be encouraged to accept cookies rather than to refuse them. The rapporteur therefore considered that the conditions for obtaining consent implemented by the companies TIKTOK UK and TIKTOK IRELAND on the 'tiktok.com' website did not comply with the provisions of Article 82 of the Data Protection Act as clarified by Article 4(11) of the GDPR on the freedom of consent, at the time of the online inspection on 3 June 2021 and until 28 February 2022, the date on which the companies implemented a 'Refuse All' button.

68. In defence, the companies explain that prior to the implementation of this "decline all" button, TIKTOK did not rely on implied consent from its users for the use of non-essential cookies and that no non-essential cookies were placed on the users' terminal before they clicked on the "accept all" button. In this sense, when the user refrained from clicking on the "Accept all" button, this meant that no non-essential cookies were written to their terminal and thus it was as easy to refuse as to consent to read and/or write operations. They point out that the CNIL guidelines themselves provided that the absence of any action on the part of the user is an acceptable mechanism for the user to refuse non-essential cookies: "The Commission observes that while consent must be reflected in a positive action by the user, the latter's refusal may be inferred from his silence. The expression of the user's refusal must therefore not require any action on his part or must be able to be translated into an action with the same degree of simplicity as that which enables him to express his consent" (§30 of the aforementioned guidelines). The companies consider that "the Cookie Banner explicitly told users that TikTok would only use non-essential cookies when they clicked the ["Accept All"] button. Any action by the user other than explicitly accepting cookies was considered a refusal by TikTok, and its practices were in compliance with the CNIL Guidelines".

69. First, the Panel notes that, while TIKTOK UK and TIKTOK IRELAND now argue that the absence of a choice expressed by the user had the effect that no non-essential cookie was written to the user's terminal, the information banner displayed to the user did not contain any information to that effect.

70. The restricted formation considers, as the Commission recalled in its aforementioned guidelines, that if the user's refusal to consent to cookies can be deduced from his silence, it is on condition that the user is fully informed. Otherwise, the balance between acceptance and refusal is not respected. This was not the case in this instance: when viewing the banner, the user was not informed of the means available to him to simply not consent to cookies.

71. On the contrary, the restricted formation considered that it was not intuitive for the user to consider that he could continue to navigate without taking any action on the cookies banner. It also noted that, when the user did not make any choice and browsed the site, the banner remained displayed. The persistence of the banner at the bottom of the page, although not preventing the user from using the website's functions, was likely to encourage the person to make a choice, if only to make the banner disappear in order to facilitate navigation. Consequently, the simplest choice for a user was to accept cookies via the "Accept all" button, since the banner would disappear immediately in this case. Thus, the restricted panel considers that in the absence of information on the consequences of his inaction, the user wishing to refuse cookies was strongly encouraged to click on the "Manage settings" button, then to carry out the three actions described above.

72. Furthermore, the Panel notes the lack of explicit nature of the "Manage settings" button proposed in the first window, which did not clearly mention the existence of means to refuse cookies. It considered that the fact that the cookies were not deposited had no effect on the confusion generated by the information path, which could give the user the feeling that it was not possible to refuse the deposit of cookies and that he or she had no means of control in this respect.

73. Secondly, the restricted panel notes that several studies show that organisations that have set up a "refuse all" button on the first-level consent interface have seen a decrease in the rate of consent to accept cookies. For example, according to the "Privacy Barometer - 2021 Edition" published by COMMANDERS ACT, the consent rate on computers has dropped from 70% to 55% in April-May 2021, since the collection of consent is explicit. Similarly, according to a 366-Kantar study, it appears that 41% of Internet users in France refused, systematically or partially, the deposit of cookies in June 2021.

