France fines Apple for App Store ad targeting ePrivacy breach
A rare privacy penalty for Apple: The French data protection authority, the CNIL, has announced that it has imposed a penalty of 8 million euros (~8 $.5 million) to the iPhone maker for failing to obtain local mobile users' prior to placing (and/or reading) advertising IDs on their devices in violation of local data protection law.
The sanction decision was issued on December 29 but only made public yesterday (the text of the decision is available here).
The CNIL operates within the framework of the European Union's ePrivacy Directive, which allows data protection authorities at member state level to take action on local complaints about breaches, rather than requiring that 'they are referred to a data controller in the country where the business in question has its principal place of business in the EU (as is the case with the new EU General Data Protection Regulation, or GDPR).
While the size of this ePrivacy fine won't cause sleepless nights in Cupertino, Apple is relying on unparalleled user privacy claims to polish its premium brand and differentiate iPhones from cheaper hardware running the Google's Android platform. its reputation for protecting user data should sting.
The CNIL says it was following up on a complaint against Apple for running personalized ads on its App Store. The action concerns an older version (14.6) of the iPhone operating system, under which - after the watchdog's investigation in 2021 and 2022 - it discovered that the tech giant had not obtained the prior consent of users to process their data for the purpose of targeted advertising. when a user visited the Apple App Store.
The CNIL found that iOS version 14.6 automatically read identifiers on the user's iPhone, which served several purposes, including the personalization of advertisements on the App Store, and that the processing had took place without Apple obtaining the appropriate consent, according to the regulator, because consent was collected through a default pre-verified setting. (NB: The CNIL 2019 guidelines relating to the ePrivacy directive stipulate that consent is necessary for the tracking of advertisements.)
Excerpt from the CNIL press release:
Because of their advertising purpose, these identifiers are not strictly necessary for the provision of the service (the App Store). Consequently, they must not be able to be read and/or deposited without the user having expressed his prior agreement. However, in practice, the ad targeting settings available from the iPhone "Settings" icon were pre-checked by default.
Additionally, the user had to perform a lot of actions to successfully disable this setting since this possibility was not built into the phone initialization process. The user had to click on the 'Settings' icon on the iPhone, then go to the 'Privacy' menu and finally to the section called 'Apple Advertising'. These elements did not make it possible to collect the prior consent of users.
The CNIL said the level of the fine reflects the scope of the processing (which it said was limited to the App Store); the number of French users concerned; and the profits Apple derives from advertising revenue generated indirectly from the data collected by the IDs - as well as the fact that the regulator is taking into account that Apple has since brought itself into compliance.
Apple has been contacted to comment on the CNIL sanction. A company spokesperson confirmed their intention to appeal by sending us this statement:
We are disappointed with this decision given that the CNIL has previously acknowledged that the way we serve search ads in the App Store prioritizes user privacy, and we will appeal. Apple Search Ads goes further than any other digital advertising platform we know of by giving users a clear choice about whether or not they want personalized ads. Additionally, Apple Search Ads never tracks users across third-party apps and websites and only uses first-party data to personalize ads. We believe that privacy is a fundamental human right and that a user should always decide if they want to share their data and with whom.
This isn't the first time Apple has come under scrutiny for the double standard when it comes to privacy. In 2020, European privacy rights campaign group noyb filed a series of complaints with EU data protection watchdogs over an identifier for advertisers (aka IDFA) built into the iPhone by...
A rare privacy penalty for Apple: The French data protection authority, the CNIL, has announced that it has imposed a penalty of 8 million euros (~8 $.5 million) to the iPhone maker for failing to obtain local mobile users' prior to placing (and/or reading) advertising IDs on their devices in violation of local data protection law.
The sanction decision was issued on December 29 but only made public yesterday (the text of the decision is available here).
The CNIL operates within the framework of the European Union's ePrivacy Directive, which allows data protection authorities at member state level to take action on local complaints about breaches, rather than requiring that 'they are referred to a data controller in the country where the business in question has its principal place of business in the EU (as is the case with the new EU General Data Protection Regulation, or GDPR).
While the size of this ePrivacy fine won't cause sleepless nights in Cupertino, Apple is relying on unparalleled user privacy claims to polish its premium brand and differentiate iPhones from cheaper hardware running the Google's Android platform. its reputation for protecting user data should sting.
The CNIL says it was following up on a complaint against Apple for running personalized ads on its App Store. The action concerns an older version (14.6) of the iPhone operating system, under which - after the watchdog's investigation in 2021 and 2022 - it discovered that the tech giant had not obtained the prior consent of users to process their data for the purpose of targeted advertising. when a user visited the Apple App Store.
The CNIL found that iOS version 14.6 automatically read identifiers on the user's iPhone, which served several purposes, including the personalization of advertisements on the App Store, and that the processing had took place without Apple obtaining the appropriate consent, according to the regulator, because consent was collected through a default pre-verified setting. (NB: The CNIL 2019 guidelines relating to the ePrivacy directive stipulate that consent is necessary for the tracking of advertisements.)
Excerpt from the CNIL press release:
Because of their advertising purpose, these identifiers are not strictly necessary for the provision of the service (the App Store). Consequently, they must not be able to be read and/or deposited without the user having expressed his prior agreement. However, in practice, the ad targeting settings available from the iPhone "Settings" icon were pre-checked by default.
Additionally, the user had to perform a lot of actions to successfully disable this setting since this possibility was not built into the phone initialization process. The user had to click on the 'Settings' icon on the iPhone, then go to the 'Privacy' menu and finally to the section called 'Apple Advertising'. These elements did not make it possible to collect the prior consent of users.
The CNIL said the level of the fine reflects the scope of the processing (which it said was limited to the App Store); the number of French users concerned; and the profits Apple derives from advertising revenue generated indirectly from the data collected by the IDs - as well as the fact that the regulator is taking into account that Apple has since brought itself into compliance.
Apple has been contacted to comment on the CNIL sanction. A company spokesperson confirmed their intention to appeal by sending us this statement:
We are disappointed with this decision given that the CNIL has previously acknowledged that the way we serve search ads in the App Store prioritizes user privacy, and we will appeal. Apple Search Ads goes further than any other digital advertising platform we know of by giving users a clear choice about whether or not they want personalized ads. Additionally, Apple Search Ads never tracks users across third-party apps and websites and only uses first-party data to personalize ads. We believe that privacy is a fundamental human right and that a user should always decide if they want to share their data and with whom.
This isn't the first time Apple has come under scrutiny for the double standard when it comes to privacy. In 2020, European privacy rights campaign group noyb filed a series of complaints with EU data protection watchdogs over an identifier for advertisers (aka IDFA) built into the iPhone by...
What's Your Reaction?
