On 29 December 2022, France’s Data Protection Authority, the CNIL (Commission Nationale Informatique & Libertés) imposed an administrative fine of EUR 8 million on Apple Distribution International (“Apple“) for not obtaining the consent of French users before positioning identifiers used for advertising purposes in iPhone operating systems.
During investigations regarding personalised advertisement settings arranged in the App Store, the CNIL discovered that once users visited the App Store, an older version of the operating system for the iPhone (i.e., iOS 14.6) enables identifiers that were used for several purposes, including ad personalisation automatically by default and without obtaining the user’s consent.
The CNIL focused on the strictly necessary criteria and underlined that the identifiers used in the App Store are not strictly necessary for receiving the App Store service. Thus, the CNIL determined that the identifiers subject to the investigation cannot be used without the user’s prior consent.
Another matter scrutinised in the CNIL’s evaluation is the manner in which users can deactivate personalised ad arrangements. The CNIL stated in its announcement on 4 January 2023 that Apple did not provide a feasible way for their users to deactivate this setting, as users had to carry out multiple actions to override it.
As a result, the French privacy watchdog finalised its investigation by determining a breach of the French Data Protection Act and sanctioned Apple by considering (i) the number of people affected in France, (ii) the profits made through advertising revenues, and (iii) Apple’s compliance with data privacy since then.