74. The restricted formation thus considers that making the mechanism for refusing cookies more complex than the one for accepting them actually discourages users from refusing cookies and encourages them to prefer the ease of the "accept all" button. Indeed, an Internet user is generally led to consult numerous sites. Browsing the internet is fast and fluid. Having to click on "Manage settings" and having to understand how the page for refusing cookies is constructed is likely to discourage the user, who would nevertheless like to refuse the deposit of cookies. It is not disputed that in the present case the companies offered a choice between accepting or refusing cookies before the insertion of the "refuse all" button, but the way in which this refusal could be expressed, in the context of Internet browsing, biased the expression of the choice in favour of consent in such a way as to alter the freedom of choice.

75. Lastly, the restricted panel notes that, although the companies indicate in their written submissions that non-essential cookies are not placed on users' terminals when they visit the main domain, the consent that may have been obtained through the banner on the main site leads to the deposit of cookies when certain TIKTOK sub-domains are visited, without a new banner for obtaining consent being displayed at the entrance to these sub-domains. It points out that the registration of non-essential cookies outside the main domain is corroborated both by the wording of the banner found during the online inspection on 3 June 2021, namely "We use cookies and other technologies to enhance your experience on our websites. By clicking "Accept All", you agree to our use of third-party cookies for analytics and marketing purposes" and by those in TikTok's cookie policy: "With your consent, we use the third-party cookies described below for analytics purposes to promote our services on other platforms and websites, and to measure the effectiveness of our own marketing campaigns."

76. The companies also state in their written submissions that the users' choices regarding cookies expressed upon arrival at the main "tiktok.com" domain are recorded and kept in memory for the entire navigation on all TIKTOK domains. Thus, the choice expressed by the user on the main domain with regard to cookies is valid for all cookie registration operations carried out on the sub-domains. It was therefore essential to provide a method of refusing cookies as easily as accepting them, so that the user's consent could be given freely, both on the main domain and on the sub-domains.

77. In view of the above, the restricted panel considers that there has been a breach of the provisions of Article 82 of the Data Protection Act, interpreted in the light of the GDPR, insofar as the user did not have the possibility of refusing read and/or write operations with the same degree of simplicity as accepting them at the time of the online check on 3 June 2021 and until the introduction of a "Refuse All" button on 28 February 2022.

3. On the lack of information to individuals

78. As indicated above, Article 82 of the Data Protection Act provides that "any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he or she has been informed beforehand, by the controller or his or her representative: 1° Of the purpose of any action aimed at accessing, by means of electronic transmission, information already stored in his or her electronic communications terminal equipment, or at entering information in this equipment [...]".

79. The above-mentioned CNIL guidelines of 17 September 2020, whose purpose is to recall and explain the applicable law, provide that "the information must be drafted in simple and comprehensible terms and must enable users to be duly informed of the different purposes of the tracers used [...]. The information must be complete, visible and highlighted. A simple reference to the general conditions of use is not sufficient" (§§ 22 and 23). The Commission adds that "At the very least, the provision of the following information to users, prior to obtaining their consent, is necessary to ensure the informed nature of the latter: [...] the purpose of data reading or writing operations [...]" (§24).

80. The rapporteur noted that, on the banner appearing at the time of the online check carried out on 3 June 2021, the purposes for which cookies are used include "analysis and marketing purposes", without providing any further details. According to the Commission, these purposes were not sufficiently specific and precise to consider that the information complied with the obligations arising from Article 82 of the Data Protection Act. The inspection carried out on 30 June 2022 revealed that the companies had added a "Refuse all" button on their first-level cookie banner and had completed the information on the purposes. Nevertheless, the rapporteur noted that the modified banner contained a material error ("You can manage cookies at any time"). Furthermore, the rapporteur noted that, in the context of this second inspection, when the user clicked on "cookie management" on the banner presented to him or her on arrival at the "tiktok.com" site, a new window appeared with a list of "analysis and marketing cookies". Such a window with a list of "analytical and marketing data" cookies was also present at the time of the online check carried out on 3 June 2021. The rapporteur considered that, while the companies offer the user the possibility of expressing consent for each cookie, it is not indicated what purpose each cookie serves (analysis or marketing or both), thus making it impossible for the user to know exactly what he or she is consenting to. The rapporteur concluded that the information provided by the companies was therefore not sufficient and did not allow the user to give free and informed consent.

