A rare privacy penalty for Apple: the French data protection watchdog, CNIL, has fined the iPhone maker €8 million (approximately $8.5 million) for reading and/or depositing advertising identifiers on local mobile users' devices without their consent, in violation of local data protection laws.
The sanctions decision was issued on December 29th but was only published yesterday (the text of the decision is available in French).
CNIL operates under the European Union's ePrivacy Directive. This enables data protection authorities at Member State level to act on local complaints of infringement, without having to refer them to the lead data supervisor responsible for the company in question (as happens under the EU's newer General Data Protection Regulation (GDPR)).
The amount of the fine won't cause sleepless nights in Cupertino, but Apple leverages its claims of unparalleled user privacy to polish its premium brand and to differentiate the iPhone from cheaper hardware running Google's Android platform, so a penalty concerning user data should sting.
CNIL says it was responding to complaints about Apple showing personalized ads on the App Store. The action relates to an older version (14.6) of the iPhone operating system. Following investigations by the watchdog in 2021 and 2022, it turned out that Apple had not obtained users' prior consent to the processing of their data for targeted advertising served when a user visits Apple's App Store.
CNIL found that v14.6 of iOS automatically read identifiers on a user's iPhone that served many purposes, including powering personalized advertising in the App Store, with collection enabled by default via a pre-checked setting. The 2019 CNIL guidance on the ePrivacy Directive states that ad tracking requires consent.
From CNIL press release [translated from French with machine translation]:
For advertising purposes, these identifiers are not strictly necessary for the provision of the Service (App Store). Therefore, they cannot be read or deposited without the user's prior express consent. However, in reality, the ad targeting settings available from the iPhone's "Settings" icon were pre-checked by default.
Moreover, this possibility was not integrated into the phone's initialization process, so the user had to perform a number of actions to successfully deactivate this parameter. The user had to click the iPhone's "Settings" icon, go to the "Privacy" menu and finally go to the section called "Apple Advertising". These factors made it impossible to obtain prior user consent.
The CNIL said the level of the fine reflects the extent of the processing (noting that it was limited to the App Store), the number of French users affected, the profits Apple derives from advertising revenue generated indirectly from the data collected by the identifiers, and Apple's subsequent compliance.
Apple has been contacted for comment regarding CNIL sanctions. A company spokesperson confirmed the company plans to appeal and sent the following statement:
Given that the CNIL has previously recognized that the way search advertising is served on the App Store prioritizes user privacy, we are disappointed with this decision and plan to appeal. Apple Search Ads is better than any other digital advertising platform we know of by giving users a clear choice as to whether or not they want personalized ads. Moreover, Apple Search Ads does not track users across third-party apps and websites and uses only first-party data to personalize ads. We believe privacy is a fundamental human right and users should always decide whether and with whom to share their data.
This isn't the first time Apple has faced critical scrutiny for privacy double standards. Back in 2020, the European privacy rights campaign group noyb filed a series of complaints with the EU's data protection watchdog over the Identifier for Advertisers (aka IDFA) that Apple builds into iPhones by default, claiming that the IDFA similarly violates the principle of prior consent to tracking.
The company has also recently been the subject of a privacy complaint, and been accused of hypocrisy, over how it treats tracking iPhone users' app activity to serve its own "personalized ads" versus the requirement it recently introduced for third-party apps to obtain consent from users, after introducing the App Tracking Transparency feature (aka ATT) to iOS in 2021.
Apple continues to dispute these claims, saying that it complies with local privacy laws and offers iOS users a higher level of privacy and data protection than rival platforms.
Meanwhile, France has been very aggressive in recent years in enforcing ePrivacy breaches against tech giants. As another example, just last month it fined Microsoft €60 million over its pattern design related to cookie tracking, after finding that the company did not provide a mechanism for users to decline cookies as easily as the button displayed to accept them.
Amazon, Google and Meta (Facebook) have also been sanctioned by the CNIL for cookie-related infringements since 2020. And last year, Google updated its EU-wide cookie consent popup to (finally) offer simple "Agree to all" or "Deny all" options at the top level.
tl;dr: Privacy enforcement works.
The steady stream of enforcement and corrections that CNIL's interventions have delivered for French users via ePrivacy (a much older EU directive than the GDPR) sheds an even more telling light on how the latter, major privacy regulation is being overseen and enforced. There, action against tech giants continues to be bogged down by forum shopping, related procedural bottlenecks, resource issues, and disputes among regulators over how to resolve these cross-border cases.
But while GDPR enforcement against tech giants can take years to arrive (it took about 4.8 years, for example, for two "compulsory consent" complaints against Meta's properties Facebook and Instagram to reach a final decision, and other even longer-running complaints are painstakingly inching towards one), the difference between EU directives and regulations means that GDPR enforcement is pan-EU by default, rather than localized to the jurisdiction of the enforcing DPA. In other words, with ePrivacy, broader compliance rollouts are left to the discretion of sanctioned entities, which can result in a more localized impact on users.
Moreover, the (eventual) GDPR penalties are likely to be more substantial than ePrivacy stings, since the directive leaves it to Member States to set "effective, proportionate and dissuasive" penalties. (Ergo, user rights here are bound by local politics.)
It is worth noting that the EU has been trying for years to replace the more than 20-year-old ePrivacy Directive with an updated ePrivacy Regulation. But lobbying by big tech companies and parliamentary disputes over the 2017 European Commission proposal combined to stall the file for most of this period.
Member States finally agreed on a common negotiating position in February 2021, allowing trilogue negotiations to begin. But debates between the EU's co-legislators on details big and small continue, and it's not clear when (or if) consensus can be hashed out. That means the veteran ePrivacy Directive may have many more years of life, and potentially millions of dollars in fines, ahead of it.