CNIL (France) - SAN-2023-014

From GDPRhub
Revision as of 14:47, 17 October 2023 by Ar (talk | contribs)
CNIL - SAN-2023-014
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(11) GDPR
Article 82 Loi Informatiques et Libertés
Type: Investigation
Outcome: Other Outcome
Started:
Decided:
Published:
Fine: n/a
Parties: VOODOO
National Case Number/Name: SAN-2023-014
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: ar

Following a first decision of 29 December 2022, the French DPA found that VOODOO, a game developer, complied with its order to obtain users consent for the use of the IDFV ("Identifier For Vendors") within the time limit set.

English Summary

Facts

On 29 December 2022, the French DPA fined VOODOO, a mobile game developer, €3,000,000 for violating Article 82 of the French data protection act, whose reference to consent must be understood within the meaning of Article 4(11) GDPR, since VOODOO (the provider) did not collect the consent of users for personalised advertising and provided misleading information regarding tracking behaviour of users.

Additionally, on 16 January 2023, the DPA requested the provider to obtain users consent for the use of the IDFV ("Identifier For Vendors"); a cookie provided by Apple to the publisher of an app in the Apple App store, which allows the publisher to track the use of its application(s) on a user device. Such consent had to be requested within three months of the notification of the decision by the DPA.

On 14 April 2023, the provider furnished evidence to the DPA to demonstrate its compliance implementation. The evidence showed that when one of the provider’s games is opened, its own request appears prior to the one from Apple. The Apple request is called "App Tracking Transparency" (ATT), and it aims to obtain consent from users to let the provider track the user's activities on the provider's applications for targeting advertising purposes.

Holding

In light of the evidence provided, the French DPA acknowledged from the information provided by the provider that a window appears when one of its games is opened, prior to the Apple ATT request. This first window clearly requests the user's consent for the provider and its partners to collect certain technical data, such as the user's advertising identifier and IP address, to offer personalised advertising, measure the performance of content and improve the provider’s games and applications. It also acknowledged that this window presented sliding buttons set by default to "no consent" for each of these two purposes.

It additionally found that a second level of information displays the list of recipient partners according to each purpose, details of the purposes, informs users of the possibility of withdrawing their consent at any time and warns them that their refusal will entail access to an alternative version of the game including a potentially higher volume of non-targeted advertising.

Thus, the DPA found on the basis of the evidence that the provider complied with the injunction within the time limit set.

Comment

The decision by the French DPA of 29 December 2022 (SAN-2022-026) can be found here.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted panel no. SAN-2023-014 of September 28, 2023 relating to the injunction pronounced against the company VOODOO by deliberation no. SAN-2022-026 of December 29, 2022

The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Anne DEBET and Christine MAUGÜÉ, and MM. Alain DRU and Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to law n° 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 as amended taken for the application of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Considering deliberation no. SAN-2022-026 of December 29, 2022 adopted by the restricted panel against the company VOODOO;

Considering the elements transmitted by the company VOODOO on April 14, 2023 to demonstrate their compliance with the injunction;

Considering the other documents in the file;

After deliberating at the meeting of July 13, 2023, adopted the following decision:

I. FACTS AND PROCEDURE

1. Decision no SAN-2022-026 of December 29, 2022, notified to the company VOODOO on January 16, 2023, ordered the latter to:

"to collect the user's consent to the use of the IDFV for advertising purposes".

2. This injunction was accompanied by a penalty of twenty thousand euros (20,000) euros per day of delay at the end of a period of three months following notification of the deliberation of the restricted formation, the supporting documents for the in compliance must be sent to the restricted training within this deadline.

3. On April 14, 2023, the VOODOO company sent the president of the restricted training elements with a view to justifying its compliance, by presenting the implementation, during the opening of a game published by the VOODOO company on a terminal equipped with the iOS operating system, a device for collecting consent for the use of the "identifier for vendors" (IDFV) for the purposes of targeted advertising, measuring content performance and improvement of its games and applications.

4. It appears from the elements produced by the company that when opening a VOODOO game, the request it presents appears prior to that of the APPLE company (also called "ATT request"), by which the latter asks the user for permission to track their activities on all applications on their terminal by reading the “identifier for advertisers” (IDFA) for targeted advertising purposes. The company VOODOO specifies that in the event of refusal to use the IDFV, it cannot be read by the partners or by the company itself for advertising purposes, whatever the choice. made by the user at the ATT request.

II. REASONS FOR DECISION

5. The restricted training of the CNIL notes that it appears from the information provided by the company that a first window appears when one of the games it publishes is opened, prior to the ATT request. This window requests the user's consent so that the company VOODOO and its partners can collect "certain technical data, in particular the advertising identifier and the user's IP address", in order, on the one hand, to "offer personalized advertisements" and, on the other hand, to "measure the performance of content and improve VOODOO games and applications".

6. This window presents sliding buttons positioned by default on “no consent” for each of these two purposes.

7. The restricted training also notes that a second level of information makes it possible to display the list of recipient partners according to each purpose, to detail the purposes, to inform users of the possibility of withdrawing their consent at any time and to warn them that their refusal will involve access to an “alternative version of the game including a potentially greater volume of non-targeted advertising”.

8. Thus, with regard to the elements presented by the company VOODOO justifying the implementation of a means to collect the user's consent to the use of the IDFV for advertising purposes, the restricted panel considers that the company complied with the injunction within the stipulated time limit.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides:

- to say that there is no need to liquidate the penalty;

- to make public, on the CNIL website and on the Légifrance website, this deliberation which will no longer identify the company by name at the end of a period of two years, the starting point being the publication of the deliberation no. SAN-2022-026 of December 29, 2022.

President

Alexandre LINDEN