France’s Data Protection Authority (CNIL) has fined Apple EUR8,000,000 ($8.5M) for collecting user data to target advertising via the App Store without requesting consent.
This is a violation of Article 82 of the French Data Protection Act (DPA), a French directive that is in line with the GDPR (General Data Protection Regulation), which is applicable throughout Europe.
The French DPA Article 82 requires consent from the user for “any electronic communication service to access or enter information (such as cookies storage) in the terminal equipment of a user.”
It is the same article that Facebook and Google violated previously by making it difficult for website visitors to locate the option to refuse tracking cookies. CNIL fined Facebook $68M and Google EUR150,000,000 ($170M).
CNIL explains the reason for the penalty in its rationale. The setting to disable the persistent identifiers that make it possible for Apple to profile users can be found on iOS, but it is set to “enabled” by default and is somewhat obscure.
The option can be found in the Apple advertising section of “Privacy”, which is located under the iOS “Settings” menu.
This means the user needed to take several steps to locate and disable this tracking system. Most people won’t even know what to do or where to look for it.
According to CNIL, user profiling occurred automatically on iOS 14.6, the iOS version that was examined by the data protection authority after user reports.
CNIL suggested that Apple could keep this option “buried” within the settings menu, provided it prompted the user to agree to App Store tracking on the first device setup. This was not the case with iOS 14.6.
Apple has since remediated the issue, and iOS versions later than iOS 5.1 will treat consent matters in accordance with applicable data protection laws.
CNIL still had to impose a penalty for the violation. The EUR8 million figure reflects the total number of users impacted in France as well as the indirect profit the company earned from targeted advertising.
A spokesperson for Apple France told BleepingComputer that Apple France plans to appeal the decision of CNIL.
This is Apple’s complete statement:
This decision is disappointing, as the CNIL previously acknowledged that the way we display search ads on the App Store prioritises user privacy. We will appeal.
Apple Search Ads is unlike any other digital advertising platform that we know of, allowing users to choose whether they want personalized ads.
Apple Search Ads does not track users on third-party apps or websites. Instead, it uses only first-party data for personalizing ads.
Privacy is an essential human right. Users should have the power to choose whether or not to share data with others.