Mobile games: the CNIL fined VOODOO 3 million euros

17 January 2023

On 29 December 2022, the CNIL imposed a fine of 3 million euros on the company VOODOO, which publishes video games for smartphones, for using an essentially technical identifier for advertising without the user's consent.

Background information

From August 2021 to July 2022, the CNIL carried out several investigations on voodoo.io and on different mobile applications published by the company VOODOO, such as the game Helix Jump.

The investigations covered only the download and use of the applications on an iPhone (APPLE) running the iOS operating system.

When a publisher offers an application on the App Store, APPLE provides it with a technical identifier, the “IDentifier For Vendors” (or IDFV), which allows the publisher to track how users use its applications. An IDFV is assigned to every user and is identical for all the applications distributed by one publisher, and therefore, in this case, for all of VOODOO's applications.

Combined with other information from the smartphone, the IDFV makes it possible to track people's browsing habits, including the categories of games they opt for, in order to personalize the ads seen by each of them.

Breach of the French Data Protection Act

When opening a video game application, a first window designed by the company APPLE (App Tracking Transparency or ATT) is presented to the users in order to collect their consent for the tracking of their activities on applications downloaded on their smartphones.

When a user refuses the "ATT request", a second window is displayed by the company VOODOO explaining that the advertising tracking has been deactivated and specifying that non-personalized ads will still be offered.

During its investigations, however, the CNIL observed that when a user refuses advertising tracking, the company VOODOO reads the technical identifier associated with this user (IDFV) anyway and still processes the information linked to browsing habits for advertising purposes. It does so without consent and in contradiction with what it states in the information screen it displays.

The use of the IDFV for advertising purposes without the user's consent constitutes a breach of Article 82 of the French Data Protection Act.

Sanction by the CNIL

Consequently, the restricted committee – CNIL's body responsible for issuing sanctions – sanctioned the company VOODOO with a fine of 3 million euros, which has been made public.

It justified the amount in particular by the number of people concerned, the financial benefits obtained as a result of the breach and the company's turnover in 2020 and 2021.

In addition to the administrative fine, the restricted committee also issued an order with a periodic penalty payment requiring the company to obtain the user's consent to the use of the IDFV for advertising purposes within three months of the notification of the decision. Otherwise, the company will have to pay 20,000 per day of delay.