The EU continues to tighten penalties for tech giants over data practices. Recently, a significant fine was issued in France when authorities imposed 5 million euros on TikTok due to shortcomings in how user data is tracked and managed, raising questions about compliance with digital privacy rules.
The French data protection regulator, the National Commission on Informatics and Freedoms (CNIL), concluded that TikTok, the popular short‑form video platform owned by ByteDance, makes it difficult for users to opt out of online data monitoring. The regulator found that cookie technologies used by the service do not clearly inform users about how their behavior data is collected and used within the platform. This lack of clarity can leave users unsure about what personal information is being gathered and how it influences their online experience.
The ruling specifically targets the tiktok.com web portal, with the decision not extending to the mobile apps that many users access on smartphones. In France, the distinction matters because cookie rules can apply differently to web pages versus app environments, but the underlying principle is the same: users should have transparent choices about tracking technologies and be able to consent or refuse without pressure or opaque mechanisms.
A cookie, or biscuit in some regions, is a small data file that a website sends to a visitor’s device each time they connect. While cookies help save passwords and keep user preferences, they also track online activity and habits. This information can be used to tailor advertisements and content to a user’s interests, which is why clear consent and control are essential under privacy laws.
What does EU law say?
At the heart of EU privacy rules is the General Data Protection Regulation (GDPR), which came into effect in 2016. The GDPR sets out that websites operating within the European Union must obtain user consent before placing tracking cookies or similar technologies. Importantly, users must be offered a genuine choice: they should be able to accept or reject tracking without being steered toward the accept option by design or wording. The aim is to protect individuals by ensuring data handling is fair, transparent, and proportionate to the purpose of processing.
Observing the GDPR, TikTok faced penalties for not meeting these standards in certain contexts. While this latest French action focuses on a specific platform aspect, the broader message is clear: regulators are intensifying scrutiny of how big tech communicates data practices and upholds user rights. The example of a separate and earlier decision against Microsoft shows that enforcement is part of a wider trend toward stricter accountability for how user data is used for advertising and recommendations across major services.
For users in Canada and the United States who regularly engage with TikTok or similar services, the implications are practical. Privacy notices, cookie banners, and consent settings should be easy to understand and accessible across devices. When these tools are clear and choice-based, users can better manage their personal information and reduce unwanted tracking while still enjoying online content and features. The evolving regulatory landscape encourages platforms to simplify explanations, provide clear opt-out mechanisms, and respect user decisions across all entry points, including web and mobile.
In summary, the EU continues to set the standard for cookie transparency and user consent. The TikTok case in France underscores the push for stronger clarity around data collection and the responsible use of personal information. For consumers in North America, it reinforces the value of scrutinizing privacy settings, understanding what data is collected, and demanding straightforward ways to control how that data is used to shape online experiences. Regulators, platforms, and users alike are navigating toward greater transparency and accountability in digital privacy practices.