Mobile phones, 09.01.2023, 10:30 AM
The French regulatory agency for data protection (CNIL) fined Apple 8,000,000 euros for collecting user data for targeted advertising in the App Store without requiring or securing user consent.
This practice is considered a violation of Article 82 of the French Data Protection Act (DPA), which is aligned with the General Data Protection Regulation (GDPR) that applies across Europe.
Article 82 of the French Data Protection Law requires that “any action by which an electronic communication service accesses or enters information into the user’s terminal equipment (such as storing cookies) requires the user’s consent”.
This is the same article that Facebook and Google previously violated by making it difficult for visitors to their websites to find the option to refuse tracking cookies, which is why CNIL fined Facebook and Google 60,000,000 euros and 150,000,000 euros, respectively.
In explaining the fine, the CNIL said that the setting to disable persistent identifiers that allow Apple to profile users is available on iOS, but it is set to “enabled” by default and is somewhat hidden. Specifically, the option is located under the “Apple Advertising” section of the “Privacy” setting found in the iOS “Settings” menu.
This means that the user had to go through several steps to find and deactivate this tracking system because the option was not included in the initialization process of the phone, and it is assumed that most users did not know how to do it or had to go out of their way to find it.
According to the CNIL statement, on iOS 14.6, the iOS version analyzed by the CNIL, user profiling occurred automatically after user login.
CNIL says Apple could keep the option “buried” in the settings menu as long as it asks users to consent to App Store tracking after initial device setup, which was not the case with iOS 14.6.
Apple has fixed this problem, so newer versions of iOS handle user consent in accordance with applicable data protection laws.
Nevertheless, the CNIL decided to impose a fine for the period of the breach, the €8 million figure reflecting the number of affected users in France and the estimated indirect profit the company made from targeted advertising.
An Apple spokesman in France said they plan to appeal the CNIL’s decision.
Cover photo: Ahmet Onur Yeygun, Pexels