The unique device identifier that Apple uses for personalized ad tracking, the IDFA, has been in the news lately. You may soon be hearing just as much about Google’s equivalent for Android, the Android Advertising Identifier (AAID).
Unlike Apple, Google is not voluntarily throttling the third-party tracking of Android users that the AAID facilitates. But it is facing a new privacy complaint in the EU brought by noyb, the group that disrupted EU-US data transfers and has previously taken on Facebook and Apple. noyb accuses Google of not collecting appropriate consent as required by EU regulations, in a case that involves some 306 million Android device users in the region.
Android ad tracking under examination in France
noyb has filed the complaint with French data protection authority CNIL. It has also alleged a violation of the ePrivacy directive rather than the GDPR, which means that CNIL has the option of keeping the case in-house and rendering a decision on its own. Since Google has its EU headquarters in Ireland, a GDPR case would involve the EU’s other data protection authorities.
The complaint points out that Google assigns each device an AAID for use in ad tracking via apps downloaded from the Play Store; as with Apple’s IDFA, this is a central component for free-to-use apps that rely on display advertising for revenue. noyb argues that the AAID is created and used without the end user’s knowledge or consent, in violation of the ePrivacy directive and France’s national data protection act (“Loi informatique et libertés”). An Android device is additionally not able to function without an AAID; while recent Android versions allow the user to have a new one generated at any time, there is no opting out of or removing it. Users also cannot remove data associated with a previous ID. noyb contends that this does not meet the threshold of “informed and unambiguous” permission collection required by the privacy directive.
This may be a violation of GDPR terms as well, though this particular complaint specifically notes that it does not want it evaluated in that way. In May 2020 noyb filed a similar complaint related to the AAID in Austria that is being reviewed for potential GDPR violations.
The complaint is particularly noteworthy given noyb’s track record. The company’s successful challenge to the EU-US Privacy Shield agreement last year was a shock to the world, and forced companies passing EU citizen personal data between the continents to scramble to come up with alternative mechanisms that satisfied strict GDPR privacy conditions (an issue that still has legal questions hanging over it). noyb was also successful in petitioning CNIL to take action against Google in 2018 over “forced consent” to privacy policies, a case that Google lost on appeal and that eventually led to a fine of 50 million euros.
The AAID is actually meant to be Android’s mechanism for protecting user privacy. It tracks a great deal of data about user activity and what they interact with as they navigate the internet and other apps, but it is meant to be an anonymized ad tracking solution that keeps elements of the user’s personal identity away from advertisers. In early 2019, a study by AppCensus found that tens of thousands of Android apps were bypassing the AAID with tracking methods that were more invasive, accessing things like hardware MAC addresses and IMEI numbers. During the controversy over TikTok that played out over the second half of 2020, it was found that the popular social media app was using encryption to hide the fact that it was using techniques that accessed the user’s MAC address for tracking and data gathering purposes.
Comparison to Apple’s IDFA
Apple’s IDFA was created for similar reasons, but may have run its course. The upcoming iOS 14.5 update is expected to integrate the final pieces of its App Tracking Transparency framework, which requires app publishers to obtain consent to use the IDFA for ad tracking when the user downloads and installs the app. Apple has taken the additional step of banning “device fingerprinting” and other alternative forms of ad tracking from the platform, which would in theory give Android a considerable advantage in attracting marketing dollars. For several software versions now Apple has allowed its users to disable use of the IDFA entirely in the settings menu; studies indicate about 50% of its users have done so. Once users are proactively prompted with an ad tracking opt-in notice for each new app, marketers expect that number to go up substantially.
In addition to “substantial sanctions,” Google might be forced into a similar situation should CNIL decide in favor of noyb (or should the GDPR case be decided similarly, though that process is likely to take a much longer time). Using the numbers seen among Apple users, that could mean Google losing half its ad tracking market if it is forced to allow for opting out of the AAID entirely. It remains to be seen exactly how hard the new mandatory opt-in notifications will hit the Apple market, but Google could be in for similar pain if regulators decide that something similar is a required component of collecting informed consent.