Apple Store in France showing ad personalization and consent fine by CNIL

Apple Fined €8 Million for App Store Ad Personalization in France, Consent Process Insufficient

France remains active in issuing direct fines to tech companies under the terms of its French Data Protection Act, circumventing the usually laborious and contentious General Data Protection Regulation (GDPR) process. This time it has hit Apple’s App Store with a fine of €8 million over its ad personalization practices, taking it to task for not properly collecting consent and making the process of opting out too indirect.

The fine applies to version 14.6 of iOS, which was released in late May 2021 and was updated in July of that year. The Apple Developer website indicates that about 18% of all iPhones continue to use iOS 14 or an earlier version.

iOS ad personalization failed to meet French data protection standards prior to mid-2021

Article 82 of the French Data Protection Act requires that consent must be obtained before identifiers for ad personalization purposes can be deposited or written onto a device. Apple fell afoul of the law by placing these App Store identifiers by default and without informing the end user.

Apple had no legal wiggle room in this due to the fact that the ad personalization identifiers are not essential for the operation of the service. The settings could also be manually disabled via the iPhone “Privacy” menu, but were on by default.

The App Store penalty is another case of French privacy regulator CNIL exercising its own power to directly fine a tech firm that would normally be shielded by the Ireland DPC during the GDPR investigation process. EU nations that have adopted their own privacy law that incorporates the ePrivacy Directive are able to do this in certain data privacy cases that can be shown to impact citizens of their country, particularly if tracking cookies and ad personalization are involved. And while Apple’s regional EU headquarters are in Ireland, the fact that it has offices and a retail presence in France also helped the case.

Though Apple has changed its ad personalization settings since iOS 14.6, a spokesperson for the company said that it was “disappointed” in the decision and was planning to appeal. Apple’s App Tracking Transparency framework has brought privacy to the forefront for device owners with its requirement that third party apps disclose ad tracking and obtain user consent, but several of its own apps (such as the App Store and News) have been criticized for being exempt from some of these rules.

Legal scrutiny of Apple App Store focuses on its special exceptions

The App Store fine comes amidst a small wave of similar actions from CNIL, which kicked off 2022 with a combined €210 million in fines to Google and Facebook predicated on ePrivacy Directive violations. The year closed with a €60 million fine to Microsoft for violations involving the Bing search engine. These actions nearly always involve tracking cookies, which the ePrivacy Directive specifically addresses.

The fine to Apple is not among the largest of these ad personalization penalties from CNIL, which determines the cost based on the scope of processing and the number of impacted data subjects in France alone. The profit Apple made from the ads and the company’s efforts to come into compliance before the penalty was handed down were also considered. Apple’s relatively quick update to iOS 14.6 may have been prompted in part by the complaints with the French regulator that triggered the investigation.

The exceptions that Apple has granted to its own apps have been a sore point in the company’s privacy marketing strategy, and one that keeps popping up in lawsuits and regulatory actions. Apple’s general defense has always been that it does not let the ad personalization information it collects out of its own ecosystem, and CNIL’s relatively small fine likely reflects the fact that third party data brokers were not involved. The company has faced greater trouble from the antitrust aspect of the situation; app developers have had some legal success in arguing the company has monopoly power given it operates one of essentially just two viable app stores, and that it could be favoring its own apps and services by putting greater restrictions on third party ad personalization.

In the meantime, Apple has several ongoing GDPR probes that remain unresolved, one of which involves whether the transparency into its handling of ad personalization is sufficient. These investigations are being handled by the Irish DPC, and some have now been open for over three years. Getting a bearing on their progress is difficult given that the Irish DPC has a policy of not commenting on cases in progress. The European Commission is also heading up an antitrust investigation involving the company’s treatment of apps that were in competition with Apple Pay.