CNIL (France) - SAN-2022-026: Difference between revisions

From GDPRhub

Revision as of 15:37, 30 January 2023

CNIL - SAN-2022-026
Authority: CNIL (France)
Jurisdiction: France
Relevant Law:
Article 5(3) Directive 2002/58/EC
Article 82 Loi Informatiques et Libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided: 29.12.2022
Published: 17.01.2023
Fine: 3,000,000 EUR
Parties: VOODOO (the controller)
National Case Number/Name: SAN-2022-026
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: n/a

The French DPA fined VOODOO, a mobile game developer, €3,000,000 for violating Article 82 of the French data protection act. VOODOO did not collect the consent of users for personalised advertising and provided misleading information regarding the tracking of users' behaviour.

English Summary

Facts

VOODOO ('provider') was a mobile game developer. The investigation service of the French DPA (the investigation service) carried out several checks on voodoo.io and on several of the provider's mobile applications, in particular to check the cookies and tracers deposited on user devices. These investigations were carried out between June 2021 and July 2022. The investigation was limited to iOS, APPLE's operating system for iPhones.

The investigation service followed the path of a user who downloaded one of the provider's apps and then opened the application for the first time. The user would be presented with an initial window, designed by APPLE and called "App Tracking Transparency" (hereinafter "the first window"). The purpose of this first window was to obtain consent from the user to let the provider track the user's activities on the provider's applications. This technical mechanism on iPhones had been implemented by Apple and required every third party (parties other than Apple themselves) to obtain consent from users before tracking them on their iOS devices.

When the user clicked on "Ask the app not to track my activities" in the first window, a second window, designed by the provider, would appear. In this second window, the user only had to certify that they were over the age of sixteen and accept the provider's personal data protection policy. Because the user had declined tracking in the first window, this second window also contained a text indicating that the user's iPhone settings prevented "tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". The DPA also noted that in this second scenario, the IDFA, APPLE's own advertising identifier, was not read but replaced by a string of zeros. Therefore, the provider would not be able to read this identifier.

However, the DPA noted that another cookie called 'the IDFV' was read by the provider and also transmitted to several other domains for advertising purposes. The IDFV ("IDentifier For Vendors") was a cookie provided by Apple to the publisher of an app in the Apple App Store. This cookie allowed the publisher to track the use of its applications on a user device. A separate IDFV was assigned to each user and was identical for all applications distributed by the same publisher. The provider also collected other information specific to the user's device (such as system language, device model, etc.). By combining the IDFV with this other information, the provider could track data subjects' browsing habits, particularly the game categories they preferred, in order to personalise advertisements in the respective applications. The personalisation of these advertisements was limited to the context of each application used.

Holding

According to Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive, any subscriber or user of an electronic communications service must be informed in a clear and complete manner. An exception applies only where they have been informed in advance, by the provider or its representative, of certain details regarding the cookies: the purpose of any action of the provider intended to access information already stored in their device, or to write information to a device; and the means available to users to object to these reading/writing operations. Moreover, the consent provided for in the aforementioned Article 82 must be understood within the meaning of Article 4(11) GDPR.

The DPA determined that when the user declined tracking in the first window, the second window presented to the user contained a text indicating that the user's iPhone settings prevented "tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". Based on this information, the French DPA considered that users would never expect their data to be used for personalised advertising purposes, since they had just rejected tracking of their activities in the first window.

The French DPA held that the information provided by the provider in this second window did not correspond with the reality of the situation. The DPA held that collecting information on data subjects' browsing habits in order to offer them advertisements necessarily entailed that these advertisements could not be qualified as non-personalised, even though the data associated with the identifier only allowed for limited personalisation (limited to the context of the application used). It thus considered that the information in the second window was likely to mislead data subjects regarding the consequences of refusing tracking in the first window.

Moreover, the provider did not dispute that it read the IDFV identifier on user devices when a user denied tracking in the first window. The provider also confirmed that the reading of data subjects' IDFV was conducted for advertising purposes. Because the provider's use of the IDFV did not fall under one of the exceptions defined in Article 82 of the French Data Protection Act, the provider would have to obtain the user's prior consent. The provider obviously did not obtain this prior consent, since it ignored the user's refusal of tracking in the first window. The French DPA held that by using the IDFV for advertising purposes without the user's consent, the provider breached its obligations under Article 82 of the French Data Protection Act.

The French DPA imposed a €3,000,000 fine on the provider. It justified this amount by the number of people concerned, by the financial benefits obtained as a result of the breach and by the turnover achieved by the provider in 2020 and 2021. In addition to the administrative fine, the French DPA also ordered the provider to obtain the users' consent for the use of the IDFV for advertising purposes within three months of the notification of the decision.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.