The Cnil has fined Apple 8 million euros for having imposed advertising trackers on its users in France, without their explicit consent, it said on Wednesday.
ℹ️🔴 The CNIL imposes a #sanction of 8 million euros against the company APPLE DISTRIBUTION INTERNATIONAL 👉 https://t.co/6Ub5ZLZZpf
– CNIL (@CNIL) January 4, 2023
The older version 14.6 of Apple's operating system placed identifiers "by default" on the brand's mobile devices (iPhone, iPad, etc.).
These identifiers allowed Apple to personalize the advertisements displayed on its application store.
A user who did not want this advertising tracking had to uncheck a box in the device settings.
The investigation was launched by the French online privacy watchdog after a complaint from the France Digitale association, which brings together French start-ups, in particular software developers whose products are distributed via the American group's application store.
At the time of the complaint, the general manager of France Digitale, Nicolas Brien, castigated Apple's "double standards".
Apple allowed itself a pre-ticked box for its own trackers, while it had recently required third-party applications to request explicit consent from users for their own cookies.
The position of the European Court of Justice and the courts has been “very clear” for years, explained the secretary general of the Cnil, Louis Dutheillet de Lamothe.
Meaningful consent “cannot be a pre-ticked box,” he stressed.
A limited fine
Although Apple has been sanctioned, the company may find some consolation in the details of the Cnil's decision.
The decision recognizes as a mitigating circumstance that this advertising targeting operates “by cohorts” rather than individually.
With these identifiers, Apple does not seek to target individuals but categories of individuals, an approach that is less aggressive toward privacy.
The relatively limited nature of the fine is explained by the fact that Apple quickly brought itself into compliance during the Cnil investigation, which took place in mid-2021.
In addition, these advertising identifiers only allowed Apple to target users while they were browsing the mobile application store (App Store), and therefore within a very limited scope.
Finally, the authority was only able to penalize breaches in France.
The sanction only concerns France, as it falls under the European e-Privacy Directive, which only allows national sanctions.
The European General Data Protection Regulation (GDPR), which provides for sanctions at European level, does not apply in this specific case.