CNIL (France) - Délibération SAN-2022-027 du 29 décembre 2022
|CNIL - Délibération SAN-2022-027 du 29 décembre 2022|
Article 82 of the French Data Protection Act
|National Case Number/Name:||Délibération SAN-2022-027 du 29 décembre 2022|
|European Case Law Identifier:||n/a|
|Original Source:||CNIL (in FR)|
The French DPA fined TikTok €5,000,000 for implementing advertising identifiers on users' devices without prior consent. TikTok's cookie banner was also found insufficiently informative.
English Summary[edit | edit source]
Facts[edit | edit source]
The French DPA (DPA) started an investigation on 14 may 2020 into TikTok's website (the 'service provider' or 'the company'). The DPA also inquired on TikTok's cookie use with a particular focus on whether/how the provider deposited and/or accessed cookies and other trackers on French-located users' devices.
Holding[edit | edit source]
Material competence of the French DPA
The DPA determined that it was materially competent. It considered Articles 16 and 20 of the French data protection act and two decisions from the French Conseil d'Etat, in which it was stated that operations regarding the use of trackers on users' devices, located on French territory, fell within the competence of the French DPA. One of these decisions was the Conseil's decision of 28 January 2022 (Societe GOOGLE LLC and Societe GOOGLE IRELAND LIMITED).
Territorial competence of the French DPA
In order to assess if the DPA was territorially competent to handle this decision under Article 3 of the French Data Protection Act, the DPA assessed if TikTok fulfilled two requirements. Under the first one, (1) the provider needed to have an establishment on French territory. This was the case, since 'TIKTOK SAS' was a French establishment. The second condition requires (2) that the tracker-related processing must carried out in the context of activities of such establishment. The DPA referred to another of its decisions (AMAZON EUROPE CORE of 27 June 2022) where such "link" was also confirmed if the French establishment promoted and sold advertising services on the French market, and used the tracking tools to provide such services (See points 10 and 15 of this Amazon decision - link to original decision in French). The DPA considered that this second criterion was also fulfilled in this decision. Indeed, TIKTOK SAS was responsible for the sale and promotion of advertising for the French market, which was only possible with a cookie placed on the users device.
Article 82 of the French Data Protection Act
The DPA explained that Article 82 of the French Data Protection Act required the provider to ask consent of data subjects if it was reading/writing information to the user’s device. There were however two exceptions to this consent-requirement. No consent was required if the sole purpose of the identifier was to facilitate communication by electronic means or when the identifier was strictly necessary for the provision of an online communication service at the user's request. If an identifier had multiple purposes, the provider could only use the identifier for advertising when it had obtained prior consent from the data subject for this specific purpose. Besides a few cookies, of which the purpose remained unclear, the DPA determined that the cookies used were not exclusively intended to enable or to facilitate communication by electronic means, nor could these cookies be regarded as strictly necessary for the provision of an online communication service. Therefore, TikTok had to obtain valid consent (Article 4(11) GDPR) from users before using the identifiers. The DPA stated that it should be as easy to refuse or withdraw consent for cookies as it is to give consent for cookies. In this case, however, the DPA held that the user was not sufficiently informed about the possibility to simply not consent to the cookies when the cookie-banner would be presented to this user. The DPA also found that it was not intuitive for the user to consider that he/she could navigate the main website without taking any action regarding the banner. When the user did not take any action on this banner, the banner would remain displayed on the webpage. The user was however not informed about the consequences of this inactivity. The simplest choice was therefore acceptance of all cookies because the banner would then disappear.
Article 82 of the French Data Protection Act also states that users must be informed in "a clear and complete manner". The DPA determined that TikTok only mentioned general descriptions on its cookie banner. The DPA assessed the phrases in the banner in detail and held that the user would not be able to determine what types of content would be presented to the user and in what form this content would be presented. The DPA also determined that if several cookies served the same purpose or several purposes, the user had to be informed when consenting for each cookie. The DPA held that in this case, the user did not know whether the provider's cookies were for "analytical data" and/or for marketing purposes, which seemed to be two different purposes. The DPA also held that it should have been possible to accept these cookies separately. This resulted in another violation of Article 82 of the French Data Protection Act. The information provided by TikTok in the cookie banner on the main website was not sufficient and did not allow users to give free and informed consent.
After considering several mitigating and aggravating factors, the DPA fined TikTok €2,500,000 for the lack of valid consent and €2,500,000 for providing imprecise information on its consent banner.
Comment[edit | edit source]
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.