Tricky TikTok Tracking Exposed in France by CNIL

Share article
twitter linkedin medium facebook

TikTok was recently hit with a fine of €5 million (about $5.4 million) by the French data protection authorities for violating the regulations regarding cookie permission.

TikTok UK and TikTok Ireland fell foul of data protection rules last year and had to pay fines of €5 million (around $5.4 million) after an audit by the CNIL. The Commission Nationale Informatique & Libertés, is the French data protection authority, a national body whose rules are in accordance with the GDPR (General Data Protection Regulation) framework that’s enforced in Europe.

The French agency took a dim view of the fact that TikTok’s website users could accept cookies with just a single click, but if they wanted to reject them it took several more. The CNIL also sanctioned the company for not being clear with users about what those cookies were being used for. The agency found that even when users clicked a banner to get a better explanation of what purposes their data would be put to, they still weren’t given enough information to make an informed decision about it.

Dubious TikTok tracking policies

The CNIL uncovered these gaps in TikTok’s cookie policies and procedures during a June 2021 audit (one of several that it conducted between May 2020 and June 2022). The company only remedied the cookie rejection problem in February 2022 by adding a “Reject All” button, apparently after repeated warnings to do so from the CNIL. With the company dragging its feet for so long it seems surprising that it got away with such a relatively small fine. TikTok tracking at the time was clearly in breach of Article 82 of the French Data Protection Act, after all.

But the CNIL does take other factors into consideration, and among them may have been the realization that although TikTok tracking may have not been up to scratch on this occasion, the company’s omissions only affected the website, which meant that fewer minors, and fewer users in general, were impacted, far fewer than if the TikTok app itself had been using the same approach to gaining its users’ informed consent and not telling them what it planned to do with their data.

It’s hard to imagine how big the fine would have been if this kind of TikTok tracking had been implemented on its app, which has so far been downloaded over 3 billion times!

CNIL acts against TikTok tracking

The CNIL enforcement action was taken under the European Union’s ePrivacy Directive. This is different from its General Data Protection Regulation (GDPR) because it doesn’t require complaints that impact EU users to be forwarded to a lead data supervisor in an EU country of main establishment. (TikTok claims main establishment status in Ireland for the GDPR).

Its guidance on the ePrivacy Directive was updated in 2019 to say that consent is necessary for ad tracking, and since 2020, the French regulator has been able to issue a whole series of enforcements in response to cookie infringements by big tech companies. If you are still wondering how we could describe that €5 million CNIL fine for TikTok tracking as ‘getting off lightly’, then consider that it has also hit Apple with an $8.5 million fine, Facebook with one for $68 million, and Google with a whopping $170 million penalty. Also bear in mind that it’s not alone. Amazon currently holds the record for a data protection fine of €746m, which was levied by Luxembourg’s National Commission for Data Protection (CNPD) on 16 July 2021. The company was penalized for using private user data for targeted advertising.

It looks as if the French regulator’s crusade to enforce proper cookie consent and protect consumers and their data is positioning it as the rapid response alternative to the so-far less nimble cross-border efforts of others to enforce the GDPR rules, and its actions are definitely focusing the attention of large companies, but companies of every size should be just as concerned, including yours.

How Reflectiz can help detecting unlawful TikTok tracking

If the potential for catching an astronomical fine has you worried then you will be glad to know that Reflectiz lets you constantly monitor your tracking pixels, including the TikTok tracking pixel, and our system also performs a “cookie-no-consent” scan which finds out who is tracking your user’s activity without their permission and warns you before data protection agencies come knocking on your door too.

Get in touch with us today to receive your free TikTok pixel detection scan. It’s the best way to ensure that pixel tracking is working as it should be, that it isn’t compromising the privacy of your users, and that you aren’t being exposed to the possibility of getting hit by a very large fine.

Read our latest case study about pixels here.

Subscribe to our newsletter

Stay updated with the latest news, articles, and insights from Reflectiz.

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free