81. In their defence, the companies explained that they had corrected the grammatical error in the French version of the banner by 15 July 2022. They stressed that "the banner relating to cookies was understandable for the average user" and that the speed of the update underlined their willingness to cooperate with the CNIL and to constantly improve their practices on the basis of the regulators' remarks. They added that the CNIL guidelines, in paragraph 24, only ask users to be provided, at the first level of information, with "the purpose of data reading or writing operations", without specifying the level of detail of this information, and that the CNIL, in its deliberation No. 2020-092 of 17 September 2020 adopting a recommendation on cookies, mentioned above, provides that a more detailed description of the purposes may be accessible via a hypertext link provided in the first level of information. In their view, this was the case in the present case, since the purposes set out in the cookie banner were specified in the cookie settings and the cookie policy, both of which were accessible via a hypertext link that provided additional detailed information to users. They added that, without acknowledging any breach on their part but in an ongoing effort to improve their practices, they added more detail to the cookie settings on 16 September 2022. As for the second part of the breach, the companies state that there is no obligation in the ePrivacy Directive, the Data Protection Act or the CNIL guidelines to repeat the purpose of each non-essential cookie in the cookie settings, as several cookies serve the same purpose. The companies consider that, when a number of cookies have the same purpose, it is sufficient to indicate this same purpose above all the non-essential cookies concerned, with a slider on/off button. They further add that the cookie policy, which is easily accessible from the cookie banner, provides detailed information on the purpose of each cookie individually. The companies conclude that the cookie banner and the cookie policy provide users with sufficient information to enable them to give free and informed consent. Finally, they state that, as they strive to continually improve transparency and user understanding, they have modified the cookie settings to further clarify the description of the purpose of each non-essential cookie listed in the cookie settings under each slider button.

82. Firstly, with regard to the first part of the infringement, the restricted formation recalls that both Article 5(3) of the ePrivacy Directive and Article 82 of the Data Protection Act expressly provide that the user must be fully informed of the purposes of depositing and reading cookies and of the means available to him to object to them.

83. However, the restricted panel notes that the above-mentioned information banner displayed on the home page contained only a general and approximate description of the purposes of all the cookies deposited. Indeed, the terms "to improve your experience on our websites" and "for analysis and marketing purposes" are particularly imprecise.

84. The term "analysis" does not make it possible to identify the purpose pursued by this analysis, nor the difference with the purpose attached to the terms "improve your experience on our websites". Similarly, the restricted panel notes that the "marketing" purposes may cover various processing operations (statistics, commercial prospecting, targeted advertising, contextual advertising, etc.). Thus, when reading this banner, the user was not in a position to understand what types of content would be presented to him or her and, if so, in what form.

85. Moreover, while the restricted formation confirms that it is possible to complete the information appearing at the first level via a hypertext link, the fact remains that the information present in the dedicated banner must be sufficiently clear to allow the user to make an informed choice at this stage. However, the restricted panel considers that in this case, as explained above, the purposes are not developed in a sufficiently precise manner. The restricted panel also notes in this respect that the new wording used by the companies in the banner, as observed during the online inspection carried out on 30 June 2022, is more precise, in that the companies explain what the "marketing" purpose covers, namely "to be able to understand the effectiveness of TikTok's advertising campaigns".

86. Secondly, the restricted formation notes that, if several cookies can serve the same purpose or if certain cookies can pursue several purposes, the user must be informed of this when the interface for collecting consent offers to express his choice cookie by cookie. Indeed, Article 82 of the Data Protection Act expressly states that the user "must be informed in a clear and complete manner". In the present case, the restricted panel considers that before the latest modifications made by the companies in September 2022, the user did not know whether the cookies listed were for "analytical data" and/or "marketing" purposes, which seem to be two different purposes (and moreover designated in too imprecise a manner) and which should be able to be accepted separately. The restricted panel therefore considered that, until September 2022, the information provided by the companies was not sufficient and did not allow the user to give a free and informed consent.

