France data protection authority hints Apple advertising may violate GDPR

Posted:
in General Discussion
France's data protection authority is scrutinizing whether Apple's first-party advertising practices comply with privacy regulations in the European Union.

Credit: AppleInsider
Credit: AppleInsider


In a note dated Dec. 17 and seen by Politico, the Commission on Informatics and Liberty (CNIL) gave an opinion to France's competition authority to inform a dispute between Apple and four organizations representing the French advertising ecosystem.

Specifically, the note suggests Apple's own targeted advertising practices for first-party platforms like the App Store and Apple News may run afoul of GDPR rules.

"Apple's advertising processing requires consent when it involves reading or writing data on the user's device. Apple's practices suggest a lack of consent collection," the CNIL advises.

The case that pitted Apple against the advertising organization centered on whether the company's upcoming App Tracking Transparency feature is anti-competitive. On March 17, CNIL and France's competition regulators both backed Apple's side in the case.

According to the internal CNIL document, signed by agency president Marie-Laure Denis, the privacy feature feature is in line with GDPR rules.

However, it appears that the CNIL believes Apple's own targeted advertising practices are another story. The internal CNIL note is worded carefully, since the group was only asked to inform and not investigate the case. It still hints that Apple could be on the wrong side of regulations.

More specifically, it suggests that Apple is not getting consent to collect user data. Apple, for its part, argues that it doesn't need to do so because it doesn't engage in tracking. The CNIL hints that Apple's definition of tracking may be too narrow.

If it's confirmed that Apple does need to collect consent, and that consent isn't properly collected, "the situation would be a major breach of regulations," the CNIL wrote.

According to Politico>, Apple provided a reply to the points raised by the CNIL in January. The content of Apple's response isn't currently known.

Currently, the CNIL is investigating the matter in the context of the aforementioned ATT complaint filed by French advertisers.

Comments

  • Reply 1 of 13
    I think Apple's move in general complies with the European GDPR laws.  Seems like France has their head in a dark place and loving the smell.

    Please tell me if I'm wrong.
    lkruppwatto_cobra
  • Reply 2 of 13
    rerollreroll Posts: 56member
    macseeker said:
    I think Apple's move in general complies with the European GDPR laws.  Seems like France has their head in a dark place and loving the smell.

    Please tell me if I'm wrong.
    GDPR, just like CCPA, is ultimately about a consent for some data collection on specified purposes. I do not remember consenting to anything in that regard for Apple ads or related on my iPhone or Mac. So if they are indeed collecting data then they would breach regulations (or I forgot I gave my consent...). I would be very surprised this is the case, and from what I gathered from the article no one is saying Apple breached anything, there’s simply a commission doing its job and checking everything is compliant.
    edited March 23 Skepticalprismatics
  • Reply 3 of 13
    nadrielnadriel Posts: 42member
    macseeker said:
    I think Apple's move in general complies with the European GDPR laws.  Seems like France has their head in a dark place and loving the smell.

    Please tell me if I'm wrong.
    Seems that they do comply, but it’s always good to check that they actually do. This is standard practice for checking if company X follow regulation Y. It also gives company X legal ground that they’ve been checked and they have been proved to follow the regulation in question in case of a lawsuit.

    There’s also the question on how either party defines tracking. But big part of GDPR is consent, and users understand what they consent to, if they do. But yeah this article doesn’t mean that there are any actual problems, it’s just Apple gets noted (and leaked to news) easier than the other hundred companies CNIL contacts.
    edited March 23 watto_cobra
  • Reply 4 of 13
    ppietrappietra Posts: 247member
    If they end up saying that Apple is violating then basically that means that all apps need to get consent for any tracking they do inside themselves, which means that ATT is not doing enough since it only asks about tracking with third parties!
    That would also beg the question of why haven’t the French authorities investigated this kind of things before since it is so flagrant that millions of apps actually read data from user devices in order to track! It has been on the news thousands of times.

    But still we have to question why does Apple put itself in this place. It would have been so easy for them to avoid this kid of attack (one question during setup)... it is not like they need any kind of tracking in order to make enough money.
    Skeptical
  • Reply 5 of 13
    I like the concept of GDPR. It's just a pity that all these websites that force you to say "Okay" to cookies are considered GDPR-compliant. 
    elijahgwatto_cobra
  • Reply 6 of 13
    crowleycrowley Posts: 7,638member
    I seem to be getting a lot more notifications and banners in Settings.app advertising Apple's service to me recently.  Not a fan.  Especially not a fan of how Music.app feels severely compromised if you don't subscribe to Apple Music.
    elijahg
  • Reply 7 of 13
    gatorguygatorguy Posts: 22,828member
    Wouldn't the simple solution be asking users for permission anyway, whether Apple might rather argue they don't need to? What's the harm in asking the device owner if it's OK?  I doubt they'd be the first or last company to play it safe and get permission from a visitor or member even if it's not entirely clear they need to. 
    edited March 24
  • Reply 8 of 13
    omasouomasou Posts: 133member
    Apple has a documented policy... https://www.apple.com/legal/privacy/en-ww/governance/

    What I do not remember is when/where I provided consent? Is it when I install the OS, probably?

    What is not readily apparent, is how I request my data or request to be forgotten, those provisions are part of GDPR.

    Like others have said, regulations attempting to protect consumers are nice but the implementation is awfully annoying. I cannot visit a web site, without replying 2-3 alerts popping up, cookie policy, email sign up, etc.
    edited March 24 watto_cobra
  • Reply 9 of 13
    lkrupplkrupp Posts: 9,010member
    macseeker said:
    I think Apple's move in general complies with the European GDPR laws.  Seems like France has their head in a dark place and loving the smell.

    Please tell me if I'm wrong.
    It’s the French. What can I say?
  • Reply 10 of 13
    lkrupplkrupp Posts: 9,010member

    gatorguy said:
    Wouldn't the simple solution being asking users for permission anyway, whether Apple might rather argue they don't need to? What's the harm in asking the device owner if it's OK?  I doubt they'd be the first or last company to play it safe and get permission from a visitor or member even if it's not entirely clear they need to. 
    Well, Google collects customer data whether the the customer wants to or not. Of course you will reply that Google is the Virgin Mary Immaculate as far as privacy is concerned, right?
    watto_cobra
  • Reply 11 of 13
    macseekermacseeker Posts: 504member
    Thank you Reroll, Nadriel, and LKrupp.
  • Reply 12 of 13
    elijahgelijahg Posts: 2,076member
    crowley said:
    I seem to be getting a lot more notifications and banners in Settings.app advertising Apple's service to me recently.  Not a fan.  Especially not a fan of how Music.app feels severely compromised if you don't subscribe to Apple Music.

    It really narks me that Apple uses the News app for which I pay for Apple News+ to advertise crap at me. News+ should remove ads. Just more ways to sate Cook's insatiable desire for profit profit profit above all else.
    edited March 24
  • Reply 13 of 13
    elijahgelijahg Posts: 2,076member
    This appears to be very similar to the hypocrisy around Apple forcing third party devs to have the privacy nutrition labels, whilst not displaying any themselves. Which was staunchly defended here by the usual, then Apple fixed it and there was much egg on face.
    muthuk_vanalingam
Sign In or Register to comment.