The past year has seen Apple undergo a bold shift in business strategy, putting a strong emphasis on the security and privacy of its devices by nearly running the targeted advertising industry out of them. However, there has been some early speculation that this might ultimately be more about Apple’s own budding advertising services as much as it is about what’s best for its users. Notes from a recent ruling by CNIL, France’s data protection authority, are likely to add some fuel to that speculation. In a confidential note attached to the proceedings, CNIL raised questions about Apple’s own privacy compliance. The regulator indicated that Apple may not be obtaining proper consent when using first-party tracking methods such as cookies, something it characterized as a potential ” … major breach of regulations.”
Apple might become the center of privacy compliance focus in EU
It should be made clear that this is not a formal decision against Apple, nor is it an announcement of an investigation by the data protection authority. However, it is an indication that Apple might fail the privacy compliance test under General Data Protection Regulation (GDPR) rules if formally scrutinized. That is something that could happen in the near future given that it faces a recently-filed complaint in France alleging that iOS 14 does not meet EU privacy compliance standards.
The information comes from a confidential note obtained by Politico and signed by CNIL President Marie Laure Denis . The note comes from the data protection authority’s recent ruling that Apple’s App Tracking Transparency framework is in line with the GDPR. CNIL praised the centerpiece of the framework (and chief bone of contention for the advertising industry), the mandatory pop-up that asks users to opt in to use of the IDFA device identifier for tracking.
While CNIL put its stamp of approval on the iOS 14 privacy changes as pertains to third-party tracking, the data protection authority privately questioned whether Apple’s first-party tracking comports to privacy compliance regulations. It specifically questions whether Apple’s own definition of internal tracking of users is too narrow. The data protection authority expressed concern with the fact that Apple is reading and writing data from the terminal without collecting consent; this includes the use of first-party cookies, or those that only Apple is able to view.
CNIL opines that since other targeted advertising companies are required to collect consent when reading or writing data in this way, the tech giant should be held to the same standard. Apple’s case against this idea is that its devices are equipped with “privacy-by-default features” and that users have the option of opting out of first-party data collection. However, CNIL notes that personalized ad tracking being enabled by default could be an issue for the company. CNIL also noted that while Apple was not running a ” … data hungry intrusive business model,” it would nevertheless be required to meet the same consent standards that anyone else collecting similar personal data for advertising purposes would. That would mean full up-front notification as to what is being collected and how it is being used according to GDPR requirements, something that is not necessarily done with the pre-installed apps that come ready to launch on Apple devices.
Data protection authority takes up Apple privacy complaint
All of this analysis was done to inform the upcoming case brought by France Digitale, a lobbying group that represents a wide variety of France’s small businesses and entrepreneurs. The startup lobby is demanding that Apple be subject to exactly the same privacy compliance standards that advertisers in its ecosystem are subject to re: the IDFA. That would mean IDFA use switched off on devices by default and requiring an opt-in prompt even for Apple’s pre-installed apps. In addition to GDPR rules, this particular matter might fall afoul of privacy compliance standards established under the EU’s ePrivacy Directive. If the matter is judged to be related to ePrivacy standards, it would empower France to act directly without referral to any other EU data protection authority.
Apple is not currently a major player in targeted advertising, but has been developing its own system since 2019. The system currently works through specific pre-installed apps such as Apple News, the App Store and Apple Stocks. It makes use of the user’s IDFA to deliver personalized ads; users can opt out of this tracking, but at present can only do this by turning off the IDFA entirely in the settings menu.
CNIL is continuing to investigate the complaint, with no set date as to further action. The note is currently nothing more than a matter of initial opinion, but does give some insight as to how the data protection authority is proceeding with its privacy compliance investigation.