French Privacy Watchdog, CNIL fines Apple over lack of consent regarding Personalised Ads


Authors:  

Deeya Barik | Associate Data Protection Advisor

Date: 28 February 2023

On December 29, 2022, the French Data Protection Authority (hereafter “CNIL”) announced an administrative fine of €8 million against Apple Distribution International. The penalty followed a complaint and concerned personalised advertisements that were enabled by default, in violation of Article 82 of the French Data Protection Act.

The case stems from a March 2021 complaint lodged by start-up lobby group, France Digitale, which argued that Apple did not respect data protection rules. The decision of the CNIL comes as a shock for tech giants as Apple has always pitched itself as a privacy champion. Last year, it introduced App Tracking Transparency (ATT), a feature asking users for their consent to be tracked online by third parties for targeted-ad purposes. The fine in this case relates to ad personalisation practices, which are complex areas for many businesses when it comes to compliance with data protection rules.  

This article outlines further details about the case and the steps your organisation can undertake to avoid similar gaps in compliance around cookies and other tracking technologies.  

Background  

According to the findings of the CNIL’s investigation, when users of iPhones running an older version of iOS (version 14.6) visited the App Store, Apple collected user identifiers for several purposes, including the customisation of App Store advertisements. The Apple Developer website indicates that about 18% of all iPhones still run iOS 14 or an earlier version.

Article 82 of the French Data Protection Act stipulates that consent must be obtained before an advertising identifier (IDFA) can be placed on a device. The IDFA, the Identifier for Advertisers used to serve personalised ads on iPhones, is a unique, random identifier assigned to iOS mobile devices. It is anonymous in the sense that it does not reveal any personal information by itself, but it allows advertisers and app owners to recognise a specific mobile device and collect information about its use, enabling customised, targeted ads to be displayed. By setting these App Store identifiers by default and without the end user’s knowledge, Apple broke the law by violating the EU ePrivacy Directive (see the CNIL Guide on the ePrivacy Directive).

The CNIL’s Verdict and Actions  

The identifiers should not have been collected without users’ prior consent. Under the French Data Protection Act, the collection of these identifiers could not be considered strictly necessary for the provision of the service (in this case, the App Store) and was therefore not exempt from the prior consent requirement. In this instance, the relevant iPhone setting was pre-checked by default. The CNIL also found that users had to perform too many steps to disable the setting, making consent too difficult both to give and to withdraw.

According to the CNIL, the €8 million fine is justified by the fact that the processing was restricted to the App Store, the number of French residents affected, the advertising revenue Apple derived indirectly from the data collected using these identifiers, and the fact that the company has since achieved compliance with iOS 15.

Key takeaways: Interaction between Apple’s ATT and the ePrivacy Directive  

  • Contrary to widespread belief, the ePrivacy Directive requirements concerning the access to and storage of cookies and other tracking technologies do not apply only to browsers and web pages, but also to mobile apps. The processing of personal data through mobile applications is a top concern for the CNIL. The implementation of Consent Management Platforms (CMPs) and other systems for obtaining consent for tracking technologies is therefore likely to increase in future apps (see the CNIL Consultation Paper on Data Collection in Mobile Apps).
  • Since the user has a reasonable expectation that they will not be monitored, refusing consent in the ATT pop-up will be interpreted as refusing all tracking technologies. Any tracking of users after such a refusal is deemed deceptive and unfair.
  • The opposite will not be true. Consent to tracking in the ATT pop-up will not be sufficient for all tracking activities, because it does not give users sufficient information about the various tracking technologies in use and their purposes. Nor does it allow users to give granular consent and accept only specific tracking technologies.

Recommendations  

“Personal data collection in smartphone applications” is one of the main focuses of the CNIL’s 2022–2024 strategic plan. The CNIL’s goal is to increase the compliance of mobile applications and their ecosystems and to make data flows transparent in order to better protect user privacy. This decision against Apple confirms that businesses must take specific steps before proceeding with any kind of data processing activity. Specifically, organisations should:

  • Inform users of all kinds of data being collected from them. This is the primary responsibility of every organisation: the purpose of the collection and how the data will be used must be communicated to the people it is collected from.
  • Provide a voluntary opt-in, as the GDPR requires, if you are collecting user data for your own business activities. This means that if the user does not explicitly declare that they agree to the tracking, you must not track them.
  • Examine whether a Data Protection Impact Assessment is necessary to detect and mitigate any risks related to the processing activities.

The CNIL fine follows several personalised advertising and cookie-related enforcement actions in the EU, and it serves as a reminder to all organisations operating in the EU that sanctions for personalised advertising can have a significant impact. It also sets the bar for ensuring that organisations consider not just data protection requirements but also other legislation such as the ePrivacy Directive (and the national legislation implementing it), as well as the planned ePrivacy Regulation. This is therefore an ideal moment to review your organisation’s GDPR compliance.

Trilateral’s Data Protection and Cyber-risk team has data protection specialists with extensive expertise and experience in reviewing the lawfulness of data processing activities and can advise your organisation on the necessary actions before it engages in any data processing activity. Please feel free to contact our advisors, who would be happy to discuss your compliance needs in light of these decisions.
