The Cnil has fined Apple 8 million euros for having imposed advertising trackers on its users in France, without their explicit consent, as reported on Wednesday, January 4.
The investigation was launched by the French internet privacy watchdog following a complaint by the France Digitale association, which brings together French start-ups and, in particular, software developers distributed through the US group’s app store. . The relatively limited nature of the fine is explained by the fact that Apple quickly complied during the Cnil investigation, which took place in mid-2021.
In addition, these advertising identifiers only allowed Apple to target Internet users when they were browsing the mobile application store (App Store), therefore in a very limited scope. Finally, the authority could only penalize the infractions in France.
In fact, the old version 14.6 of Apple’s operating system deposited identifiers “by default” in the brand’s mobile devices (iPhone, iPad, etc.). These identifiers allowed Apple to personalize the ads displayed in its app store. If the user did not want this advertising tracking, they had to uncheck a box in the device settings.
extenuating circumstance
At the time of the complaint, the CEO of France Digitale, Nicolas Brien, had criticized Apple’s “double standards”. The Apple brand allowed itself a pre-ticked box for its trackers, while it recently forced third-party apps to request explicit user consent for their own cookies.
“For years” the position of the European Court of Justice and the courts has been “very clear”, explained to AFP the general secretary of the Cnil, Louis Dutheillet de Lamothe. Meaningful consent “cannot be a pre-ticked box,” he emphasized.
However, if Apple is convicted, the company may find solace in the details of the Cnil’s decision. This does recognize as mitigating the operation “by cohorts”, and not individually, of this advertising targeting. With these identifiers, Apple does not seek to target individuals, but categories of individuals, a less aggressive operation for privacy.
The sanction only concerns France, as it is subject to the European ePrivacy Directive, which only allows national sanctions. The European Data Protection Regulation (GDPR), which provides for sanctions at the European level, does not apply in this specific case.
Source: BFM TV
