CNIL (France) - SAN-2022-026
| CNIL - SAN-2022-026 | |
|---|---|
 | |
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 5(3) Directive 2002/58/EC Article 82 Loi Informatiques et Libertés |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 29.12.2022 |
| Published: | 17.01.2023 |
| Fine: | 3,000,000 EUR |
| Parties: | VOODOO (the controller) |
| National Case Number/Name: | SAN-2022-026 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Légifrance (in FR) |
| Initial Contributor: | n/a |
The French DPA fined VOODOO €3,000,000 for not collecting the consent of data subjects for personalized advertising and for providing them misleading information about the use of their data.
English Summary
Facts
VOODOO (the controller) is a company specialised in smartphone games. Following a decision from the French DPA’s president, a delegation of the French DPA carried out several checks on voodoo.io and on various mobile applications published by VOODOO, particularly to check the cookies and tracers deposited and/or read by the controller. The verifications carried out between June 2021 and July 2022 were performed in the context of downloading and running applications on an iPhone (APPLE), with the iOS operating system.
The delegation followed the path of a data subject who downloaded an application published by the controller and then opened it for the first time on their phone. It noted that when the application was opened, the data subject was presented with an initial window designed by APPLE called "App Tracking Transparency" (hereinafter "the ATT solicitation") to obtain their consent to the tracking of their activities on the applications downloaded to their phone. Then, it found that regardless of the choice expressed by the data subject in response to the ATT Solicitation, a second window relating to the tracking of advertising by the controller was presented to them. The delegation then followed two scenarios, one in which the ATT solicitation was granted and the other in which the ATT solicitation was refused. When the ATT solicitation was accepted, it allowed the data subject's consent to be collected for the monitoring of their activities on the downloaded applications. On the contrary, when the data subject clicked on "Ask the app not to track my activities", the second window that was then presented to them by the controller did not contain any buttons or checkboxes designed to obtain their consent to other forms of personalised advertising. The data subject only had to certify that they were over the age of sixteen and accept the controller’s personal data protection policy.
The delegation noted that in this scenario, the IDFA, which is APPLE's advertising identifier, was not read but replaced by a string of zeros. On the other hand, it noted that the IDFV was read and transmitted to domains for advertising purposes, along with other information specific to the device (system language, device model, screen brightness, battery level, available memory space, etc.) and its use (application used and time spent), without the consent of the data subject to this operation.
What is an IDFV? When a publisher offers an application on the App Store, APPLE provides an "IDentifier For Vendors" (or IDFV) allowing the publisher to track the use of its applications by users. An IDFV is assigned to each user and is identical for all applications distributed by the same publisher (in this case, all the applications of the controller).
By combining it with other information on the smartphone, the IDFV made it possible to track data subjects’ browsing habits, particularly the game categories they preferred, in order to personalize the ads seen by each of them.
Holding
According to Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive, any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless they has been informed in advance, by the controller or its representative, of the purpose of any action intended to access, by electronic transmission, to information already stored in their electronic communications terminal equipment, or to write information into such equipment; and of the means available to them to object to such action. Moreover, the consent provided for in the aforementioned Article 82 must be understood within the meaning of Article 4(11) GDPR (it must be given in a free, specific, informed and unambiguous manner and be manifested by a clear affirmative act). Where the data subject declined the ATT solicitation, the second window presented to the data subject contained a text indicating that the data subject’s phone settings prevented “tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". The French DPA therefore considered that the data subjects would never expect their data to be used for personalised advertising purposes. The French DPA held that the terms used in this window did not correspond to the reality of the processing carried out by the controller. The DPA held that collecting information on data subjects’ browsing habits to offer them advertisements necessarily prevented these advertisements from being qualified as non-personalised, even though the data associated with the identifier only allowed for limited personalisation (limited to the context of the application used). It thus considered that the information was likely to mislead data subjects as to the consequences of refusing the ATT solicitation.
Moreover, the controller did not contest that a reading of the data subject’s IDFV was carried out when the data subject refused the ATT solicitation. The controller also confirmed that the reading of data subjects' IDFV was used for advertising purposes. As the controller's use of the IDFV did not fall under the exceptions defined in Article 82 of the French Data Protection Act it could not, therefore, be carried out on the data subject's terminal without their prior consent. The French DPA held that by using the IDFV for advertising purposes without the data subject's consent, the controller breached its obligations under Article 82 of the French Data Protection Act.
The French DPA imposed a €3 million fine on VOODOO. It justified this amount by the number of people concerned, by the financial benefits obtained as a result of the breach and by the turnover achieved by the controller in 2020 and 2021. In addition to the administrative fine, the French DPA also ordered the controller to obtain the data subjects' consent to the use of the IDFV for advertising purposes within three months of the notification of the decision. If it ever failed to do so, the controller would be liable to pay a penalty of €20,000 per day of delay.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
