Contents:
Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority, fined Apple €8,000,000 ($8.5M) for collecting user data without the user’s consent. The data was used to better target advertising in the App Store.
These actions are against Article 82 of the French Data Protection Act (DPA), the French law aligned with the European General Data Protection Regulation (GDPR)
Article 82 says that “any action through which an electronic communication service accesses or enters information in a user’s terminal equipment (such as the storage of cookies) requires the user’s consent.”
Why Was Apple Fined?
CNIL penalty was triggered by users’ reports about the automated profiling on iOS 14.6. The persistent identifiers used by Apple to profile customers were enabled by default on the devices and difficult to turn off as the option were not in plain sight.
More specifically, the option is on the “Apple advertising” section of the “Privacy” subsection of the iOS “Settings” menu.
The users had to take several steps to get to this profiling system, so it is presumed that it was difficult for many of them to find it. The option can be kept in its place, CNIL says, as long as the user is notified about the App Store tracking on the first setup of a device.
The CNIL services found that under the old version 14.6 of the operating system of the iPhone when a user visited the App Store, identifiers used for several purposes, including personalization of ads on the App Store, were by default automatically read on the terminal without obtaining consent.
Legal Context
Even though the newer versions of iOS do not present the same conflicting issues, the fine is meant to punish Apple for the period in which it violated the data protection laws. The €8 million reflects the number of affected individuals in France only and the company’s estimated revenue from the targeted ads.
Apple France declared to BleepingComputer that they plan to appeal the fine: “We are disappointed with this decision given the CNIL has previously recognized that how we serve search ads in the App Store prioritizes user privacy, and we will appeal.”
Apple is not the first company to be sanctioned under Article 82, previously Facebook and Google were fined for breaching the same law with €60,000,000 ($68M) and €150,000,000 ($170M) respectively.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.
