France’s data protection authority (CNIL) has fined Apple €8,000,000 ($8.5M) for collecting user data for targeted advertising on the App Store without requesting or securing the user’s consent.
This practice is considered a violation of Article 82 of the French Data Protection Act (DPA), a national directive that aligns with the GDPR (General Data Protection Regulation), which is applicable across Europe.
Article 82 of the French DPA requires that “any action through which an electronic communication service accesses or enter information in a user’s terminal equipment (such as the storage of cookies) requires the user’s consent.”
This is the same article that Facebook and Google violated in the past by making it hard for their website visitors to find the option to reject tracking cookies, for which CNIL fined Facebook and Google €60,000,000 ($68M) and €150,000,000 ($170M) respectively.
As CNIL explains in the rationale for the penalty, the setting to disable persistent identifiers that make it possible for Apple to profile users is available on iOS and set to “enabled” by default, but it’s somewhat hidden.
More specifically, the option is on the “Apple advertising” section of the “Privacy” subsection of the iOS “Settings” menu.
This means that the user had to follow several targeted steps to find and deactivate this tracking system, and it’s presumed that most won’t know how to do it or bother looking for it.
According to CNIL’s announcement, the user profiling happened automatically on iOS 14.6, which is the version examined by the data protection authority following user reports.
CNIL suggests that Apple could keep the option “buried” in the settings menu as long as it prompted the user to consent to App Store tracking upon the device’s first setup, which wasn’t the case in iOS 14.6.
Apple has remediated this issue since then, so newer versions of iOS treat user consent matters under the applicable data protection laws.
However, CNIL still had to impose a fine for the period of violation, with the €8 million figure reflecting the number of impacted users in France and the estimated indirect profits the company made from targeted advertising.
When requested for a comment, an Apple France spokesperson told BleepingComputer they plan to appeal CNIL’s decision.
Here’s Apple’s statement in full:
We are disappointed with this decision given the CNIL has previously recognized that how we serve search ads in the App Store prioritizes user privacy, and we will appeal.
Apple Search Ads goes further than any other digital advertising platform we are aware of by providing users with a clear choice as to whether or not they would like personalized ads.
Additionally, Apple Search Ads never tracks users across 3rd party apps and websites, and only uses first-party data to personalize ads.
We believe privacy is a fundamental human right and a user should always get to decide whether to share their data and with whom.