87. In view of all these elements, the restricted formation considers:

- that by not informing the user of the purposes of the operations of reading and/or writing information in his terminal equipment in a precise manner on the first level of information at the time of the online check on June 3, 2021, the companies TIKTOK UK and TIKTOK IRELAND disregarded the obligations provided for in Article 82 of the French Data Protection Act;

- that, until September 2022, the information provided by the companies regarding the purposes of the various cookies for which the user can make a choice by clicking on a slider button, accessible at the second level, was insufficient and did not allow the user to give free and informed consent, in violation of Article 82 of the Data Protection Act.

III. On corrective measures and their publicity

88. Under the terms of Article 20, III, of the amended Act of 6 January 1978, "When the controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Act, the president of the Commission nationale de l'informatique et des libertés may also, where applicable, after having sent him the warning provided for in I of this article or, where applicable, in addition to a formal notice provided for in II, refer the matter to the restricted formation of the Commission with a view to pronouncing, after an adversarial procedure, one or more of the following measures: [...]

2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or this Act or to comply with the requests made by the data subject to exercise his or her rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment the amount of which may not exceed €100,000 for each day of delay from the date set by the restricted formation; [...]

7° With the exception of cases where the processing is implemented by the State, an administrative fine that may not exceed €10 million or, in the case of an undertaking, 2% of the total annual worldwide turnover for the previous financial year, whichever is higher. [...] In determining the amount of the fine, the restricted formation shall take into account the criteria specified in the same Article 83."

89. Article 83 of the GDPR provides that "each supervisory authority shall ensure that administrative fines imposed pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding the amount of that fine.

A. On the imposition of administrative fines and their amount

90. The companies consider that the proposed administrative fines are disproportionate and unjustified in light of the circumstances of the case and the nature of the alleged breaches. They consider that a call to order would suffice, should the CNIL find that there has been any breach.

91. The restricted formation recalls that Article 20, paragraph III, of the Data Protection Act gives it the power to impose various sanctions, in particular administrative fines, the maximum amount of which may be equivalent to 2% of the total annual worldwide turnover of the previous financial year achieved by the data controller or to 10 million euros. It adds that the determination of the amount of these fines is assessed in the light of the criteria specified in Article 83 of the GDPR.

92. Firstly, the restricted formation emphasises that, in this case, the criterion provided for in Article 83(2)(a) of the GDPR relating to the seriousness of the breach should be applied, taking into account the scope of the processing operation and the number of data subjects concerned by the latter.

93. The restricted formation notes the massive nature of the processing. It recalls that the social network counted 13.9 million unique visitors in France for the month of August 2021 according to publicly available sources, which corresponds to almost a quarter of the French population. The number of people concerned by the processing operations in question is thus extremely large on the scale of the French population.

94. In addition, the restricted formation notes that publicly available information shows that 38% of TIKTOK users are between 13 and 17 years old. As children are vulnerable persons, they deserve special protection.

95. With regard to the seriousness of the breach, the Restricted Section nevertheless notes, as detailed above, that it did not find any breach in relation to the need to obtain consent pursuant to Article 82 of the Data Protection Act with regard to the storage of "ttwid", "tt_webid" and "tt_webid_v2" cookies on the user's terminal.

96. Secondly, the restricted panel notes that the companies cooperated with the CNIL services and that they responded to all the requests for information within the time limits set. In so doing, the companies complied with the obligations arising from Article 18 of the Data Protection Act, without the facts of the case constituting a mitigating circumstance.

97. Thirdly, the Panel considers that the criterion provided for in Article 83(2)(k) of the Regulation, relating to any other circumstance applicable to the facts of the case, should be applied.

