Excerpt
TikTok was fined by the French DPA for implementing advertising identifiers without consent and for having an insufficiently informative cookie banner. The banner allowed users to accept all cookies with one click, making it difficult to refuse them, and some advertising cookies were placed even if a user did not consent.
Our analysis
The case concerns TikTok's violation of Article 82 of the French Data Protection Act regarding its use of cookies and its cookie banner. The investigation by the French DPA found that TikTok's cookie banner did not provide users with enough information and options to give informed consent.

The DPA identified several deceptive patterns that TikTok used in its cookie banner, such as hard-to-cancel, forced action, and hidden information. The banner allowed users to accept all cookies with a single click using a single button, making it easier to accept cookies than to deny them. Users who did not take any action on the banner would also see it remain displayed on the web page without being informed of the consequences of their inactivity. Additionally, certain advertising cookies would still be placed even if a user did not consent to their installation.

The DPA held that users must be informed in a clear and complete manner, which TikTok failed to do. TikTok's cookie banner only provided general descriptions, and the user could not determine what types of content would be presented to them or in what form it would be presented. The DPA also found that TikTok did not inform users whether the provider's cookies were for analytical data and/or marketing purposes, making it impossible to give free and informed consent.

TikTok was fined €2,500,000 for the lack of valid consent and €2,500,000 for providing imprecise information on its consent banner. The case serves as a reminder to companies to ensure that their cookie banners provide users with enough information and options to give informed consent, and to avoid using deceptive patterns such as hard-to-cancel, forced action, and hidden information.
Outcome
TikTok has been fined a total of €5,000,000 by the Data Protection Authority (DPA) for violating the General Data Protection Regulation (GDPR). The fine was divided into two parts: €2,500,000 for failing to obtain valid consent from users and €2,500,000 for displaying imprecise information on its consent banner. The DPA considered various mitigating and aggravating factors before deciding on the amount of the fine.
Parties
TikTok Information Technologies UK Limited and TikTok Technology Limited
Case number
Délibération SAN-2022-027 du 29 décembre 2022
Decision
Related deceptive patterns
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Under the applicable law, users must give informed and unambiguous consent and receive clear information about cookies, including the processing purposes and the identity of the data controller.