French Privacy Regulator Fines Apple 8 Million Euros for Ad Targeting Violations

On December 29, 2022, France’s privacy regulator (CNIL) imposed an €8 million fine on Apple. The CNIL found Apple in breach of France’s ePrivacy rules for not obtaining mobile users’ consent prior to reading and depositing Identifiers for Advertising (IDFAs) on those users’ devices. Apple has announced that it intends to appeal the decision.

Background

On March 10, 2021, France Digitale filed a complaint with the CNIL against Apple, alleging that Apple failed to properly obtain users’ prior consent for processing IDFAs to serve personalized advertising on the App Store in an older version (14.6) of the iPhone operating system (iOS).

The Decision

  1. The CNIL asserts jurisdiction under French ePrivacy Law even though it is not Apple’s lead privacy regulator under the GDPR
    The CNIL concluded it had jurisdiction because the claims related to the French implementation of the EU’s ePrivacy Directive (the “French ePrivacy Law”), and not the GDPR. Under the GDPR, controllers can rely on the “one-stop-shop” mechanism, which allows them to appoint one data protection regulator for all investigatory matters. Under the ePrivacy Directive, the “one-stop-shop” mechanism does not apply, so any regulator can start an investigation on cookies or similar identifiers under its own national implementing laws.
  2. The IDFAs used by Apple
    IDFAs are codes stored on Apple servers and assigned to each App Store user so that Apple can identify the user to provide its App Store services. While the user is browsing the App Store, the user’s activity is traced and linked to the IDFA on Apple’s servers (“first-step-IDFA”). If the targeted advertising settings are enabled in the App Store, Apple uses the first-step-IDFA to serve targeted advertising to the user on the App Store. In iOS 14.6, the advertising settings are enabled by default and Apple does not display a pop-up to obtain users’ consent.

    Next, the user’s device generates two other identifiers (“second-step-IDFAs”). When a user searches for an application in the App Store, the device sends an advertisement request to Apple’s “Ad Platforms” servers. A second-step-IDFA replaces the first-step-IDFA and breaks the link between the identifier and the identity of the user, preventing Apple’s “Ad Platforms” servers from being able to identify the specific Apple user account. One of the second-step-IDFAs is also used to count the number of times an ad is displayed on a user’s device.
  3. The IDFAs used by Apple are not strictly necessary to provide the App Store services
    Under the French ePrivacy Law, companies must obtain users’ consent before storing or gaining access to information on a user’s device (such as by using cookies and other identifiers, including IDFAs), unless the access is strictly necessary for the provision of a service requested by the user. Consent requires a positive action by the user.

    In this case, Apple argued that the initial reading of first-step-IDFAs did not require user consent under the French ePrivacy Law because it was strictly necessary to provide the services, i.e. to return search results in the App Store to the user. Apple further argued that its subsequent processing of first-step-IDFAs for advertisement personalization fell outside the scope of the French ePrivacy Law because it was done on its own servers and therefore did not qualify as storing or gaining access to information on a user device. The CNIL disagreed, and found that because Apple ultimately used the first-step-IDFAs for advertising purposes, even if that was not the initial use case, Apple could not rely on the strictly necessary consent exemption under the French ePrivacy Law.

    Regarding the second-step-IDFAs, Apple argued that they were exempted from the French ePrivacy Law consent requirement because they were accessed solely as strictly necessary to protect users’ privacy. The CNIL found that Apple ultimately read these identifiers for advertising purposes and could therefore not rely on the consent exemption for strictly necessary trackers.

    The CNIL concluded that Apple was required to obtain consent from users to process both the first-step-IDFA and the second-step-IDFAs.
  4. Apple did not obtain valid consent from users to use IDFAs
    According to the CNIL, Apple failed to obtain valid consent from users because the advertising settings were pre-checked by default. In addition, the option for users to provide or deny consent was not integrated in the user flow and it took too many actions to reach the setting and deactivate it.
  5. Fine of €8 million
    The CNIL held that Apple infringed the French ePrivacy Law and imposed an €8 million fine. In setting the amount, the CNIL took into account the following factors:

    • The scope of the processing: the App Store is the only official distribution channel for mobile applications on iOS devices, since Apple does not allow apps to be downloaded outside of the App Store. Therefore, Apple users have no choice but to engage with it.
    • The number of French users affected: the CNIL noted that 27.5 million iOS 14.6 devices connected to the French App Store using a French IP address in the relevant period.
    • Apple’s financial advantage: the breach enabled Apple to present users with personalized ads promoting apps on the App Store.

    As a mitigating factor, the CNIL considered that the second-step-IDFAs made Apple’s data processing less intrusive, by making it impossible to directly link the advertisements served on the App Store to the users’ identities.

Takeaways for Businesses

  • Regulators are digging deep in reviewing consent exemptions under ePrivacy rules. Businesses should proceed carefully when re-using identifiers collected under the strictly necessary exemption for different purposes like advertising. According to the CNIL, the consent exemption only applies where all purposes of the identifiers (not only the purpose of collection) are strictly necessary.
  • The CNIL is part of the “Cookie Taskforce” set up by the EDPB aimed at harmonizing EU regulators’ approach when it comes to investigating and enforcing privacy breaches relating to cookies and other tracking technologies. It is therefore likely that other regulators share the CNIL’s viewpoint.
  • In-app consent pop-ups for IDFAs and similar identifiers are becoming more and more standard. Businesses should review their use of IDFAs and similar identifiers and implement compliant consent mechanisms where required.
  • The GDPR’s one-stop-shop will not protect businesses from enforcement under ePrivacy rules by other regulators. In addition, companies without an establishment in the EU but that access EU users’ IDFAs or other identifiers are subject to regulators’ ePrivacy enforcement powers in their territory.