Simon Coulthard January 17, 2023
The French Data Protection Authority, CNIL, declared on December 29, 2022, that it had fined Apple $85 million for breaking French laws governing the use of cookies, other tracking technologies, and targeted advertising.
Between 2021 and 2022, CNIL conducted several investigations after receiving a complaint about Apple's ad personalization practices on the App Store.
According to CNIL's findings, Apple was collecting the identifiers of users who visited the App Store while using the old iPhone operating system (version 14.6) for a variety of purposes, including personalizing ads displayed on the App Store.
Ultimately, Apple had been collecting personal data by default and without the permission of users - contravening important responsibilities set by data privacy regulations.
Read more about this topic on the CNIL website.
The CNIL services discovered that when a user visited the App Store using the outdated operating system version 14.6 of the iPhone, identifiers used for a number of purposes, including the personalization of App Store advertisements, were automatically read on the terminal without the action of obtaining consent.
By default, Apple was gathering data and using it for advertisements, according to CNIL, and users had to take a "large number of actions" to disable advertising in the Privacy section of the Settings app.
The CNIL determined that Apple had violated Article 82 of the Data Protection Act and given an $8.5 million fine.
The amount of the fine, according to the CNIL, is justified by the fact that the processing was restricted to the Apple Store, the number of French residents who were affected, Apple's profits from advertising revenues derived indirectly from the data collected using these identifiers, and the fact that the company has since achieved compliance.
The tech giant also suffered a class-action lawsuit that was filed against Apple on November 10 with the claim that it continues to track user behavior even when the option is disabled.
With GDPR coming into effect along with other data privacy laws, every company should pay attention to its consent cookie banner. Or they should try cookieless tracking to avoid huge fines.
Gain World-Class Insights & Offer Innovative Privacy & Security