Background
The CNIL received a complaint concerning Apple’s ad personalization practices on the App Store and carried out several investigations between 2021 and 2022.
The CNIL’s investigations concluded that Apple was collecting the identifiers of users that visited the App Store using the old iPhone operating system (version 14.6) for several purposes, including to personalize ads shown on the App Store. Apple was collecting such data by default, without obtaining users’ consent.
The CNIL’s Decisions and Sanctions
Under the French Data Protection Act, the collection of these identifiers could not be considered strictly necessary for the provision of a service (i.e., the App Store in this case) and be exempt from the prior consent requirement; therefore, the identifiers should not have been collected without users’ prior consent. In this case, the targeted advertising settings available from the “Settings” icon of the iPhone were pre-checked by default. In addition, the CNIL found that users had to take too many actions in order to deactivate this setting, making consent too difficult to provide and withdraw.
Accordingly, the CNIL held that Apple’s cookie practices infringe Article 82 of the French Data Protection Act governing the use of cookies. As a result of these alleged infringements, the CNIL imposed an €8,000,000 fine against Apple.
According to the CNIL, the amount of the fine is justified by the scope of the processing that was limited to the Apple Store, the number of affected data subjects in France, Apple’s profits from advertising revenues indirectly generated from data collected via these identifiers and the fact that Apple has, since the investigation, reached compliance.
The CNIL’s Jurisdiction
The CNIL asserted that it drew its authority to investigate Apple’s targeted advertising practices under the e-Privacy Directive, which is transposed into national law by each EU Member State (i.e., in Article 82 of the French Data Protection Act). Apple Distribution International, whose head office is in Ireland, presented itself as the controller of the processing regarding the ad personalization on the App Store in Europe. The CNIL, however, asserted that it was territorially competent because the use of identifiers was carried out within the framework of the activities of Apple’s French establishments (i.e. Apple Retail France and Apple France). Accordingly, the CNIL asserted that the cooperation and so-called “one-stop-shop” mechanisms set forth in the EU General Data Protection Regulation (“GDPR”) did not apply.
Read the decision (in French) and the press release (in English and in French).