CNIL (France) - SAN-2022-026

From GDPRhub
Revision as of 15:37, 30 January 2023 by Kv
CNIL - SAN-2022-026
Authority: CNIL (France)
Jurisdiction: France
Relevant Law:
Article 5(3) Directive 2002/58/EC
Article 82 Loi Informatiques et Libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided: 29.12.2022
Published: 17.01.2023
Fine: 3,000,000 EUR
Parties: VOODOO (the controller)
National Case Number/Name: SAN-2022-026
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: n/a

The French DPA fined VOODOO, a mobile game developer, €3,000,000 for violating Article 82 of the French data protection act. VOODOO did not collect users' consent for personalised advertising and provided misleading information regarding the tracking of users' behaviour.

English Summary

Facts

VOODOO ('provider') was a mobile game developer. The investigation service of the French DPA (the investigation service) carried out several checks on voodoo.io and on several of the provider's mobile applications, in particular to check the cookies and tracers deposited on user devices. These investigations were carried out between June 2021 and July 2022. The investigation was limited to iOS, APPLE's operating system for iPhones.

The investigation service followed the path of a user who downloaded one of the provider's apps and then opened the application for the first time. The user would be presented with an initial window, designed by APPLE and called "App Tracking Transparency" (hereinafter "the first window"). The purpose of this first window was to obtain consent from the user to let the provider track the user's activities on the provider's applications. This technical mechanism on iPhones had been implemented by Apple and required every third party (parties other than Apple themselves) to obtain consent from users before tracking them on their iOS devices.

When the user clicked on "Ask the app not to track my activities" in the first window, a second window, designed by the provider, would appear. In this second window, the user only had to certify that they were over the age of sixteen and accept the provider’s personal data protection policy. When the user had declined tracking in the first window, this second window also contained a text indicating that the user's iPhone settings prevented “tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". The DPA also noted that in this second scenario, the IDFA, APPLE's own advertising identifier, was not read but replaced by a string of zeros. Therefore, the provider would not be able to read this identifier.

However, the DPA noted that another cookie called 'the IDFV' was read by the provider and also transmitted to several other domains for advertising purposes. The IDFV ("IDentifier For Vendors") was a cookie provided by Apple to the publisher of an app in the Apple App store. This cookie allowed the publisher to track the use of its applications on a user device. A separate IDFV was assigned to each user and was identical for all applications distributed by the same publisher. The provider also collected other information specific to the user's device (such as system language, device model, etc.). By combining the information of the IDFV with other information, the provider could use the IDFV to track data subjects’ browsing habits, particularly the game categories they preferred, in order to personalise advertisements in the respective applications. The personalisation of these advertisements was limited to the context of each application used.

Holding

According to Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive, any subscriber or user of an electronic communications service must be informed in a clear and complete manner. This is only different when they have been informed in advance, by the provider or its representative, of certain details regarding the cookies: such as the purpose of any action of the provider intended to access information already stored in their device, or to write information to a device; or details regarding the means available to users to object to these reading/writing operations. Moreover, the consent provided for in the aforementioned Article 82 must be understood within the meaning of Article 4(11) GDPR.

The DPA determined that when the user declined tracking in the first window, the second window presented to the user contained a text indicating that the user's iPhone settings prevented “tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". Based on this information, the French DPA considered that users would never expect their data to be used for personalised advertising purposes, since they had just rejected tracking of their activities in the first window.

The French DPA held that the information provided by the controller in this second window did not correspond with the reality of the situation. The DPA held that collecting information on data subjects’ browsing habits in order to offer them advertisements necessarily entailed that these advertisements could not be qualified as non-personalised, even though the data associated with the identifier only allowed for limited personalisation (limited to the context of the application used). It thus considered that the information in the second window was likely to mislead data subjects regarding the consequences of refusing tracking in the first window.

Moreover, the provider did not dispute that it read the IDFV identifier on user devices when a user denied tracking in the first window. The provider also confirmed that the reading of data subjects' IDFV was conducted for advertising purposes. Because the provider's use of the IDFV did not fall under one of the exceptions defined in Article 82 of the French Data Protection Act, the provider would have to obtain the user's prior consent. The provider obviously did not obtain this prior consent, since it was ignoring the user's refusal of tracking in the first window. The French DPA held that by using the IDFV for advertising purposes without the user's consent, the provider breached its obligations under Article 82 of the French Data Protection Act.

The French DPA imposed a €3,000,000 fine on the provider. It justified this amount by the number of people concerned, by the financial benefits obtained as a result of the breach and by the turnover achieved by the provider in 2020 and 2021. In addition to the administrative fine, the French DPA also ordered the provider to obtain the users' consent for the use of the IDFV for advertising purposes from now on and within three months of the notification of the decision.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.