Apple Fined in France over App Store Ad Targeting ePrivacy Breach

France's data protection watchdog has imposed a fine of €8M on Apple for not obtaining local mobile users' consent before placing ad identifiers on their devices...

Apple security

Apple is probably the Tech Giant we at VPNreports respect the most, and we’re saying this as non-Apple users. The reason for this is simple – they actually care about their users’ privacy.

That said, we were surprised to learn that the iPhone maker has been slapped with a privacy-related fine in France.

Specifically, the country’s data protection watchdog, the CNIL, has imposed a sanction of €8 million (~$8.5M) on Apple for not obtaining local mobile users’ consent prior to placing (and/or reading) ad identifiers on their devices in breach of local data protection law.

The decision was issued on December 29 but only made public in the new year — you can see it in French on this page.

The CNIL is acting under the European Union’s ePrivacy Directive, allowing Member State level data protection authorities to take action over local complaints about breaches. The watchdog said it was acting on a complaint against Apple for showing personalized ads on its App Store.

The action relates to an older version (14.6) of the iPhone operating system, under which the tech giant had not obtained prior consent from users to process their data for targeted advertising that was served when a user visited Apple’s App Store.

CNIL found that v14.6 of iOS automatically read identifiers on the user’s iPhone, and that processing occurred without Apple obtaining proper consent — which was required as per 2019 CNIL guidance on the ePrivacy Directive related to ad tracking.

Due to their advertising purpose, these identifiers are not strictly necessary for the provision of the service (the App Store). Consequently, they must not be able to be read and/or deposited without the user having expressed his prior consent. However, in practice, the ad targeting settings available from the iPhone’s ‘Settings’ icon were pre-checked by default.

In addition, the user had to perform a large number of actions to successfully deactivate this parameter since this possibility was not integrated into the initialization process of the telephone. The user had to click on the ‘Settings’ icon of the iPhone, then go to the ‘Privacy’ menu and finally to the section entitled ‘Apple Advertising’. These elements did not make it possible to collect the prior consent of users.

According to the CNIL, the level of fine reflects the scope of the processing, the number of French users affected, and the profits Apple derives from ad revenue indirectly generated from the data collected by the identifiers.

Unsurprisingly, Apple plans to appeal the decision:

We are disappointed with this decision given the CNIL has previously recognized that how we serve search ads in the App Store prioritizes user privacy, and we will appeal. Apple Search Ads goes further than any other digital advertising platform we are aware of by providing users with a clear choice as to whether or not they would like personalized ads. Additionally, Apple Search Ads never tracks users across 3rd party apps and websites, and only uses first-party data to personalize ads. We believe privacy is a fundamental human right and a user should always get to decide whether to share their data and with whom.

It is worth adding this is not the first time Apple has faced critical scrutiny over double privacy standards. Back in 2020, European privacy rights campaign group “noyb” filed a series of complaints with EU data protection watchdogs about an Identifier for Advertisers (aka IDFA) baked into the iPhone by default by Apple, arguing the existence of the IDFA was a similar breach of the prior consent to tracking principle.

Moreover, the company has been accused of privacy hypocrisy in recent years over its different treatment vis-a-vis the tracking of iPhone users’ app activity to serve its own “personalized ads” vs a recently introduced requirement that third-party apps obtain consent from users.

Apple has continued to dispute these arguments, claiming it complies with local privacy laws and offers a higher level of privacy and data protection for iOS users than rival platforms. With that, we can agree.