The French data protection authority (CNIL) has fined Apple €8,000,000 ($8.5 million) for collecting user data for targeted advertising on the App Store without request or obtain user consent.
This practice is considered a violation of Article 82 of the French Data Protection Act (LPD), a national directive that aligns with the GDPR (General Data Protection Regulation), which is applicable in all Europe.
Article 82 of the LPD requires that “any action by which an electronic communication service accesses or inserts information into the terminal equipment of a user (such as the registration of cookies) requires the consent of the user. “.
It’s the same item which Facebook and Google have violated in the past by making it difficult for visitors to their website to find the option to reject tracking cookies, for which the CNIL fined Facebook and Google €60,000,000 (68 million) and €150,000,000 ($170 million) respectively.
As the CNIL explains in the justification for the sanction, the setting for disabling persistent identifiers allowing Apple to profile users is available on iOS and set to “enabled” by default, but it is somewhat hidden.
Specifically, the option is in the “Apple Advertising” section of the “Privacy” subsection of the iOS “Settings” menu.
This means that the user had to follow several targeted steps to find and deactivate this tracking system, and it is presumed that most will not know how to do it or will not bother to look for it.
According to the CNIL announcement, user profiling was done automatically on iOS 14.6, which is the version reviewed by the data protection authority following user reports.
The CNIL suggests that Apple could keep the option “buried” in the settings menu as long as it prompts the user to consent to App Store tracking when first setting up the device, which does not was not the case in iOS 14.6.
Apple has since addressed this issue, so newer versions of iOS handle user consent issues in accordance with applicable data protection laws.
However, the CNIL still had to impose a fine for the period of infringement, with the €8 million figure reflecting the number of users impacted in France and the estimated indirect profits the company made from targeted advertising. .
Asked for comment, a spokesperson for Apple France told BleepingComputer that they plan to appeal the CNIL’s decision.
Here is Apple’s statement in full:
We are disappointed with this decision given that the CNIL has previously acknowledged that the way we serve search ads in the App Store prioritizes user privacy, and we will appeal.
Apple Search Ads goes further than any other digital advertising platform we know of by giving users a clear choice about whether or not they want personalized ads.
Additionally, Apple Search Ads never tracks users across third-party apps and websites and only uses first-party data to personalize ads.
We believe that privacy is a fundamental human right and that a user must always decide what to share their data with and with whom.