98. The restricted formation recalls the general context in which the companies TIKTOK UK and TIKTOK IRELAND chose not to offer their users, on the "tiktok.com" site, the option of easily refusing cookies until the end of February 2022. Indeed, the CNIL has implemented a compliance plan on the issue of cookies spread over several years, which has also led to a dispute before the Council of State. The CNIL has communicated publicly on its website, on several occasions, that it must be as easy for the Internet user to refuse cookies as to accept them, in particular on 1 October 2020 on the occasion of the publication of the aforementioned guidelines and recommendation of 17 September 2020. Compliance was to be achieved by 1 April 2021 in order to guarantee free consent for Internet users. Hundreds of thousands of actors, from the smallest to the largest sites, have complied and have introduced a "refuse all" or "continue without accepting" button on their consent collection interface.

99. The restricted panel notes that it was only on 28 February 2022 that the companies chose to comply and insert a "refuse all" button.

100. Lastly, the panel recalls that, pursuant to the provisions of Article 20, paragraph III, of the Data Protection Act, TIKTOK UK and TIKTOK IRELAND are liable to a financial penalty of a maximum amount of 2% of their turnover, which amounted to nearly USD [...] in 2019 and to more than USD [...] in 2020, or EUR 10 million, whichever is higher. The amount of the fine in this case is therefore

101. Therefore, in light of the respective responsibilities of the companies, their financial capacities and the relevant criteria of Article 83(2) of the Regulation referred to above, the Restricted Section considers that a fine of EUR 2.5 million against TIKTOK UK and a fine of EUR 2.5 million against TIKTOK IRELAND appear justified.

B. On the issuance of an injunction

102. The rapporteur proposed to the restricted formation, in her initial report, to issue a compliance order, which could consist of:

- the cessation of the deposit of cookies and trackers subject to the collection of the consent of persons residing in France when they arrive on the "tiktok.com" site, even before they have had the opportunity to make a choice as to the operations of accessing or recording information in their terminal, after their refusal of the read and write operations or after withdrawal of their consent;

- information to the persons concerned on the purposes of the various cookies for which the user can make a choice by clicking on a slider button, accessible at the second level, in order to enable him/her to give free and informed consent.

103. In view of the changes made by the companies in September 2022, the rapporteur proposed, in her second submission, that the second part of the injunction should not be upheld since, from now on, data subjects are well informed of the purposes of the various cookies for which the user can make a choice by clicking on a slider button. Furthermore, during the session, the rapporteur also abandoned the first part of the injunction initially proposed.

104. The companies argue that the first part of the injunction proposed by the rapporteur is inappropriate, as the "ttwid" cookie is strictly necessary.

105. In view of the elements developed above, the Restricted Group considers that there are no grounds for issuing an injunction.

C. On publicity

106. The companies contest the rapporteur's proposal to make the present decision public. In order to justify this request for publicity, the rapporteur refers in particular to the number of persons concerned. The companies contest this point, considering that the non-essential cookies are not deposited on the main domain, but only on the relevant TIKTOK sub-domains and that the number of French users who visit these sub-domains is much lower.

107. The Panel considers that the publicity of the present decision is justified in view of the seriousness of the breaches in question, the scope of the processing and the number of data subjects.

FOR THESE REASONS

The CNIL's select committee, after deliberation, decides:

- to impose an administrative fine on TIKTOK INFORMATION TECHNOLOGIES UK LIMITED in the amount of 2.5 million euros (two million five hundred thousand euros), in respect of the breach of Article 82 of the Data Protection Act;

- 2.5 million (two million five hundred thousand euros), with regard to the breach of Article 82 of the Data Protection Act;

- to send this decision to TIKTOK SAS for enforcement;

- to make its decision public on the CNIL website and on the Légifrance website, which will no longer identify the companies by name at the end of a period of two years from its publication.

The Chairman

Alexandre LINDEN

This decision may be appealed to the Council of State within four months of its notification.