CNIL (France) - SAN-2022-026
Article 5(3) Directive 2002/58/EC
Article 82 Loi Informatique et Libertés
Parties: VOODOO (the controller)
National Case Number/Name: SAN-2022-026
European Case Law Identifier: n/a
Original Source: Légifrance (in FR)
The French DPA fined VOODOO, a mobile game developer, €3,000,000 for violating Article 82 of the French data protection act. VOODOO did not collect the consent of users for personalised advertising and provided misleading information regarding tracking behaviour of users.
English Summary
Facts
VOODOO ('provider') was a mobile game developer. The investigation service of the French DPA (the investigation service) carried out several checks on voodoo.io and on several of the provider's mobile applications on iOS, in particular to check cookies and trackers deposited on user devices.
The investigation service followed the path of a user who downloaded one of the provider's apps and opened the application for the first time. The user would be presented with a window, designed by APPLE, called "App Tracking Transparency" (hereinafter "the first window"). The purpose of this first window was to obtain consent from the user to let the provider track the user's activities on the provider's applications.
The user had two options in the first window, either to accept tracking by the provider or to decline it. Whichever option the user chose, a second window, designed by the provider, would show up after the first window. In this second window, the user only had to certify that they were over the age of sixteen. Also, the user had to accept the provider’s personal data protection policy.
When the user clicked on "Ask the app not to track my activities" in the first window, the second window would contain a text indicating that the user's iPhone settings prevented “tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". The controller also stated in this second window that "Data protection is a key issue for Voodoo and we respect your choice." The DPA noted that in this scenario, the IDFA, APPLE's own advertising identifier, was not read but replaced by a string of zeros. Therefore, the provider would not be able to read this identifier. However, the DPA found that in this scenario, another cookie called 'the IDFV' was read by the provider for advertising purposes. The IDFV ("Identifier For Vendors") was a cookie provided by Apple to the publisher of an app in the Apple App store. This cookie allowed the publisher to track the use of its application(s) on a user device. A separate IDFV was assigned to each user but was identical for all applications distributed by the same publisher.
The provider also collected other information specific to the user's device (such as system language, device model, etc.). The controller stated in the second window that it collected this information and used the IDFV to provide non-personalised advertisements based on browsing habits.
Holding
According to Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive, any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless they have been informed in advance, of certain details regarding the cookies, such as the purpose of any action of the provider intended to access information already stored on user devices or to write information to a device, and the means available to users to object to these reading/writing operations. Moreover, the consent provided for in the aforementioned Article 82 must be understood within the meaning of Article 4(11) GDPR.
The provider did not dispute that it read the IDFV identifier on user devices when a user declined tracking in the first window. The provider also confirmed that the reading of data subjects' IDFV was conducted for advertising purposes. The DPA held that the provider's use of the IDFV did not fall under one of the exceptions defined in Article 82 of the French Data Protection Act. Therefore, the provider would have to obtain the user's prior consent.
The DPA stated that the provider reduced the effectiveness of the choice expressed by the user to decline tracking in the first window. The reason for this was the fact that the user had declined tracking by the provider in that window, but was now still tracked by the provider who simply used a different cookie to do so. The DPA also determined that when the user declined tracking in the first window, the second window presented to the user contained a text indicating that the user's iPhone settings prevented “tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". Based on this information, the DPA considered that users would never expect their data to be used for personalised advertising purposes, since they had just rejected tracking in the first window. The French DPA further specified that the information provided by the controller in this second window did not correspond with the reality of the situation. It held that collecting information on data subjects’ browsing habits in order to offer them advertisements necessarily entailed that these advertisements could not be qualified as 'non-personalised', even though the data associated with the identifier only allowed for limited personalisation (limited to the context of the application used).
The DPA thus considered that the information provided by the provider was likely to mislead data subjects regarding the consequences of refusing tracking in the first window.
The French DPA held that by using the IDFV for advertising purposes without the user's consent, the provider breached its obligations under Article 82 of the French Data Protection Act.
The French DPA imposed a €3,000,000 fine on the provider. It justified this amount by the number of people concerned, by the financial benefits obtained as a result of the breach and by the turnover achieved by the provider in 2020 and 2021. In addition to the administrative fine, the French DPA also ordered the provider to obtain the users' consent for the use of the IDFV for advertising purposes from now on and within three months of the notification of the decision.
Comment
- Apple: CNIL (France) - Délibération SAN-2022-025
- Tiktok: CNIL (France) - Délibération SAN-2022-027 du 29 décembre 2022
- Microsoft: CNIL (France) - Deliberation SAN-2022-024 of December 20, 2022
It is also important to note that the ATT window (referred to in the summary as 'the first window') is part of a technical mechanism on iOS devices, which was implemented by Apple in 2021 (iOS version 14.5) and requires every third-party developer (parties other than Apple themselves) to obtain consent from users before tracking them on their iOS devices.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.