Advertising ID: APPLE DISTRIBUTION INTERNATIONAL fined 8 million euros
On 29 December 2022, the CNIL's restricted committee imposed an administrative fine of 8 million euros on the company APPLE DISTRIBUTION INTERNATIONAL because it did not collect the consent of iPhone's French users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals.
Following a complaint concerning the ad personalization in the App Store, the CNIL carried out several investigations in 2021 and 2022 in order to verify compliance with the applicable regulations.
The CNIL services found that under the old version 14.6 of the operating system of the iPhone, when a user visited the App Store, identifiers used for several purposes, including personalization of ads on the App Store, were by default automatically read on the terminal without obtaining consent.
The breach of the French Data Protection Act
Due to their advertising purpose, these identifiers are not strictly necessary for the provision of the service (the App Store). Therefore, they must not be read and/or deposited without the user's prior consent. However, in practice, the advertising targeting settings available from the "Settings" icon of the iPhone were pre-checked by default.
Moreover, the user had to perform a large number of actions in order to deactivate this setting, since this option was not included in the initialization process of the phone. Therefore, the user had to click on the "Settings" icon of the iPhone, then go to the "Privacy" menu and finally to the section entitled "Apple advertising". These elements did not allow to collect the prior consent of users.
Consequently, the restricted committee, the CNIL's body responsible for issuing sanctions, found a breach of Article 82 of the French Data Protection Act and imposed a fine of 8 million euros on APPLE DISTRIBUTION INTERNATIONAL, which was made public.
It explained this amount by the scope of the processing limited to the Apple Store, the number of people concerned in France, the profits the company made from advertising revenues indirectly generated from data collected by these identifiers and the fact that since then, the company has reached compliance.
Jurisdiction of the CNIL
The CNIL is materially competent to verify and sanction operations related to identifiers deposited and/or read by the company on the terminals of Internet users located in France. The cooperation mechanism provided for by the GDPR (the “one-stop shop” mechanism) is not intended to apply in these procedures insofar as the operations linked to the use of the identifiers fall within the scope of the " ePrivacy " directive, transposed in Article 82 of the French Data Protection Act.
The restricted committee considered that the CNIL is also territorially competent because the use of identifiers is carried out within the "framework of the activities" of the companies APPLE RETAIL FRANCE and APPLE FRANCE, which constitute the "establishments" on French territory of the APPLE group.
Note: APPLE DISTRIBUTION INTERNATIONAL, whose head office is in Ireland, presents itself as the controller of the processing regarding the ad personalization on the App Store, in the European region. The companies APPLE RETAIL FRANCE and APPLE FRANCE are the establishments in France of the Apple group.