A rare privacy penalty for Apple: France’s data protection watchdog, the CNIL, has announced it imposed a sanction of €8 million (~$8.5M) on the iPhone maker for not obtaining local mobile users’ consent prior to placing (and/or reading) ad identifiers on their devices in breach of local data protection law.
The sanction decision was issued on December 29 but only made public yesterday (the text of the decision is available here in French).
The CNIL is acting under the European Union’s ePrivacy Directive — which allows for Member State level data protection authorities to take action over local complaints about breaches, rather than requiring they be referred to a lead data supervisor in the country where the company in question has its main EU establishment (as happens with the EU’s newer General Data Protection Regulation, or GDPR).
While the size of this ePrivacy fine isn’t going to cause any sleepless nights in Cupertino, Apple leverages claims of peerless user privacy to polish its premium brand — and differentiate iPhones from cheaper hardware running Google’s Android platform — so any dent in its reputation for protecting user data should sting.
The CNIL says it was acting on a complaint against Apple for showing personalized ads on its App Store. The action relates to an older version (14.6) of the iPhone operating system, under which — after the watchdog investigated in 2021 and 2022 — it found the tech giant had not obtained prior consent from users to process their data for targeted advertising that was served when a user visited Apple’s App Store.
CNIL found that v14.6 of iOS automatically read identifiers on the user’s iPhone — which served a number of purposes, including powering personalizing ads on the App Store — and that processing occurred without Apple obtaining proper consent, in the regulator’s view, as consent was being gathered via a setting that was pre-checked by default. (NB: 2019 CNIL guidance on the ePrivacy Directive stipulates that consent is necessary for ad tracking.)
From the CNIL’s press release [translated from French with machine translation]:
Due to their advertising purpose, these identifiers are not strictly necessary for the provision of the service (the App Store). Consequently, they must not be able to be read and/or deposited without the user having expressed his prior consent. However, in practice, the ad targeting settings available from the iPhone’s ‘Settings’ icon were pre-checked by default.
In addition, the user had to perform a large number of actions to successfully deactivate this parameter since this possibility was not integrated into the initialization process of the telephone. The user had to click on the ‘Settings’ icon of the iPhone, then go to the ‘Privacy’ menu and finally to the section entitled ‘Apple Advertising’. These elements did not make it possible to collect the prior consent of users.
The CNIL said the level of fine reflects the scope of the processing (which it notes was limited to the App Store); the number of French users affected; and the profits Apple derives from ad revenue indirectly generated from the data collected by the identifiers — as well as the regulator factoring in Apple having since brought itself into compliance.
Apple was contacted for comment on the CNIL sanction. A company spokesman confirmed it plans to appeal — sending us this statement:
We are disappointed with this decision given the CNIL has previously recognized that how we serve search ads in the App Store prioritizes user privacy, and we will appeal. Apple Search Ads goes further than any other digital advertising platform we are aware of by providing users with a clear choice as to whether or not they would like personalized ads. Additionally, Apple Search Ads never tracks users across 3rd party apps and websites, and only uses first-party data to personalize ads. We believe privacy is a fundamental human right and a user should always get to decide whether to share their data and with whom.
It’s not the first time Apple has faced critical scrutiny over privacy double standards. Back in 2020, European privacy rights campaign group noyb filed a series of complaints with EU data protection watchdogs about an Identifier for Advertisers (aka IDFA) baked into the iPhone by default by Apple, arguing the existence of the IDFA was a similar breach of the prior consent to tracking principle.
The company has also been accused of privacy hypocrisy in recent years over its different treatment vis-a-vis the tracking of iPhone users’ app activity to serve its own ‘personalized ads’ vs a recently introduced requirement that third party apps obtain consent from users — after it introduced the App Tracking Transparency feature (aka ATT) to iOS back in 2021.
Apple has continued to dispute these lines of arguments — claiming it complies with local privacy laws and offers a higher level of privacy and data protection for iOS users than rival platforms.
Amazon, Google and Meta (Facebook) have also all been hit with CNIL sanctions for cookie-related breached since 2020. And last year Google went on to update its cookie consent pop-up across the EU to (finally) offer a simple ‘accept all’ or ‘refuse all’ option at the top level.
tl;dr: Regulatory enforcement of privacy works.
The steady flow of enforcements and corrections that the CNIL’s interventions have been able to achieve for users in France via ePrivacy — a much older EU directive than the GDPR — has cast further critical light on the operation of the latter flagship privacy regulation where scrutiny and enforcement on tech giants continues to be bogged down by forum shopping, associated procedural bottlenecks and resourcing issues, as well as by disputes between regulators over how to settle these cross-border cases.
But while a GDPR complaint against a tech giant can take years, plural to get enforced — such as the ~4.8 years it took to finalize ‘forced consent’ advertising complaints against two Meta properties, Facebook and Instagram, and still with likely years of appeals of that decision ahead (and with other even longer-standing complaints still inching painstakingly toward a final decision) — the difference between an EU directive and a regulation means that enforcement is pan-EU by default, rather than being localized to the jurisdiction of the enforcing DPA. That means, with ePrivacy, any wider compliance rollouts are at the discretion of a sanctioned entity — so the impact for users may be more localized.
Additionally, any (eventual) GDPR penalties may also be more substantial than ePrivacy stings — with the GDPR allowing for fines of up to 4% of global annual turnover, while ePrivacy is stuck with an older regime that leaves it up to Member States to set “effective, proportionate and dissuasive” penalties. (Ergo, user rights here are tethered to local politics.)
Although corrective orders can have far more bite for big tech than financial sanctions given how much revenue these giants pull in — as even fines that run to hundreds of millions or more may be written off as just a cost of doing business. Whereas orders to change practices to comply with privacy laws can force meaningful reforms.
It’s worth noting that the EU has been attempting — for years — to replace the now more-than-two-decades-old ePrivacy Directive with an updated ePrivacy Regulation. However big tech lobbying and lawmaker disputes over a 2017 Commission proposal have conspired to stall the file for most of this period.
Member States did, at long last, agree a common negotiating position in February 2021 — finally enabling trilogue negotiations to kick off. But debates between the EU’s co-legislators over big and small details continue — and it’s not clear when (or even if) a consensus can be hashed out.
And that means the veteran ePrivacy Directive may still have years more working life — and millions more in big tech fines — ahead of it.