You are not experiencing déjà vu.
The CNIL, France’s data protection authority, did indeed issue three separate fines – all to do with consent or the lack thereof – over the course of less than two weeks.
In early January, the CNIL fined Apple 8 million euros for failing to collect tracking consent from French iPhone users.
Just over a week later, the CNIL announced a 5 million euro fine for TiKTok over cookie consent violations.
And less than a week after that, the CNIL hit mobile game developer Voodoo with a 3 million euro fine for using Apple’s IDFV to track users without consent.
All three enforcement actions have certain similarities, but it’s worth paying attention to the details and their potential ramifications.
No thanks, mate
To make these judgments, the CNIL relied alternately on the French Data Protection Act and the ePrivacy Directive, rather than the GDPR, so as to avoid questions over jurisdiction.
Many large non-European technology companies, including Apple, Meta and TikTok, have their European headquarters in Ireland, which makes the Irish Data Protection Commission (DPC) their lead supervisory authority.
Ireland’s outsized influence over GDPR enforcement is a fact that doesn’t sit well with most privacy advocates, who view the DPC as being too soft on Big Tech.
That voodoo that you (don’t) do
The CNIL’s Voodoo case is interesting because it calls out an ATT workaround.
As part of its AppTrackingTransparency framework, Apple requires that all third parties get an explicit opt-in before accessing a user’s IDFA (identifier for advertising) for ad tracking and personalization. Apple’s policy also explicitly states that developers are prohibited from combining the IDFV (identifier for vendors) with other data to track users across sites and apps without permission from the user.
The IDFV is a persistent identifier Apple assigns to publishers that they can use for analytics purposes across the apps in their own portfolio (and only the apps in their own portfolio).
According to the CNIL, Voodoo would show users an ATT prompt, but if they said no to IDFA tracking, the developer would still use the IDFV to track people for advertising purposes without getting consent.
In other words, Voodoo made it seem like it was honoring a user’s choice by displaying an ATT prompt, but in reality Voodoo just wasn’t taking “no” for an answer.
Tikked off
It’s a meme by this point that all the big social platforms seem to spend half their time ripping off TikTok features, but here’s something they’d do best not to copy: dark patterns for collecting consent.
Between May 2020 and June of last year, the CNIL conducted a series of checks to see whether TikTok’s mechanism for collecting consent was up to snuff. (It’s important to note that the CNIL’s investigation focused on TikTok’s website, not its mobile app.)
In the CNIL’s view, although TikTok did offer a button to simply opt into cookies, there was no button or “equivalent solution” to as easily opt out of cookie tracking. It took several clicks to refuse all cookies and only one click to accept them.
The CNIL also found that TikTok didn’t inform users “in a sufficiently precise manner” about the purposes of different cookies.
Pomme mauvaise
And then there was the CNIL’s fine against Apple, which positions itself as a staunch protector of privacy – a stance that rubs most ad tech companies the wrong way.
In March 2021, the lobbying group France Digitale, which presents French startups, brought a complaint against Apple, arguing Apple tracked iOS 14.6 users within its own apps without asking for consent.
Despite the fact that Apple started collecting consent following the 2021 complaint, it did so beginning only with iOS 15 devices (albeit using its own personalized ads prompt and not the restrictive ATT prompts required for third parties). The CNIL fined Apple for enabling personalized advertising by default on older versions of its mobile OS.
Although, from one perspective, the CNIL’s ruling against Apple is a moral victory for developers, an 8 million euro fine for Apple is not even a rounding error.
As IAB France noted in a statement after the fine was announced, “for many years Apple has had an undue comparative advantage over all the other players in the mobile ecosystem that have not been given the same impunity.”
Rather than calling it a “fine,” you could also say 8 million euros, for Apple, is the rather-affordable cost of doing business at the expense of competitors.
