CNIL (France) - SAN-2022-026: Difference between revisions

From GDPRhub
}}
}}


The French DPA fined VOODOO €3,000,000 for not collecting the consent of data subjects for personalized advertising and for providing them misleading information about the use of their data.
The French DPA fined VOODOO, a mobile game developer, €3,000,000 for violating Article 82 of the French Data Protection Act. VOODOO did not collect users' consent for personalised advertising and provided misleading information regarding the tracking of users' behaviour.


== English Summary ==


=== Facts ===
VOODOO (the controller) is a company specialised in smartphone games. Following a decision from the French DPA’s president, a delegation of the French DPA carried out several checks on voodoo.io and on various mobile applications published by VOODOO, particularly to check the cookies and tracers deposited and/or read by the controller.
VOODOO ('provider') was a mobile game developer. The investigation service of the French DPA (the investigation service) carried out several checks on ''voodoo.io'' and on several of the provider's mobile applications on iOS, in particular to check cookies and trackers deposited on user devices.  
The verifications carried out between June 2021 and July 2022 were performed in the context of downloading and running applications on an iPhone (APPLE), with the iOS operating system.


The delegation followed the path of a data subject who downloaded an application published by the controller and then opened it for the first time on their phone. It noted that when the application was opened, the data subject was presented with an initial window designed by APPLE called "App Tracking Transparency" (hereinafter "the ATT solicitation") to obtain their consent to the tracking of their activities on the applications downloaded to their phone. Then, it found that regardless of the choice expressed by the data subject in response to the ATT Solicitation, a second window relating to the tracking of advertising by the controller was presented to them. The delegation then followed two scenarios, one in which the ATT solicitation was granted and the other in which the ATT solicitation was refused. When the ATT solicitation was accepted, it allowed the data subject's consent to be collected for the monitoring of their activities on the downloaded applications. On the contrary, when the data subject clicked on "Ask the app not to track my activities", the second window that was then presented to them by the controller did not contain any buttons or checkboxes designed to obtain their consent to other forms of personalised advertising. The data subject only had to certify that they were over the age of sixteen and accept the controller’s personal data protection policy.
The investigation service followed the path of a user who downloaded one of the provider's apps and opened the application for the first time. The user would be presented with a window, designed by APPLE, called "''App Tracking Transparency''" (hereinafter "the first window"). The purpose of this first window was to obtain consent from the user to let the provider track the user's activities on the provider's applications.  


The delegation noted that in this scenario, the IDFA, which is APPLE's advertising identifier, was not read but replaced by a string of zeros. On the other hand, it noted that the IDFV was read and transmitted to domains for advertising purposes, along with other information specific to the device (system language, device model, screen brightness, battery level, available memory space, etc.) and its use (application used and time spent), without the consent of the data subject to this operation.
The user had two options in the first window, either to accept tracking by the provider or to decline it. Whatever option the data subject would choose, a second window, designed by the provider, would show up after the first window. In this second window, the user only had to certify that they were over the age of sixteen. Also, the user had to accept the provider’s personal data protection policy.  


What is an IDFV? When a publisher offers an application on the App Store, APPLE provides an "IDentifier For Vendors" (or IDFV) allowing the publisher to track the use of its applications by users. An IDFV is assigned to each user and is identical for all applications distributed by the same publisher (in this case, all the applications of the controller).  
When the user clicked on "''Ask the app not to track my activities''" in the first window, the second window would contain a text indicating that the user's iPhone settings prevented “''tracking for the purpose of personalising ads and advertisements based on your device's advertising ID''". The controller also stated in this second window that "''Data protection is a key issue for Voodoo and we respect your choice''." The DPA noted that in this scenario, the IDFA, APPLE's own advertising identifier, was not read but replaced by a string of zeros. Therefore, the provider would not be able to read this identifier. However, the DPA found that in this scenario, another cookie called 'the IDFV' was read by the provider for advertising purposes. The IDFV ("Identifier For Vendors") was a cookie provided by Apple to the publisher of an app in the Apple App store. This cookie allowed the publisher to track the use of its application(s) on a user device. A separate IDFV was assigned to each user but was identical for all applications distributed by the same publisher.  


By combining it with other information on the smartphone, the IDFV made it possible to track data subjects’ browsing habits, particularly the game categories they preferred, in order to personalize the ads seen by each of them.
The provider also collected other information specific to the user's device (such as system language, device model, etc.). The provider stated in the second window that it collected this information and used the IDFV to provide non-personalised advertisements based on browsing habits.
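As an added illustration (not part of the GDPRhub summary or of the CNIL decision), the check below reproduces over a constructed capture what the investigation service observed: after ATT is refused the IDFA arrives as a string of zeros, yet a vendor identifier (IDFV) plus device details are still sent to advertising domains, and the same IDFV links the user across several apps of one publisher. All hostnames, app names and identifier values are constructed for the example.

```python
"""Audit helper for the pattern described in CNIL decision SAN-2022-026.

Given the user's ATT choice and a capture of outbound requests, it flags
ad-domain requests that still carry a usable device identifier (IDFA or IDFV)
after the user refused tracking, and shows which apps share one IDFV.
"""
import re
from dataclasses import dataclass

# Value iOS reports for the IDFA when the user refuses the ATT prompt
# (quoted in paragraph 30 of the decision).
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Hypothetical ad-tech hostnames, constructed for this example.
AD_DOMAINS = {"ads.example-adtech.test", "sdk.example-mediation.test"}

# Device attributes the decision lists as transmitted alongside the IDFV.
DEVICE_FIELDS = {"system_language", "device_model", "screen_brightness",
                 "battery_level", "free_memory"}


@dataclass
class Request:
    """One captured outbound request: sending app, destination host, parameters."""
    app: str
    host: str
    params: dict


def is_real_identifier(value) -> bool:
    """True for a well-formed identifier that is not the zeroed-out IDFA."""
    return isinstance(value, str) and value != ZERO_IDFA and bool(UUID_RE.match(value))


def audit(att_refused: bool, requests) -> list:
    """Return one finding per ad-domain request that carries a usable
    IDFA or IDFV while the user has refused ATT tracking."""
    findings = []
    for r in requests:
        if r.host not in AD_DOMAINS:
            continue  # first-party or non-advertising traffic is out of scope here
        ids = [k for k in ("idfa", "idfv") if is_real_identifier(r.params.get(k))]
        if att_refused and ids:
            findings.append({
                "app": r.app,
                "host": r.host,
                "identifiers": ids,
                "device_fields": sorted(k for k in r.params if k in DEVICE_FIELDS),
            })
    return findings


def cross_app_linkage(requests) -> dict:
    """Map each real IDFV seen in ad traffic to the apps that sent it,
    keeping only identifiers that link more than one app (the per-publisher
    linkage the decision describes)."""
    seen = {}
    for r in requests:
        v = r.params.get("idfv")
        if r.host in AD_DOMAINS and is_real_identifier(v):
            seen.setdefault(v, set()).add(r.app)
    return {k: apps for k, apps in seen.items() if len(apps) > 1}


# Constructed sample capture: one user opens two apps of the same publisher
# after clicking "Ask the app not to track my activities".
SAMPLE_IDFV = "1b2c3d4e-5f60-4718-9a2b-3c4d5e6f7081"
SAMPLE_REFUSED = [
    Request("GameA", "ads.example-adtech.test",
            {"idfa": ZERO_IDFA, "idfv": SAMPLE_IDFV, "system_language": "fr",
             "device_model": "iPhone13,2", "battery_level": 71}),
    Request("GameA", "api.example-game.test", {"session": "abc"}),
    Request("GameB", "sdk.example-mediation.test",
            {"idfa": ZERO_IDFA, "idfv": SAMPLE_IDFV, "screen_brightness": 0.4,
             "free_memory": 2048}),
]

if __name__ == "__main__":
    for f in audit(att_refused=True, requests=SAMPLE_REFUSED):
        print(f"{f['app']} -> {f['host']}: ids={f['identifiers']} "
              f"device={f['device_fields']}")
    print("cross-app linkage:", cross_app_linkage(SAMPLE_REFUSED))
```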


=== Holding ===
According to Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive, any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he or she has been informed in advance, by the controller or their representative of the purpose of any action intended to gain access, by electronic transmission, to information already stored in their electronic communications terminal equipment, or to write information into such equipment; and of the means available to them for objecting to it. Moreover, the consent provided for in the aforementioned Article 82 must be understood within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]], i.e., it must be given in a free, specific, informed and unambiguous manner and be manifested by a clear affirmative act. Where the data subject declined the ATT solicitation, the second window presented to the data subject contained a text indicating that the data subject’s phone settings prevented “tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". The French DPA therefore considered that the data subjects would never expect their data to be used for personalised advertising purposes. The French DPA held that the terms used in this window did not correspond to the reality of the processing carried out by the controller. The DPA held that the fact of collecting information on data subjects’ browsing habits to offer them advertisements necessarily prevents these advertisements from being qualified as non-personalised, even though the data associated with the identifier only allowed for limited personalisation (limited to the context of the application used). It thus considered that the information was likely to mislead data subjects as to the consequences of refusing the ATT solicitation.
According to Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive, any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless they have already been informed in advance of the purpose of any operation by the provider to access information already stored on their device or to write information to it, and of the means available to them to object to these reading/writing operations. Moreover, the consent provided for in the aforementioned Article 82 must be understood within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]].  


Moreover, the controller did not contest that a reading of the data subject’s IDFV was carried out when the data subject refused the ATT solicitation. The controller also confirmed that the reading of data subjects' IDFV was used for advertising purposes. The controller's use of the IDFV did not fall under the exceptions defined in Article 82 of the French Data Protection Act and could not, therefore, be carried out on the data subject's terminal without their prior consent. The French DPA held that by using the IDFV for advertising purposes without the data subject's consent, the controller breached its obligations under Article 82 of the French Data Protection Act.
The provider did not dispute that it read the IDFV identifier on user devices when a user denied tracking in the first window. The provider also confirmed that the reading of data subjects' IDFV was conducted for advertising purposes. The DPA held that the provider's use of the IDFV did not fall under one of the exceptions defined in Article 82 of the French Data Protection Act. Therefore, the provider would have to obtain the user's prior consent.  


The French DPA imposed a €3 million fine on VOODOO. It justified this amount by the number of people concerned, by the financial benefits obtained as a result of the breach and by the turnover achieved by the controller in 2020 and 2021. In addition to the administrative fine, the French DPA also ordered the controller to obtain the data subject's consent to the use of the IDFV for advertising purposes within three months of the notification of the decision. If it ever failed to do so, the controller would be liable to pay a penalty of €20,000 per day of delay.
The DPA stated that the provider reduced the effectiveness of the choice expressed by the user to decline tracking in the first window: the user had declined tracking by the provider in that window, but was still tracked by the provider, which simply used a different identifier to do so. The DPA also determined that when the user declined tracking in the first window, the second window presented to the user contained a text indicating that the user's iPhone settings prevented “''tracking for the purpose of personalising ads and advertisements based on your device's advertising ID''". Based on this information, the DPA considered that users would never expect their data to be used for personalised advertising purposes, since they had just rejected tracking in the first window. The French DPA further specified that the information provided by the controller in this second window did not correspond with the reality of the situation. It held that collecting information on data subjects’ browsing habits in order to offer them advertisements necessarily entailed that these advertisements could not be qualified as 'non-personalised', even though the data associated with the identifier only allowed for limited personalisation (limited to the context of the application used). 
 
The DPA thus considered that the information provided by the provider was likely to mislead data subjects regarding the consequences of refusing tracking in the first window. 
 
The French DPA held that by using the IDFV for advertising purposes without the user's consent, the provider breached its obligations under Article 82 of the French Data Protection Act.
 
The French DPA imposed a €3,000,000 fine on the provider. It justified this amount by the number of people concerned, by the financial benefits obtained as a result of the breach and by the turnover achieved by the provider in 2020 and 2021. In addition to the administrative fine, the French DPA also ordered the provider to obtain users' consent for the use of the IDFV for advertising purposes going forward, within three months of the notification of the decision.  


== Comment ==
''Share your comments here!''
This is another decision by the CNIL in which it fined a provider for the use of cookies. Since December 2022, the CNIL has fined multiple companies for similar cookie violations. Below, you will find GDPRHub summaries for each of these decisions:
 
* Apple: [[CNIL (France) - Délibération SAN-2022-025]]
* Tiktok: [[CNIL (France) - Délibération SAN-2022-027 du 29 décembre 2022]]
* Microsoft: [[CNIL (France) - Deliberation SAN-2022-024 of December 20, 2022]]
It is also important to note that the ATT window (referred to in the summary as 'the first window') is part of a technical mechanism on iOS devices, introduced by Apple in 2021 (iOS version 14.5), which requires every third-party developer (any party other than Apple itself) to obtain consent from users before tracking them on their iOS devices.


== Further Resources ==


<pre>
Deliberation SAN-2022-026 of 29 December 2022
National Commission for Information Technology and Civil Liberties
    Nature of the deliberation: Sanction
    Legal status: In force
    Date of publication on Légifrance: Tuesday 17 January 2023
Deliberation of the restricted formation no SAN-2022-026 of 29 December 2022 concerning the company VOODOO
The Commission nationale de l'informatique et des libertés, meeting in its restricted formation composed of Mr Alexandre LINDEN, chairman, Mr Philippe-Pierre CABOURDIN, vice-chairman, Ms Anne DEBET, Ms Christine MAUGÜÉ and Mr Alain DRU, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the free movement of such data;
Having regard to Law No. 78-17 of 6 January 1978 on information technology, files and freedoms, in particular Articles 20 et seq;
Having regard to Decree No. 2019-536 of 29 May 2019 taken for the application of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms;
Having regard to Deliberation No. 2013-175 of 4 July 2013 adopting the internal rules of procedure of the Commission nationale de l'informatique et des libertés;
Having regard to Decision No. 2021-194C of the President of the CNIL of 29 June 2021 to instruct the Secretary General to carry out or have carried out a verification mission of the processing operations implemented by the company VOODOO or on its behalf;
Having regard to the decision of the President of the Commission nationale de l'informatique et des libertés appointing a rapporteur before the restricted formation of 20 June 2022;
Having regard to the report by Mr Claude Castelluccia, the reporting commissioner, notified to the company VOODOO on 22 July 2022;
Having regard to the written observations submitted by VOODOO on 26 September 2022;
Having regard to the rapporteur's response to these observations, notified to the company's counsel on 21 October 2022;
Having regard to the written observations of VOODOO received on 21 November 2022;
Having regard to the other documents in the file;
The following were present at the meeting of the restricted formation on 8 December 2022:
- Mr Claude Castelluccia, Commissioner, heard in his report;
As representatives of the company VOODOO:
- [...]
The company VOODOO having spoken last;
The restricted formation adopted the following decision:
I. Facts and procedure
1. Created in 2013, VOODOO (hereinafter "the company"), which specialises in the publishing of mobile phone games, is a simplified joint stock company with its registered office at 17 rue Henry Monnier in Paris (75009). In September 2021, the VOODOO group, which comprises some twenty companies, employed [...] people in France, including [...] within VOODOO. The company has several subsidiaries in several EU Member States whose sole activity is the development of mobile games which are then published and operated by VOODOO.
2. In 2020, VOODOO had a turnover of more than EUR [...] and a profit of almost EUR [...]. In 2021, its turnover amounted to approximately EUR [...] with a net profit of over EUR [...].
3. Pursuant to Decision No. 2021-194C of the President of the CNIL of 29 June 2021, a delegation from the Commission carried out an online inspection on 19 August 2021 on both "www.voodoo.io" from a computer and the "Helix Jump" application from an APPLE telephone. The purpose of the audit was to verify the cookies and tracking devices placed and/or read by VOODOO. On this occasion, the delegation followed the path of a user who downloaded an application published by VOODOO and then opened it for the first time on his phone. It noted that when the application was opened, the user was presented with an initial window designed by APPLE and called "App Tracking Transparency" (hereinafter "the ATT solicitation") in order to obtain his or her consent to the tracking of his or her activities on the applications downloaded to his or her phone. It then noted that, regardless of the choice expressed by the user in response to the "ATT request", a second window relating to the tracking of advertising by VOODOO was presented to the user. The delegation then followed two scenarios, one in which the "ATT solicitation" is granted and the other in which the "ATT solicitation" is refused. Report No. 2021-194/1, drawn up by the delegation at the end of the inspection, was notified to VOODOO the same day.
4. On 2 September 2021, a documentary inspection was also carried out by sending a questionnaire to which the company replied on 21 September 2021.
5. A request for further information was sent to the company on 17 January 2022, which replied on 31 January 2022.
6. For the purpose of examining these elements, the Commission Chair appointed Mr Claude Castelluccia as rapporteur on 20 June 2022, on the basis of Article 39 of Decree no. 2019-536 of 29 May 2019 as amended.
7. On 18 July 2022, at the request of the rapporteur and following a decision by the President of the CNIL, new online checks were carried out both on the site "www.voodoo.io" from a computer and on eleven applications from an APPLE phone, namely "Paper.io 2"; "Aquapark.io"; "Crowd City"; "Hole.io"; "Snake VS Block"; "Shortcut Run"; "Woodturning 3D"; "Spiral Roll"; "Scribble Rider";" Cube Surfer" and "Helix Jump", which are listed on the above-mentioned website as the most downloaded.
8. On 22 July 2022, the rapporteur sent the company a report detailing the breach of Article 82 of Law No. 78-17 of 6 January 1978, as amended, relating to information technology, files and freedoms (hereinafter the "Information Technology and Freedoms Law"), which he considered to have occurred in this case. This report proposed that the restricted panel impose an administrative fine on the company, as well as an injunction, accompanied by a fine, to stop using the "identifier for vendors" (hereinafter "IDFV") on terminals for advertising purposes without the user's consent. It also proposed that the penalty decision be made public, but that it should no longer be possible to identify the company by name after two years from its publication.
9. On 26 September 2022, the company submitted its observations in response to the penalty report.
10. The rapporteur replied to the company's observations on 21 October 2022.
11. On 21 November 2022, the company submitted further observations in response to the rapporteur's comments.
12. By letter dated 22 November 2022, the rapporteur informed the company's counsel that the investigation was closed, pursuant to Article 40, III, of amended Decree no. 2019-536 of 29 May 2019.
13. By letter of the same date, the company's counsel was informed that the case had been placed on the agenda of the restricted formation of 8 December 2022.
14. The rapporteur and the company presented oral observations at the meeting of the restricted formation.
II. Reasons for the decision
A. On the personal data processing at issue and the liability of VOODOO
15. With regard to the processing operations at issue, the restricted panel notes that the procedure concerns the reading and writing operations carried out on users' terminal equipment and which fall within the scope of the "ePrivacy" Directive, in particular, the reading of the "Identifier For Advertisers" (hereinafter "IDFA") and the IDFV, of users' terminals using the iOS operating system.
16. The IDFA is a unique identifier assigned to each device by APPLE's iOS operating system. It is a series of hexadecimal characters created to allow advertisers to uniquely identify the device across all installed mobile applications that use this identifier.
17. The IDFV is an identifier that is made available to publishers by APPLE, allowing them to track users' usage of their applications. Unlike the IDFA, the IDFV only has the same value for applications identified as coming from the same publisher. The IDFV is thus distinct for each application publisher, but identical for all applications distributed by the same publisher.
18. With regard to the responsibility for these processing operations, the restricted panel notes, first of all, that Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data (hereinafter "GDPR") is applicable to the present proceedings because of the use of the concept of "controller" in Article 82 of the Data Protection Act, which is justified by the reference made by Article 2 of the ePrivacy Directive to Directive 95/46/EC on the protection of personal data, which the GDPR has replaced.
19. According to Article 4(7) of the GDPR, the controller is "the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing".
20. The restricted panel then noted that the information in the file showed that VOODOO indicated that it determined the purposes and means of processing the personal data of users of the applications. The information in the file corroborates this statement.
21. VOODOO must therefore be considered to be responsible for processing consisting of accessing or recording information in the terminals of users residing in France when using the applications it publishes.
B. On the procedure
22. The company considers that the procedure followed by the CNIL does not respect the principle of the right to a fair trial insofar as the rapporteur did not conduct his investigation in a manner that was both incriminating and exculpatory. The company considers that the rapporteur did not take into account the figures it provided on 3 August 2022 regarding the number of users of the VOODOO applications targeted by the inspection, which are much more representative of the number of people concerned than the number of downloads on which the rapporteur based his initial report. In view of these elements, the company asks the restricted formation to remove the inspection report of 18 July 2022 from the proceedings.
23. Firstly, the restricted formation notes that, if the sanction procedure is indeed subject to certain requirements of the right to a fair trial, the company does not provide any element tending to show that the procedure in question did not respect the rights of the defence.
24. Secondly, with regard to the figures relating to the number of downloads or unique active users in France on iOS, the restricted formation notes that, as he explained at the meeting, the rapporteur referred to the number of downloads of the VOODOO applications in order to highlight the number of people potentially concerned by the infringement that he considers to have occurred. It also notes that the adversarial phase between the rapporteur and VOODOO enabled figures relating to the number of people concerned to be submitted to the debates and that, at the meeting, the rapporteur took this volume into account in order to adjust the amount of the proposed fine.
25. In view of these elements, the restricted formation considers that the procedure is not vitiated by any irregularity.
C. On the breach of Article 82 of the Data Protection Act
26. Under Article 82 of the Data Protection Act, transposing Article 5(3) of the ePrivacy Directive, "any subscriber or user of an electronic communications service must be informed in a clear and comprehensive manner, unless he or she has been informed in advance by the controller or its representative:
1° The purpose of any action to access, by electronic transmission, information already stored in his or her electronic communications terminal equipment, or to write information into that equipment;
2° Of the means available to him/her to oppose it.
Such access or recording may only take place on condition that the subscriber or user has expressed, after having received this information, his consent, which may result from the appropriate parameters of his connection device or any other device under his control.
These provisions shall not apply if access to information stored in the user's terminal equipment or the writing of information in the user's terminal equipment:
1° Either, has the sole purpose of enabling or facilitating communication by electronic means;
2° Or is strictly necessary for the provision of an online communication service at the express request of the user.
27. Since the entry into force of the GDPR, the "consent" provided for in the above-mentioned Article 82 must be understood within the meaning of Article 4(11) of the GDPR, i.e. it must be given in a free, specific, informed and unambiguous manner and manifested in a clear positive act.
28. The CNIL specified in its Deliberation No. 2020-091 of 17 September 2020 adopting guidelines on the application of Article 82 of the amended Act of 6 January 1978 to read and write operations on a user's terminal (in particular "cookies and other tracers") and repealing Deliberation No. 2019-093 of 4 July 2019: "These guidelines concern all terminal equipment covered by this definition, regardless of the operating systems or application software (such as web browsers) used. They cover, in particular, the use of HTTP cookies, through which these read or write actions are most often performed, but also other technologies such as [...] identifiers generated by operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc.), hardware identifiers (MAC address, serial number or any other device identifier), etc. "(§§ 12 and 13).
29. The rapporteur observes that during the inspection carried out on 19 August 2021 on an APPLE device running the iOS operating system, when a user opens an application published by VOODOO for the first time, the "ATT solicitation" is presented to the user in order to obtain his or her consent to the tracking of his or her activities on the applications downloaded to his or her phone. The user then has the option of clicking on "Ask the app not to track my activities" or "Authorise". Whichever choice the user makes in response to the "ATT request", a second window, specific to VOODOO, is presented to them. When the user clicks on "Ask the app not to track my activities", the window that is then presented to him/her by VOODOO does not contain any buttons or checkboxes designed to obtain his/her consent to other forms of personalised advertising. The user must only certify that they are over the age of sixteen and accept the company's personal data protection policy.
30. The rapporteur notes that in this scenario the IDFA, which is APPLE's advertising identifier, is not read but replaced by a string of zeros ("00000000-0000-0000-0000-000000000000"). On the other hand, he notes that the IDFV is read and transmitted to domains for advertising purposes, along with other information specific to the device (system language, device model, screen brightness, battery level, available memory space, etc.) and its use (application used and time spent), without the user having given his or her consent to this operation. He observed that VOODOO did not dispute the advertising purpose of this reading operation and concluded that by using the IDFV for this purpose without the user's prior consent, VOODOO was in breach of the obligations of Article 82 of the French Data Protection Act. The rapporteur also notes that the breach committed by VOODOO is particularly serious in that the information it presents to the user is misleading. Indeed, when the user has refused the "ATT solicitation", the second window presented to the user contains a text indicating that the settings of his or her telephone "prevent tracking for the purpose of personalising ads and advertisements according to the advertising ID of your device". The rapporteur therefore considers that the user has a legitimate expectation that no tracking of any kind will be carried out for advertising purposes.
31. In its defence, the company contested the rapporteur's assertion that the 'ATT solicitation' was no longer presented to users who had downloaded several VOODOO applications once they had refused to be tracked for advertising purposes when they opened the first application. It specifies that the "ATT solicitation" is presented to the user each time a new VOODOO application is downloaded, unless the user has deactivated the "Authorise app tracking requests" option available in the "Privacy" / "Tracking" settings of his or her iPhone, and not only once for all VOODOO applications. It considers that its system for obtaining consent to the use of identifiers for advertising purposes and the information provided to users are partially compliant with the provisions of Article 82 of the French Data Protection Act. The company states that, as regards the information provided to users, this is admittedly clumsy, but cannot be qualified as misleading and does not have the seriousness emphasised by the rapporteur. Indeed, if, in the window it displays, the company mentions that it collects data for "non-targeted advertising purposes" "based on [users'] browsing habits", this information must be interpreted in relation to the tracking of "browsing habits" made possible by the IDFA, which allows tracking across all the applications downloaded by a user on his or her terminal running the iOS operating system. The company argues that, in contrast, when collected, IDFV only allows tracking across apps offered by a single publisher. The company states that it is in this sense that VOODOO claimed that it does not "track" users if they refuse the ATT.
32. Firstly, the restricted panel recalls that Article 82 of the Data Protection Act requires consent to read and write information in a user's terminal, but provides for specific cases in which certain tracers benefit from an exemption from consent: either when the sole purpose is to enable or facilitate communication by electronic means, or when it is strictly necessary for the provision of an online communication service at the express request of the user.
33. In the present case, the restricted panel notes that the company does not contest that a reading operation of the VDI specific to the user's terminal is carried out when the user refuses the "ATT solicitation" - which solicitation allows, when accepted, to collect the user's consent to the monitoring of his or her activities on the downloaded applications. The company also confirms that the reading of users' PII is for advertising purposes.
34. The restricted panel notes that the purpose of this operation is not to enable or facilitate communication by electronic means and that it is not strictly necessary for the provision of an online communication service at the express request of the user. Consequently, such an operation of reading the IDFV does not fall under any of the exceptions defined in Article 82 of the French Data Protection Act and cannot be carried out on the person's terminal without prior consent.
35. The restricted panel considers that, even though the IDFV does not allow tracking as extensive as that made possible by the IDFA, the fact remains that, as is apparent from the documents in the file and the company's written submissions, and in particular the window it presents to the user, this identifier makes it possible to track the user's activity within the applications published by VOODOO for advertising purposes, without the prior consent of the data subjects. The restricted panel further notes that by refusing the "ATT solicitation", the user has already expressed his or her wish that his or her activity not be tracked by any actor whatsoever. Thus, the fact that the company still carries out reading and/or writing operations for advertising purposes deprives the choice expressed by the user of its effectiveness.
36. Secondly, the restricted panel notes that in case of refusal of the "ATT solicitation", the following information is presented to the user: "You have deactivated the tracking of advertising on your terminal" (in red) and "Data protection is a key issue for Voodoo and we respect your choice. Please note that your device settings prevent tracking for the purpose of personalising ads and advertisements based on your device's ad ID. Other technical data that does not involve tracking (such as information related to the type of device, type of connection or its IP address for example) may still be collected as described in our Privacy Policy, in particular to allow you to enjoy our games but also so that we can continue to improve and solve potential problems with our games (analysis and correction purpose) and to offer you non-personalised advertisements based on your browsing habits (non-targeted advertising purpose)." The restricted panel considers that a user who reads this information can legitimately expect that no tracking of his or her activity will be carried out for the purpose of personalising ads. In addition, the restricted panel observes that the terms used in this window do not correspond to the reality of the processing carried out by the company. Indeed, the company states that it collects "technical data not involving tracking" in order to offer "non-personalised advertisements based on your browsing habits". However, the restricted panel considers that collecting information on users' "browsing habits" in order to offer them advertisements necessarily prevents these advertisements from being qualified as "non-personalised", even though the data associated with the identifier only allows for limited personalisation, confined to the context of the application used. It thus considers that the information is likely to mislead users as to the consequences of refusing the "ATT solicitation".
37. In light of the above, the restricted panel considers that by using the IDFV for advertising purposes without the user's consent, VOODOO is in breach of the obligations of Article 82 of the French Data Protection Act.
III. On corrective measures and their publicity
38. Under the terms of Article 20, III, of the amended Act of 6 January 1978, "When the controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Act, the president of the Commission nationale de l'informatique et des libertés may also, where applicable, after having sent him the warning provided for in I of this article or, where applicable, in addition to a formal notice provided for in II, refer the matter to the restricted formation of the Commission with a view to pronouncing, after an adversarial procedure, one or more of the following measures: [...]
2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Act or to comply with the requests made by the data subject with a view to exercising his or her rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment the amount of which may not exceed €100,000 for each day of delay from the date set by the restricted panel; [...]
7° With the exception of cases where the processing is implemented by the State, an administrative fine that may not exceed €10 million or, in the case of a company, 2% of the total annual worldwide turnover for the previous financial year, whichever is higher. [...] In determining the amount of the fine, the restricted formation shall take into account the criteria specified in the same Article 83.
39. Article 83 of the RGPD provides that "each supervisory authority shall ensure that administrative fines imposed pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding the amount of that fine.
A. On the imposition of an administrative fine and its amount
40. In its defence, the company argues that the rapporteur's proposal for a fine is insufficiently reasoned. It then points out that the legal framework applicable to tracers evolved constantly, in part unpredictably and heterogeneously, at French and European levels from 2019 to 2021.
41. It also highlights the constraints to which its economic activity is subject, and in particular its situation of dependence and vulnerability with regard to the monopoly platforms that control the application shops. It points out that the obligation to use the "ATT solicitation" has forced application publishers to develop their own consent-gathering mechanism, which must be applied in addition to the ATT window. According to the company, APPLE has thus forced publishers "to adopt unsatisfactory consent procedures that are complex for the user". It points out that its revenues depend almost exclusively on the display of advertisements.
42. It considers that any failure it may have committed would be of limited scope insofar as the data collected are not directly identifying, are not intrusive, or do not even constitute personal data. It points out that the duration of the collection is very short, on average 17.4 minutes per month per user, that the processing in question was implemented recently since the ATT dates from April 2021, and that the breach would only concern users of the iOS operating system who had not consented to the "ATT solicitation", i.e. a number of data subjects that is much lower than the number of downloads put forward by the rapporteur.
43. Finally, the company considers that imposing a penalty on it would not be consistent with the action plan unveiled on 24 November by the CNIL, the aim of which is to support players in the mobile application ecosystem.
44. The restricted formation recalls that Article 20, paragraph III, of the Data Protection Act gives it the power to impose various sanctions, in particular administrative fines, the maximum amount of which may be equivalent to 2% of the total annual worldwide turnover of the previous financial year achieved by the data controller or to 10 million euros. It adds that the determination of the amount of these fines is assessed in the light of the criteria specified in Article 83 of the GDPR.
45. The restricted formation then notes that all the written submissions brought to its attention, both by the rapporteur and by the company, contain all the information needed to assess the amount of the proposed fine.
46. Firstly, with regard to the constraints generated by the introduction of "ATT solicitation", the restricted panel considers that this circumstance cannot exonerate the company from its own liability: in the absence of the user's express consent, the restricted panel considers that the company cannot carry out reading operations on the user's terminal for advertising purposes.
47. Secondly, the restricted formation emphasises that, in this case, it is appropriate to apply the criterion provided for in Article 83(2)(a) of the GDPR relating to the seriousness of the breach, taking into account the scope of the processing and the number of data subjects concerned by it.
48. The restricted formation notes, first of all, that by not obtaining the consent of users to the reading of the IDFV, the company deprives them of the possibility of exercising their choice in accordance with the provisions of Article 82 mentioned above. In addition, it observes that the breach is aggravated by the fact that the information presented to a user who refused the "ATT solicitation" legitimately led him or her to believe that he or she would not be subject to any form of tracking.
49. With regard to the number of persons concerned, the restricted formation notes that it emerges from the figures provided by the company in its final submissions that the eleven applications that were the subject of the monitoring have a total of 5.8 million users in France on iOS between April 2021 and July 2022. The restricted panel notes that while these are not necessarily 5.8 million unique users and that, according to the company, 43% of them accept the monitoring of their activities, this large volume of people nevertheless reflects the central position occupied by the company in the phone games sector, which claims on its website 150 million active users per month worldwide, making it one of the leading companies in the sector.
50. Finally, as regards the scope of the infringement, the restricted formation considers that the fact that each user plays on average only 17 minutes per month does not mean that the quantity of data collected is insignificant. It notes that during the inspections carried out by the CNIL delegation, the delegation only opened the VOODOO applications for a few minutes, but nevertheless observed, firstly, that numerous requests containing the IDFV of the terminal used were sent to several advertising domains and, secondly, that these requests contained information relating to the technical characteristics of the terminal (in particular system language, device model, screen brightness, battery level and available memory space) and to its use (application used and time spent). Thus, the use of a VOODOO game, even for a limited period of time, results in the collection of data that is used for advertising purposes and that is significant for the user.
51. The restricted panel also recalls that the IDFV, insofar as it is combined with other information characteristic of the user's terminal, makes it possible, as the company indicates in the window it presents, to monitor people's "browsing habits" and in particular the game categories they prefer, precisely in order to personalise the ads seen by each of them. Under these circumstances, the IDFV is indeed personal data.
52. Thirdly, the restricted panel considers that the criterion provided for in Article 83(2)(k) of the GDPR, relating to any other factor applicable to the circumstances of the case and to the financial benefits obtained as a result of the breach, should also be applied.
53. The restricted formation notes that the company's business model is based almost exclusively on advertising, since more than [...] of its income comes from this source. However, even though the monitoring of the user's activity carried out by means of the IDFV is not on the same scale as the monitoring made possible by the IDFA, the fact remains that the use of the IDFV for advertising purposes without the user's consent undeniably enabled VOODOO to derive a financial benefit from the breach committed.
54. Fourthly, the restricted panel recalls that, as early as 2013, the CNIL provided support to the players concerned with regard to cookies and trackers, by publishing a recommendation reminding them of the principles that should be respected in order to allow the use of cookies and trackers while complying with the Data Protection Act. In its deliberation No. 2013-378 of 5 December 2013, the CNIL referred to "the identifier generated by a software or an operating system" as being within the scope of its recommendation. Furthermore, as indicated above, in its guidelines of 17 September 2020, the Commission specified that "these guidelines [...] cover, in particular, [...] identifiers generated by operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc.) [...]". Thus, the regime applicable to the IDFV and the CNIL's consistent position with regard to the practices that are the subject of this procedure have been known for a long time. Furthermore, with regard to the allegedly unstable nature of the legal framework on tracers, the CNIL points out that the wording of Article 82 of the Data Protection Act has not been amended since 2011, apart from replacing the word "agreement" with "consent" and changing the numbering of the article following the rewriting of the Act by Order No. 2018-1125 of 12 December 2018. While the entry into force of the RGPD, by broadening the meaning given to the notion of consent, has effectively changed the scope of some of the provisions of Article 82 of the Data Protection Act, the scope of the sanction procedure at issue is strictly limited to practices whose regime was not affected by this development, i.e. the use of a tracker without prior consent. The legal framework was therefore perfectly established at the time of the checks.
55. Moreover, the restricted panel notes that the President of the CNIL did not intend, through the CNIL's action plan relating to mobile applications, to halt all proceedings relating to the use of tracking devices without users' consent.
56. Lastly, the restricted panel recalls that, pursuant to the provisions of Article 20, paragraph III, of the Data Protection Act, VOODOO is liable to a financial penalty of a maximum of 2% of its turnover, which amounted to more than [...] euros in 2020 and approximately [...] euros in 2021, or 10 million euros, whichever is higher. The maximum fine in this case is therefore EUR 10 million.
57. Consequently, in light of the relevant criteria of Article 83(2) of the GDPR referred to above, the restricted panel considers that a fine of EUR 3 million against VOODOO appears justified.
B. On the issuance of an injunction
58. The rapporteur proposes that the restricted panel issue a compliance injunction, which could consist of ceasing to use the IDFV for advertising purposes in the absence of the user's consent.
59. In its defence, the company presented the rapporteur with two options that it is considering in order to comply: collecting consent through a window presented before the "ATT solicitation", or introducing a "pay wall" before the "ATT solicitation". It considers that the injunction requested by the rapporteur has become irrelevant in view of the measures envisaged, and regrets that the rapporteur did not express a view on the compliance of these proposals.
60. Firstly, the restricted panel notes that, although the company describes the measures it plans to deploy, none of the measures mentioned has been implemented at this stage. Thus, the restricted panel considers that the company has not demonstrated, as of the closing date of the investigation, its compliance with the provisions of Article 82 above, and that an injunction should therefore be issued on this point.
61. Secondly, the restricted panel recalls that the amount of the penalty payment must be both proportionate to the seriousness of the breaches committed and adapted to the financial capacities of the controller.
62. In the light of these elements, the restricted formation considers that the pronouncement of an injunction accompanied by a penalty payment of EUR 20 000 per day of delay as from the notification of the present decision is justified.
63. With regard to the period granted to the company to comply with the injunction, the restricted formation considers, in the light of the company's explanations, that a period of three months from the notification of this decision is sufficient to regularise the situation.
C. On the publicity of the decision
64. The company asked the restricted panel not to make its sanction public. It argued that the seriousness of the facts had not been established, that the duration and scope of the processing operation did not pose a risk to the rights and freedoms of individuals, and that no complaint related to this processing operation had been filed with the CNIL. It also mentioned that it operates in a particularly tense international competitive context, with competitors who are mainly American or Israeli, not subject to the RGPD or to the Data Protection Act, and who would exploit a possible sanction to their advantage.
65. The restricted formation considers that the publicity of the present decision is justified in view of the seriousness of the infringement in question, the scope of the processing and the number of data subjects.
FOR THESE REASONS
The CNIL's restricted panel, after deliberation, decides:
- to impose an administrative fine of €3,000,000 (three million euros) on the company VOODOO for failure to comply with Article 82 of the Data Protection Act;
- to order VOODOO to obtain the user's consent to the use of the IDFV for advertising purposes;
- to attach to the injunction a penalty payment of €20,000 (twenty thousand euros) per day of delay at the end of a three-month period following notification of this decision, with proof of compliance to be sent to the restricted panel within this period;
- to make its decision public on the CNIL website and on the Légifrance website, where it will no longer identify the company by name after a period of two years from its publication.
The Chairman
Alexandre LINDEN


This decision may be appealed to the Council of State within two months of its notification.
</pre>
</pre>

Latest revision as of 10:03, 1 February 2023

CNIL - SAN-2022-026
Authority: CNIL (France)
Jurisdiction: France
Relevant Law:
Article 5(3) Directive 2002/58/EC
Article 82 Loi Informatique et Libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided: 29.12.2022
Published: 17.01.2023
Fine: 3,000,000 EUR
Parties: VOODOO (the controller)
National Case Number/Name: SAN-2022-026
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: n/a

The French DPA fined VOODOO, a mobile game developer, €3,000,000 for violating Article 82 of the French data protection act. VOODOO did not collect the consent of users for personalised advertising and provided misleading information regarding tracking behaviour of users.

English Summary

Facts

VOODOO (the 'provider') is a mobile game developer. The investigation service of the French DPA carried out several checks on voodoo.io and on several of the provider's mobile applications on iOS, in particular to check the cookies and trackers deposited on, or read from, user devices.

The investigation service followed the path of a user who downloaded one of the provider's apps and opened the application for the first time. The user would be presented with a window, designed by APPLE, called "App Tracking Transparency" (hereinafter "the first window"). The purpose of this first window was to obtain consent from the user to let the provider track the user's activities on the provider's applications.

The user had two options in the first window, either to accept tracking by the provider or to decline it. Whatever option the data subject would choose, a second window, designed by the provider, would show up after the first window. In this second window, the user only had to certify that they were over the age of sixteen. Also, the user had to accept the provider’s personal data protection policy.

When the user clicked on "Ask the app not to track my activities" in the first window, the second window contained a text indicating that the user's iPhone settings prevented "tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". The controller also stated in this second window that "Data protection is a key issue for Voodoo and we respect your choice." The DPA noted that in this scenario the IDFA, APPLE's own advertising identifier, was not readable: it was replaced by a string of zeros, so the provider could not obtain it. However, the DPA found that in this same scenario another tracker, the IDFV, was read by the provider for advertising purposes. The IDFV ("Identifier For Vendors") is an identifier provided by Apple to the publisher of an app in the Apple App Store. It allows the publisher to track the use of its application(s) on a user device. A separate IDFV is assigned to each user, but it is identical across all applications distributed by the same publisher.

The provider also collected other information specific to the user's device (such as system language, device model, etc.). The controller stated in the second window that it collected this information and used the IDFV to provide non-personalised advertisements based on browsing habits.
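The check the investigation service performed, as an added example that is not code from the CNIL decision or from VOODOO: it audits a session of captured outbound requests after an ATT refusal, as described in the Facts above and in paragraph 50 of the decision (zeroed IDFA, IDFV sent to advertising domains together with terminal characteristics). The request format, hostnames, field names and sample requests are all constructed assumptions.

```python
"""Audit captured app traffic for identifier use after an ATT refusal.

Constructed example; it is not code from the CNIL decision or from VOODOO.
It models what the CNIL delegation looked for: after the user refuses the
"ATT solicitation" the IDFA is returned as a string of zeros, yet requests
to advertising domains may still carry the IDFV together with terminal
characteristics (system language, device model, battery level, ...).
The request format, hostnames and field names are all assumptions.
"""
import json
import re
from dataclasses import dataclass

# Value iOS hands back for the IDFA when tracking has been refused (see Facts).
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"
UUID_RE = re.compile(r"^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)

# Terminal characteristics the decision lists in paragraph 50; combined with a
# stable identifier they profile the device and its use. Field names are assumed.
DEVICE_FIELDS = {"lang", "model", "brightness", "battery", "free_mem", "app", "session_s"}

# Advertising endpoints the auditor knows about (constructed hostnames).
AD_DOMAINS = ("adnet.test", "otherads.test")


@dataclass(frozen=True)
class Finding:
    host: str
    identifier: str        # "idfv" or "idfa"
    device_fields: tuple   # terminal characteristics sent alongside it
    severity: str          # "violation", "review" or "consented"


def _matches(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_session(att_status: str, vendor_consent: bool, requests, ad_domains):
    """Classify one session's outbound requests.

    att_status     : "denied" or "authorized", the choice made in Apple's ATT window.
    vendor_consent : True only if the app's own window collected consent for reading
                     identifiers for advertising (Article 82). A refusal of the ATT
                     solicitation is never consent; its acceptance is taken here as
                     consent to tracking (paragraph 33 of the decision).
    requests       : JSON strings, one per request, of the form
                     {"host": "...", "body": {...}} (constructed format).
    ad_domains     : hostname suffixes known to be advertising endpoints.
    """
    consented = vendor_consent or att_status == "authorized"
    findings = []
    for line in requests:
        req = json.loads(line)
        host, body = req["host"], req.get("body", {})
        fields = tuple(sorted(k for k in body if k in DEVICE_FIELDS))

        idfa = body.get("idfa")
        if att_status == "denied" and idfa not in (None, ZERO_IDFA):
            # A real IDFA after an ATT refusal contradicts the iOS setting itself.
            findings.append(Finding(host, "idfa", fields, "violation"))

        idfv = body.get("idfv")
        if not (idfv and UUID_RE.match(idfv)):
            continue
        if _matches(host, ad_domains):
            # IDFV sent to an advertising domain: reading it for advertising
            # purposes requires prior consent under Article 82.
            severity = "consented" if consented else "violation"
        else:
            # Purpose cannot be inferred from the host alone; review manually.
            severity = "review"
        findings.append(Finding(host, "idfv", fields, severity))
    return findings


def violations(findings):
    return [f for f in findings if f.severity == "violation"]


# Constructed sample session: the user refused the ATT solicitation, the IDFA
# is zeroed, but the IDFV still leaves the device with terminal characteristics.
SAMPLE_REQUESTS = [
    json.dumps({"host": "ads.adnet.test", "body": {
        "idfa": ZERO_IDFA, "idfv": "8F1A2B3C-4D5E-4F60-8A9B-0C1D2E3F4A5B",
        "lang": "fr", "model": "iPhone12,1", "battery": 0.83}}),
    json.dumps({"host": "api.publisher.test", "body": {
        "idfv": "8F1A2B3C-4D5E-4F60-8A9B-0C1D2E3F4A5B",
        "app": "helix_jump", "session_s": 240}}),
    json.dumps({"host": "cdn.otherads.test", "body": {
        "idfa": ZERO_IDFA, "lang": "fr"}}),
]

if __name__ == "__main__":
    for f in audit_session("denied", False, SAMPLE_REQUESTS, AD_DOMAINS):
        print(f"{f.severity:10} {f.identifier} -> {f.host} with {f.device_fields}")
```

Running the sample session flags the IDFV sent to the advertising host as a violation and the first-party request for manual review; with a separate consent window (vendor_consent=True) the same traffic produces no violation.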

Holding

According to Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive, any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless they have already been so informed, of the purpose of any action intended to access information already stored on their device or to write information to it, and of the means available to them to object to these reading/writing operations. Such access or writing may only take place once the user, having received this information, has given consent. Moreover, the consent provided for in Article 82 must be understood within the meaning of Article 4(11) GDPR.

The provider did not dispute that it read the IDFV on user devices when a user denied tracking in the first window. The provider also confirmed that the reading of data subjects' IDFV was conducted for advertising purposes. The DPA held that the provider's use of the IDFV did not fall under any of the exceptions defined in Article 82 of the French Data Protection Act. Therefore, the provider had to obtain the user's prior consent.

The DPA stated that the provider reduced the effectiveness of the choice expressed by the user to decline tracking in the first window: the user had declined tracking by the provider in that window, but was still tracked by the provider, which simply used a different identifier to do so. The DPA also noted that when the user declined tracking in the first window, the second window presented to the user contained a text indicating that the user's iPhone settings prevented "tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". Based on this information, the DPA considered that users would not expect their data to be used for personalised advertising purposes, since they had just rejected tracking in the first window. The French DPA further found that the information provided by the controller in this second window did not correspond to the reality of the processing. It held that collecting information on data subjects' browsing habits in order to offer them advertisements necessarily meant that these advertisements could not be qualified as 'non-personalised', even though the data associated with the identifier only allowed for limited personalisation (limited to the context of the application used).

The DPA thus considered that the information provided by the provider was likely to mislead data subjects regarding the consequences of refusing tracking in the first window.

The French DPA held that by using the IDFV for advertising purposes without the user's consent, the provider breached its obligations under Article 82 of the French Data Protection Act.

The French DPA imposed a €3,000,000 fine on the provider. It justified this amount by the number of people concerned, by the financial benefits obtained as a result of the breach and by the turnover achieved by the provider in 2020 and 2021. In addition to the administrative fine, the French DPA ordered the provider to obtain users' consent for the use of the IDFV for advertising purposes within three months of the notification of the decision.

Comment

This is another decision by the CNIL in which it fined a provider for the use of cookies and trackers. Since December 2022, the CNIL has fined multiple companies for similar cookie violations. Below, you will find GDPRhub summaries for each of these decisions:

It is also important to note that the ATT window (referred to in the summary as 'the first window') is part of a technical mechanism on iOS devices, implemented by Apple in 2021 (iOS version 14.5), which requires every third-party developer (parties other than Apple itself) to obtain consent from users before tracking them on their iOS devices.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation SAN-2022-026 of 29 December 2022
National Commission for Information Technology and Civil Liberties

    Nature of the deliberation: Sanction
    Legal status: In force

    Date of publication on Légifrance: Tuesday 17 January 2023

Deliberation of the restricted formation no SAN-2022-026 of 29 December 2022 concerning the company VOODOO

The Commission nationale de l'informatique et des libertés, meeting in its restricted formation composed of Mr Alexandre LINDEN, chairman, Mr Philippe-Pierre CABOURDIN, vice-chairman, Ms Anne DEBET, Ms Christine MAUGÜÉ and Mr Alain DRU, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the free movement of such data;

Having regard to Law No. 78-17 of 6 January 1978 on information technology, files and freedoms, in particular Articles 20 et seq;

Having regard to Decree No. 2019-536 of 29 May 2019 taken for the application of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms;

Having regard to Deliberation No. 2013-175 of 4 July 2013 adopting the internal rules of procedure of the Commission nationale de l'informatique et des libertés;

Having regard to Decision No. 2021-194C of the President of the CNIL of 29 June 2021 to instruct the Secretary General to carry out or have carried out a verification mission of the processing operations implemented by the company VOODOO or on its behalf;

Having regard to the decision of the President of the Commission nationale de l'informatique et des libertés appointing a rapporteur before the restricted formation of 20 June 2022;

Having regard to the report by Mr Claude Castelluccia, the reporting commissioner, notified to the company VOODOO on 22 July 2022;

Having regard to the written observations submitted by VOODOO on 26 September 2022;

Having regard to the rapporteur's response to these observations, notified to the company's counsel on 21 October 2022;

Having regard to the written observations of VOODOO received on 21 November 2022;

Having regard to the other documents in the file;

The following were present at the meeting of the restricted formation on 8 December 2022:

- Mr Claude Castelluccia, Commissioner, heard in his report;

As representatives of the company VOODOO:

- [...]

The company VOODOO having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. Created in 2013, VOODOO (hereinafter "the company"), which specialises in the publishing of mobile phone games, is a simplified joint stock company with its registered office at 17 rue Henry Monnier in Paris (75009). In September 2021, the VOODOO group, which comprises some twenty companies, employed [...] people in France, including [...] within VOODOO. The company has several subsidiaries in several EU Member States whose sole activity is the development of mobile games, which are then published and operated by VOODOO.

2. In 2020, VOODOO had a turnover of more than EUR [...] and a profit of almost EUR [...]. In 2021, its turnover amounted to approximately EUR [...] with a net profit of over EUR [...].

3. Pursuant to Decision No. 2021-194C of the President of the CNIL of 29 June 2021, a delegation from the Commission carried out an online inspection on 19 August 2021 on both "www.voodoo.io" from a computer and the "Helix Jump" application from an APPLE phone. The purpose of the inspection was to verify the cookies and trackers placed and/or read by VOODOO. On this occasion, the delegation followed the path of a user who downloaded an application published by VOODOO and then opened it for the first time on his or her phone. It noted that when the application was opened, the user was presented with an initial window designed by APPLE and called "App Tracking Transparency" (hereinafter "the ATT solicitation") in order to obtain his or her consent to the tracking of his or her activities on the applications downloaded to his or her phone. It then noted that, regardless of the choice expressed by the user in response to the "ATT solicitation", a second window relating to the tracking of advertising by VOODOO was presented to the user. The delegation then followed two scenarios, one in which the "ATT solicitation" is granted and the other in which the "ATT solicitation" is refused. Report No. 2021-194/1, drawn up by the delegation at the end of the inspection, was notified to VOODOO the same day.

4. On 2 September 2021, a documentary inspection was also carried out by sending a questionnaire to which the company replied on 21 September 2021.

5. A request for further information was sent to the company on 17 January 2022, which replied on 31 January 2022.

6. For the purpose of examining these elements, the Commission Chair appointed Mr Claude Castelluccia as rapporteur on 20 June 2022, on the basis of Article 39 of Decree no. 2019-536 of 29 May 2019 as amended.

7. On 18 July 2022, at the request of the rapporteur and following a decision by the President of the CNIL, new online checks were carried out both on the site "www.voodoo.io" from a computer and on eleven applications from an APPLE phone, namely "Paper.io 2", "Aquapark.io", "Crowd City", "Hole.io", "Snake VS Block", "Shortcut Run", "Woodturning 3D", "Spiral Roll", "Scribble Rider", "Cube Surfer" and "Helix Jump", which are listed on the above-mentioned website as the most downloaded.

8. On 22 July 2022, the rapporteur sent the company a report detailing the breach of Article 82 of Law No. 78-17 of 6 January 1978, as amended, relating to information technology, files and freedoms (hereinafter the "Information Technology and Freedoms Law"), which he considered to have occurred in this case. This report proposed that the restricted panel impose an administrative fine on the company, as well as an injunction, accompanied by a fine, to stop using the "identifier for vendors" (hereinafter "IDFV") on terminals for advertising purposes without the user's consent. It also proposed that the penalty decision be made public, but that it should no longer be possible to identify the company by name after two years from its publication.

9. On 26 September 2022, the company submitted its observations in response to the penalty report.

10. The rapporteur replied to the company's observations on 21 October 2022.

11. On 21 November 2022, the company submitted further observations in response to the rapporteur's comments.

12. By letter dated 22 November 2022, the rapporteur informed the company's counsel that the investigation was closed, pursuant to Article 40, III, of amended Decree no. 2019-536 of 29 May 2019.

13. By letter of the same date, the company's counsel was informed that the case had been placed on the agenda of the restricted formation of 8 December 2022.

14. The rapporteur and the company presented oral observations at the meeting of the restricted formation.

II. Reasons for the decision

A. On the personal data processing at issue and the liability of VOODOO

15. With regard to the processing operations at issue, the restricted panel notes that the procedure concerns the reading and writing operations carried out on users' terminal equipment and which fall within the scope of the "ePrivacy" Directive, in particular, the reading of the "Identifier For Advertisers" (hereinafter "IDFA") and the IDFV, of users' terminals using the iOS operating system.

16. The IDFA is a unique identifier assigned to each device by APPLE's iOS operating system. It is a series of hexadecimal characters created to allow advertisers to uniquely identify the device across all installed mobile applications that use this identifier.

17. The IDFV is an identifier that APPLE makes available to publishers, allowing them to track how users use their applications. Unlike the IDFA, the IDFV only has the same value for applications identified as coming from the same publisher. The IDFV is thus distinct for each application publisher, but identical for all applications distributed by the same publisher.

18. With regard to the responsibility for these processing operations, the restricted panel notes, first of all, that Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data (hereinafter "RGPD") is applicable to the present proceedings because of the use of the concept of "controller" in Article 82 of the Data Protection Act, which is justified by the reference made by Article 2 of the ePrivacy Directive to Directive 95/46/EC on the protection of personal data, which the RGPD has replaced.

19. According to Article 4(7) of the GDPR, the controller is "the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing".

20. The restricted panel then noted that the information in the file showed that VOODOO indicated that it determined the purposes and means of processing the personal data of users of the applications. The information in the file corroborates this statement.

21. VOODOO must therefore be considered to be responsible for processing consisting of accessing or recording information in the terminals of users residing in France when using the applications it publishes.

B. On the procedure

22. The company considers that the procedure followed by the CNIL does not respect the principle of the right to a fair trial insofar as the rapporteur did not conduct his investigation in a manner that was both incriminating and exculpatory. The company considers that the rapporteur did not take into account the figures it provided on 3 August 2022 regarding the number of users of the VOODOO applications targeted by the inspection, which are much more representative of the number of people concerned than the number of downloads on which the rapporteur based his initial report. In view of these elements, the company asks the restricted formation to remove the inspection report of 18 July 2022 from the proceedings.

23. Firstly, the restricted formation notes that, if the sanction procedure is indeed subject to certain requirements of the right to a fair trial, the company does not provide any element tending to show that the procedure in question did not respect the rights of the defence.

24. Secondly, with regard to the figures relating to the number of downloads or unique active users in France on iOS, the restricted formation notes that, as he explained at the meeting, the rapporteur referred to the number of downloads of the VOODOO applications in order to highlight the number of people potentially concerned by the infringement that he considers to have occurred. It also notes that the adversarial phase between the rapporteur and VOODOO enabled figures relating to the number of people concerned to be submitted to the debates and that, at the meeting, the rapporteur took this volume into account in order to adjust the amount of the proposed fine.

25. In view of these elements, the restricted formation considers that the procedure is not vitiated by any irregularity.

C. On the breach of Article 82 of the Data Protection Act

26. Under Article 82 of the Data Protection Act, transposing Article 5(3) of the ePrivacy Directive, "any subscriber or user of an electronic communications service must be informed in a clear and comprehensive manner, unless he or she has been informed in advance by the controller or its representative:

1° The purpose of any action to access, by electronic transmission, information already stored in his or her electronic communications terminal equipment, or to write information into that equipment;

2° Of the means available to him/her to oppose it.

Such access or recording may only take place on condition that the subscriber or user has expressed, after having received this information, his consent, which may result from the appropriate parameters of his connection device or any other device under his control.

These provisions shall not apply if access to information stored in the user's terminal equipment or the writing of information in the user's terminal equipment:

1° Either, has the sole purpose of enabling or facilitating communication by electronic means;

2° Or is strictly necessary for the provision of an online communication service at the express request of the user.

27. Since the entry into force of the RGPD, the "consent" provided for in the above-mentioned Article 82 must be understood within the meaning of Article 4(11) of the RGPD, i.e. it must be given in a free, specific, informed and unambiguous manner and manifested in a clear positive act.

28. The CNIL specified in its Deliberation No. 2020-091 of 17 September 2020 adopting guidelines on the application of Article 82 of the amended Act of 6 January 1978 to read and write operations on a user's terminal (in particular "cookies and other tracers") and repealing Deliberation No. 2019-093 of 4 July 2019: "These guidelines concern all terminal equipment covered by this definition, regardless of the operating systems or application software (such as web browsers) used. They cover, in particular, the use of HTTP cookies, through which these read or write actions are most often performed, but also other technologies such as [...] identifiers generated by operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc.), hardware identifiers (MAC address, serial number or any other device identifier), etc. "(§§ 12 and 13).

29. The rapporteur observes that during the inspection carried out on 19 August 2021 on an APPLE device running the iOS operating system, when a user opens an application published by VOODOO for the first time, the "ATT solicitation" is presented to the user in order to obtain his or her consent to the tracking of his or her activities on the applications downloaded to his or her phone. The user then has the option of clicking on "Ask the app not to track my activities" or "Authorise". Whichever choice the user makes in response to the "ATT request", a second window, specific to VOODOO, is presented to them. When the user clicks on "Ask the app not to track my activities", the window that is then presented to him/her by VOODOO does not contain any buttons or checkboxes designed to obtain his/her consent to other forms of personalised advertising. The user must only certify that they are over the age of sixteen and accept the company's personal data protection policy.

30. The rapporteur notes that in this scenario the IDFA, which is APPLE's advertising identifier, is not read but replaced by a string of zeros ("00000000-0000-0000-0000-000000000000"). On the other hand, he notes that the IDFV is read and transmitted to domains for advertising purposes, along with other information specific to the device (system language, device model, screen brightness, battery level, available memory space, etc.) and its use (application used and time spent), without the user having given his or her consent to this operation. He observed that VOODOO did not dispute the advertising purpose of this reading operation and concluded that by using the IDFV for this purpose without the user's prior consent, VOODOO was in breach of the obligations of Article 82 of the French Data Protection Act. The rapporteur also notes that the breach committed by VOODOO is particularly serious in that the information it presents to the user is misleading. Indeed, when the user has refused the "ATT solicitation", the second window presented to the user contains a text indicating that the settings of his or her telephone "prevent tracking for the purpose of personalising ads and advertisements according to the advertising ID of your device". The rapporteur therefore considers that the user has a legitimate expectation that no tracking of any kind will be carried out for advertising purposes.
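The observation in paragraph 30 is the kind of thing a publisher can check for itself before release: capture the app's outgoing requests through a proxy and look for ad-network calls that carry a stable IDFV after the user has refused ATT (i.e. the IDFA is the all-zero UUID). The script below is an added example and is not code from the decision, from the CNIL or from VOODOO. The capture format (one JSON record per line with a `host` and a `body`), the ad-network hostnames, the identifier values and the device field names are all constructed for illustration; a real capture would come from a proxy such as the one used in the inspection, and the list of advertising hosts would come from the publisher's own SDK inventory.

```python
# Added example: offline audit of captured app traffic for IDFV use after an
# ATT refusal. All records, hosts and field names are constructed (assumption).
import json
from dataclasses import dataclass

# IDFA value iOS hands out once App Tracking Transparency has been refused
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"

# Constructed set of hosts treated as advertising endpoints (assumption)
AD_DOMAINS = {"ads.adnetwork.invalid", "bid.exchange.invalid"}

# Device and usage fields of the kind the decision lists as sent alongside the IDFV
DEVICE_FIELDS = {
    "system_language", "device_model", "screen_brightness",
    "battery_level", "free_memory_mb", "app", "session_seconds",
}
# Purely contextual fields an ad request may keep without vendor-scope tracking
CONTEXTUAL_FIELDS = {"app"}

# Constructed proxy capture (hypothetical format): one JSON record per line.
SAMPLE_CAPTURE = """
{"host": "ads.adnetwork.invalid", "body": {"idfa": "00000000-0000-0000-0000-000000000000", "idfv": "7C0E1B3A-5F2D-4C8A-9E1F-0A2B3C4D5E6F", "system_language": "fr", "device_model": "iPhone12,1", "battery_level": 0.82, "app": "HelixJump", "session_seconds": 143}}
{"host": "crash.telemetry.invalid", "body": {"idfv": "7C0E1B3A-5F2D-4C8A-9E1F-0A2B3C4D5E6F", "device_model": "iPhone12,1"}}
{"host": "bid.exchange.invalid", "body": {"idfa": "1E2D3C4B-5A69-4788-97A6-B5C4D3E2F1A0", "idfv": "7C0E1B3A-5F2D-4C8A-9E1F-0A2B3C4D5E6F", "app": "HelixJump"}}
{"host": "bid.exchange.invalid", "body": {"idfa": "00000000-0000-0000-0000-000000000000", "app": "HelixJump", "session_seconds": 60}}
"""


@dataclass
class Finding:
    host: str
    idfv: str
    device_fields: list  # which fingerprint/usage fields travelled with the IDFV


def parse_capture(text):
    """Parse the constructed line-delimited JSON capture into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def att_refused(body):
    """ATT refused or not yet answered: no usable IDFA in the payload."""
    return body.get("idfa") in (None, ZERO_IDFA)


def audit_requests(records, ad_domains=AD_DOMAINS):
    """Flag advertising requests that carry an IDFV although ATT was refused.

    Crash/analytics hosts are deliberately out of scope here: the decision
    turns on the advertising purpose of the read, not on the IDFV as such.
    """
    findings = []
    for rec in records:
        body = rec.get("body", {})
        idfv = body.get("idfv")
        if rec.get("host") in ad_domains and att_refused(body) and idfv:
            fields = sorted(k for k in body if k in DEVICE_FIELDS)
            findings.append(Finding(rec["host"], idfv, fields))
    return findings


def redact_without_consent(body, consent_to_publisher_tracking):
    """Mitigation on the device side: without the publisher's own consent for
    vendor-scope tracking, drop the IDFV and the usage/fingerprint fields
    before an ad request leaves the device, keeping only contextual fields.
    Returns a new dict; the input is left untouched."""
    if consent_to_publisher_tracking:
        return dict(body)
    drop = (DEVICE_FIELDS - CONTEXTUAL_FIELDS) | {"idfv"}
    return {k: v for k, v in body.items() if k not in drop}


def run_audit():
    """Run the audit over the constructed capture and return the findings."""
    return audit_requests(parse_capture(SAMPLE_CAPTURE))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.host}: IDFV {f.idfv} sent after ATT refusal with {f.device_fields}")
```

Only the first record is flagged: the IDFA is zeroed, the destination is an advertising host, and the IDFV travels with a language, model, battery and session-time fingerprint. The crash-reporting request is not flagged because it has no advertising purpose, the third request has a real IDFA (ATT accepted), and the last one carries no IDFV at all. Running `redact_without_consent` on the flagged payload produces a request that the same audit no longer reports.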

31. In its defence, the company contested the rapporteur's assertion that the 'ATT solicitation' was no longer presented to users who had downloaded several VOODOO applications once they had refused to be tracked for advertising purposes when they opened the first application. It specifies that the "ATT solicitation" is presented to the user each time a new VOODOO application is downloaded, unless the user has deactivated the "Authorise app tracking requests" option available in the "Privacy" / "Tracking" settings of his or her iPhone, and not only once for all VOODOO applications. It considers that its system for obtaining consent to the use of identifiers for advertising purposes and the information provided to users are partially compliant with the provisions of Article 82 of the French Data Protection Act. The company states that, as regards the information provided to users, this is admittedly clumsy, but cannot be qualified as misleading and does not have the seriousness emphasised by the rapporteur. Indeed, if, in the window it displays, the company mentions that it collects data for "non-targeted advertising purposes" "based on [users'] browsing habits", this information must be interpreted in relation to the tracking of "browsing habits" made possible by the IDFA, which allows tracking across all the applications downloaded by a user on his or her terminal running the iOS operating system. The company argues that, in contrast, when collected, IDFV only allows tracking across apps offered by a single publisher. The company states that it is in this sense that VOODOO claimed that it does not "track" users if they refuse the ATT.

32. Firstly, the restricted panel recalls that Article 82 of the Data Protection Act requires consent to read and write information in a user's terminal, but provides for specific cases in which certain tracers benefit from an exemption from consent: either when the sole purpose is to enable or facilitate communication by electronic means, or when it is strictly necessary for the provision of an online communication service at the express request of the user.

33. In the present case, the restricted panel notes that the company does not contest that a reading operation of the IDFV specific to the user's terminal is carried out when the user refuses the "ATT solicitation" - which solicitation allows, when accepted, to collect the user's consent to the monitoring of his or her activities on the downloaded applications. The company also confirms that the reading of users' IDFV is for advertising purposes.

34. The Panel notes that the purpose of this operation is not to enable or facilitate communication by electronic means and is not strictly necessary for the provision of an online communication service at the express request of the user. Consequently, such an operation of reading the IDFV does not fall under any of the exceptions defined in Article 82 of the French Data Protection Act and cannot be carried out on the person's terminal without prior consent.

35. The restricted panel considers that, even though the IDFV does not allow tracking as extensive as that made possible by the IDFA, the fact remains that, as is apparent from the documents in the file and the company's written submissions and in particular the window it presents to the user, this identifier makes it possible to track the user's activity within the applications published by VOODOO for advertising purposes and without the prior consent of the interested parties. The restricted panel further notes that by refusing the "ATT solicitation", the user has already expressed his wish that his activity not be tracked by any actor whatsoever. Thus, the fact that the company still carries out reading and/or writing operations for advertising purposes deprives the choice expressed by the user of effectiveness.

36. Secondly, the Panel notes that in case of refusal of the "ATT solicitation", the following information is presented to the user: "You have deactivated the tracking of advertising on your terminal" (in red) and "Data protection is a key issue for Voodoo and we respect your choice. Please note that your device settings prevent tracking for the purpose of personalising ads and advertisements based on your device's ad ID. Other technical data that does not involve tracking (such as information related to the type of device, type of connection or its IP address for example) may still be collected as described in our Privacy Policy, in particular to allow you to enjoy our games but also so that we can continue to improve and solve potential problems with our games (analysis and correction purpose) and to offer you non-personalised advertisements based on your browsing habits (non-targeted advertising purpose)." The panel considers that the user who is aware of this information can legitimately expect that no tracking of his or her activity will be carried out for the purpose of personalising ads. In addition, the restricted panel observed that the terms used in this window did not correspond to the reality of the processing carried out by the company. Indeed, the company states that it collects "technical data not involving tracking" in order to offer "non-personalised advertisements based on your browsing habits". However, the restricted panel considers that the fact of collecting information on users' "browsing habits" in order to offer them advertisements necessarily prevents these advertisements from being qualified as "non-personalised", even though the data associated with the identifier only allows for limited personalisation, limited to the context of the application used. It thus considers that the information is likely to mislead users as to the consequences of refusing the "ATT solicitation".

37. In light of the above, the restricted panel considers that by using the IDFV for advertising purposes without the user's consent, VOODOO is in breach of the obligations of Article 82 of the French Data Protection Act.

III. On corrective measures and their publicity

38. Under the terms of Article 20, III, of the amended Act of 6 January 1978, "When the controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Act, the president of the Commission nationale de l'informatique et des libertés may also, where applicable, after having sent him the warning provided for in I of this article or, where applicable, in addition to a formal notice provided for in II, refer the matter to the restricted formation of the Commission with a view to pronouncing, after an adversarial procedure, one or more of the following measures: [...]

2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Act or to comply with the requests made by the data subject with a view to exercising his or her rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment the amount of which may not exceed €100,000 for each day of delay from the date set by the restricted panel; [...]

7° With the exception of cases where the processing is implemented by the State, an administrative fine that may not exceed €10 million or, in the case of a company, 2% of the total annual worldwide turnover for the previous financial year, whichever is higher. [...] In determining the amount of the fine, the restricted formation shall take into account the criteria specified in the same Article 83.

39. Article 83 of the RGPD provides that "each supervisory authority shall ensure that administrative fines imposed pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding the amount of that fine.

A. On the imposition of an administrative fine and its amount

40. In its defence, the company argues that the rapporteur's proposal for a fine is insufficiently reasoned. It then points out that the legal framework applicable to tracers has evolved constantly, in part unpredictably and heterogeneously at French and European level from 2019 to 2021.

41. It also highlights the constraints to which its economic activity is subject and in particular its situation of dependence and vulnerability with regard to the monopoly platforms that control the application shops. It points out that the obligation to use the "ATT solicitation" has forced application publishers to develop their own consent gathering mechanism that must be applied in addition to the ATT window. According to the company, APPLE has thus forced publishers "to adopt unsatisfactory consent procedures that are complex for the user". It points out that its revenues depend almost exclusively on the display of advertisements.

42. It considers that any failure it may have committed would be of limited scope insofar as the data collected are not directly identifying, are not intrusive, or even do not constitute personal data. It points out that the duration of the collection is very short, on average 17.4 minutes per month per user, that the processing in question was implemented recently since the ATT dates from April 2021 and that the breach would only concern users with the iOS operating system who had not consented to the "ATT solicitation", i.e. a number of persons concerned that is much lower than the number of downloads put forward by the rapporteur.

43. Finally, the company considers that imposing a penalty on it would not be consistent with the action plan unveiled on 24 November by the CNIL, the aim of which is to support players in the mobile application ecosystem.

44. The restricted formation recalls that Article 20, paragraph III, of the Data Protection Act gives it the power to impose various sanctions, in particular administrative fines, the maximum amount of which may be equivalent to 2% of the total annual worldwide turnover of the previous financial year achieved by the data controller or to 10 million euros. It adds that the determination of the amount of these fines is assessed in the light of the criteria specified in Article 83 of the GDPR.

45. The restricted formation then notes that all the written submissions brought to its attention, both by the rapporteur and by the company, contain all the information needed to assess the amount of the proposed fine.

46. Firstly, with regard to the constraints generated by the introduction of "ATT solicitation", the restricted panel considers that this circumstance cannot exonerate the company from its own liability: in the absence of the user's express consent, the restricted panel considers that the company cannot carry out reading operations on the user's terminal for advertising purposes.

47. Secondly, the restricted formation emphasises that, in this case, it is appropriate to apply the criterion provided for in Article 83(2)(a) of the GDPR relating to the seriousness of the breach, taking into account the scope of the processing and the number of data subjects concerned by it.

48. The restricted formation notes, first of all, that by not obtaining the consent of users to the reading of the IDFV, the company deprives them of the possibility of exercising their choice in accordance with the provisions of Article 82 mentioned above. In addition, it observed that the breach was aggravated by the fact that the information presented to the user who refused the "ATT solicitation" legitimately led him to believe that he would not be subject to any form of tracing.

49. With regard to the number of persons concerned, the restricted formation notes that it emerges from the figures provided by the company in its final submissions that the eleven applications that were the subject of the monitoring have a total of 5.8 million users in France on iOS between April 2021 and July 2022. The restricted panel notes that while these are not necessarily 5.8 million unique users and that, according to the company, 43% of them accept the monitoring of their activities, this large volume of people nevertheless reflects the central position occupied by the company in the phone games sector, which claims on its website 150 million active users per month worldwide, making it one of the leading companies in the sector.

50. Finally, as regards the scope of the infringement, the restricted formation considers that the fact that each user plays on average only 17 minutes per month does not mean that the quantity of data collected is insignificant. It noted that during the inspections carried out by the CNIL delegation, it only opened the VOODOO applications for a few minutes, but nevertheless noted, firstly, that numerous requests containing the IDFV of the terminal used were sent to several advertising domains and that, secondly, these requests contained information related to the technical characteristics of the terminal (system language, model of the device, screen brightness, battery level, available memory space, in particular) and to its use (application used and time spent). Thus, the use of a VOODOO game, even for a limited period of time, results in the collection of data, which is used for advertising purposes, and which is collected in a way that is significant for the user.

51. The restricted panel also recalls that the IDFV, insofar as it is combined with other information characteristic of the user's terminal, makes it possible, as the company indicates in the window it presents, to monitor people's "browsing habits" and in particular the game categories they prefer, precisely in order to personalise the ads seen by each of them. Under these circumstances, the IDFV is indeed personal data.

52. Thirdly, the restricted panel considers that the criterion provided for in Article 83(2)(k) of the GDPR relating to any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial benefits obtained as a result of the breach, should also be applied.

53. The restricted formation notes that the company's business model is based almost exclusively on advertising, since more than [...] of its income comes from this source. Now, even though the monitoring of the user's activity carried out thanks to the IDFV is not on the same scale as the monitoring made possible by the IDFA, the fact remains that the use of the IDFV for advertising purposes without the user's consent undeniably enabled VOODOO to derive a financial benefit from the breach committed.

54. Fourthly, the restricted panel recalls that, as early as 2013, the CNIL provided support to the players with regard to cookies and trackers, by publishing a recommendation reminding them of the principles that should be respected in order to allow the use of cookies and trackers, while complying with the Data Protection Act. In its deliberation No. 2013-378 of 5 December 2013, the CNIL referred to "the identifier generated by a software or an operating system" as being within the scope of its recommendation. Furthermore, as indicated above, in its guidelines of 17 September 2020, the Commission specified that "these guidelines [...] cover, in particular, [...] identifiers generated by operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc.) [...]". Thus, the regime applicable to the IDFV and the CNIL's consistent position with regard to the practices that are the subject of this procedure have been known for a long time. Furthermore, with regard to the unstable nature of the legal framework on tracers, the CNIL points out that the wording of Article 82 of the Data Protection Act has not been amended since 2011, apart from replacing the word "agreement" with "consent" and changing the numbering of the article following the rewriting of the Act by Order No. 2018-1125 of 12 December 2018. While the entry into force of the RGPD, by broadening the meaning given to the notion of consent, has effectively changed the scope of some of the provisions of Article 82 of the Data Protection Act, the scope of the sanction procedure at issue is strictly limited to practices whose regime was not affected by this development, i.e. the use of a tracker without prior consent. The legal framework was therefore perfectly established at the time of the checks.

55. Moreover, the restricted panel notes that the President of the CNIL did not intend, through the CNIL's action plan relating to mobile applications, to halt all proceedings relating to the use of tracking devices without users' consent.

56. Lastly, the restricted panel recalls that, pursuant to the provisions of Article 20, paragraph III, of the Data Protection Act, VOODOO is liable to a financial penalty of a maximum of 2% of its turnover, which amounted to more than [...] euros in 2020 and approximately [...] euros in 2021, or 10 million euros, whichever is higher. The maximum fine in this case is therefore EUR 10 million.

57. Consequently, in light of the relevant criteria of Article 83(2) of the GDPR referred to above, the restricted panel considers that a fine of EUR 3 million against VOODOO appears justified.

B. On the issuance of an injunction

58. The rapporteur proposes that the panel issue a compliance order, which could consist of the cessation of the use of the IDFV for advertising purposes in the absence of the user's consent.

59. In its defence, the company presented the rapporteur with two options that it is considering in order to comply: the collection of consent through a window presented before the "ATT solicitation" or the introduction of a "pay wall" before the "ATT solicitation". It considers that the injunction required by the rapporteur has become irrelevant in view of the measures envisaged and regrets that he has not pronounced on the compliance of these proposals.

60. Firstly, the restricted panel notes that, although the company describes the measures it plans to deploy, none of the measures mentioned have been implemented at this stage. Thus, the restricted panel considers that the company has not demonstrated, as of the closing date of the investigation, its compliance with the provisions of Article 82 above and that an injunction should therefore be issued on this point.

61. Secondly, the restricted panel recalls that the amount must be both proportionate to the seriousness of the breaches committed and adapted to the financial capacities of the controller.

62. In the light of these elements, the restricted formation considers that the pronouncement of an injunction accompanied by a penalty payment of EUR 20 000 per day of delay as from the notification of the present decision is justified.

63. With regard to the period granted to the company to comply with the injunction, the restricted formation considers, in the light of the company's explanations, that a period of three months from the notification of this decision is sufficient to regularise the situation.

C. On the publicity of the decision

64. The company asked the restricted panel not to make its sanction public. It argued that the seriousness of the facts had not been established, that the duration and scope of the processing operation did not pose a risk to the rights and freedoms of individuals, and that no complaint related to this processing operation had been filed with the CNIL. It also mentions the fact that it operates in a particularly tense international competitive context, with competitors who are mainly American or Israeli, not subject to the RGPD or to the Data Protection Act, who will exploit a possible sanction to their advantage.

65. The restricted formation considers that the publicity of the present decision is justified in view of the seriousness of the infringement in question, the scope of the processing and the number of data subjects.

FOR THESE REASONS

The CNIL's restricted panel, after deliberation, decides:

- to impose an administrative fine of €3,000,000 (three million euros) on the company VOODOO for failure to comply with Article 82 of the Data Protection Act;

- to order VOODOO to obtain the user's consent to the use of the IDFV for advertising purposes;

- attach to the injunction a penalty of €20,000 (twenty thousand euros) per day of delay at the end of a three-month period following notification of this decision, with proof of compliance to be sent to the restricted panel within this period;

- make its decision public on the CNIL website and on the Légifrance website, which will no longer identify the company by name at the end of a period of two years from its publication.

The Chairman

Alexandre LINDEN

This decision may be appealed to the Council of State within two months of its notification.