The sanction decision was issued on December 29 but only made public yesterday (the text of the decision is available here in French). The CNIL is acting under the European Union’s ePrivacy Directive — which allows Member State-level data protection authorities to take action over local complaints about breaches, rather than requiring that they be referred to a lead data supervisor in the country where the company in question has its main EU establishment (as happens with the EU’s newer General Data Protection Regulation, or GDPR).
While the size of the fine isn’t going to cause any sleepless nights in Cupertino, Apple leverages claims of peerless user privacy to polish its premium brand — and differentiate iPhones from cheaper hardware running Google’s Android platform — so any dent in its reputation for protecting user data should sting.
The CNIL says it was acting on a complaint against Apple for showing personalized ads on its App Store. The action relates to an older version (14.6) of the iPhone operating system. After investigating in 2021 and 2022, the watchdog found that, under this version, the tech giant had not obtained prior consent from users to process their data for targeted advertising that was served when a user visited Apple’s App Store.
The CNIL found that v14.6 of iOS automatically read identifiers on the user’s iPhone — which served a number of purposes, including powering personalized ads on the App Store — and that this processing occurred without Apple obtaining proper consent, in the regulator’s view, as consent was gathered via a setting that was pre-checked by default. 2019 CNIL guidance on the ePrivacy Directive stipulates that consent is necessary for ad tracking.
From the CNIL’s press release [translated from French with machine translation]:
Due to their advertising purpose, these identifiers are not strictly necessary for the provision of the service (the App Store). Consequently, they must not be able to be read and/or deposited without the user having expressed his prior consent. However, in practice, the ad targeting settings available from the iPhone’s ‘Settings’ icon were pre-checked by default.
In addition, the user had to perform a large number of actions to successfully deactivate this parameter since this possibility was not integrated into the initialization process of the telephone. The user had to click on the ‘Settings’ icon of the iPhone, then go to the ‘Privacy’ menu and finally to the section entitled ‘Apple Advertising’. These elements did not make it possible to collect the prior consent of users.
The CNIL said the level of the fine reflects the scope of the processing (which it notes was limited to the App Store); the number of French users affected; and the profits Apple derives from ad revenue indirectly generated from the data collected by the identifiers — with the regulator also factoring in that Apple has since brought itself into compliance.
Apple was contacted for comment on the CNIL sanction. A company spokesman confirmed it plans to appeal — sending us this statement:
We are disappointed with this decision given the CNIL has previously recognized that how we serve search ads in the App Store prioritizes user privacy, and we will appeal. Apple Search Ads goes further than any other digital advertising platform we are aware of by providing users with a clear choice as to whether or not they would like personalized ads. Additionally, Apple Search Ads never tracks users across 3rd party apps and websites, and only uses first-party data to personalize ads. We believe privacy is a fundamental human right and a user should always get to decide whether to share their data and with whom.