Earlier this month, Apple was fined €8MM by CNIL, the French privacy watchdog, for reading iOS device identifiers without consent for the purposes of ads personalization.
While the CNIL’s press release on the matter is meager, the text of the decision (machine translated from French) contains a great deal of fascinating detail about how Apple targets ads. In iOS 14.6, the “Ads Personalization” settings were activated by default, allowing Apple to personalize ads with its Apple Search Ads platform upon device activation (and requiring the user to navigate through device Settings to disable this functionality). The CNIL’s decision provides clarifying insights into how Apple places users into advertising segments and the mechanics it uses to facilitate ad targeting. From the decision:
41. The first step is relative to data collection : when creating an Apple user account (currently called “Apple Id”), a technical identifier named “directory services identifier” (hereinafter “DSID”) is assigned to each account user. The DSID is created on the servers of the company. It is notably used to access iCloud and its content, information and services associated with the Apple user account.
42. During his navigation on the App Store, the trace of the activity of using it), as well as the information he has entered in his Apple ID account (i.e. the year of birth, the user’s gender and location), are collected and associated with this DSID on Apple’s “Apple Media Platforms” (hereinafter “AMP”) servers.
43. If the setting relating to the receipt of targeted advertising in the App Store is activated, this data is used to determine the segments that a user will be affected and, therefore, the advertisements that they will receive. A “segment” is a group of at least 5,000 users who share similar characteristics and whose setting for receiving targeted advertising in the App Store is active in iPhone settings.
44. The second step relates to the creation of identifiers specific to the personalization of ads aimed at promoting applications on the App Store : in order to prevent the distribution and measurement of advertising content from involving the use of identify DSID, the user’s device will generate locally on the user’s terminal two other identifiers:
- on the one hand, the “device pack identifier” (hereinafter the “DPID”) which is synchronized via iCloud in order to ensure that all the devices of the same user have the same DPID;
- on the other hand the iADID which is specific to each device and does not require synchronization via iCloud.
45. Finally, the third step relates to the display of personalized ads on the user’s terminal: when the user searches for an application in the App Store, his device sends an advertising request to the servers “Ad Platforms” containing the word sought, the DPID, the iADID and the identifiers relating to the segments concerning it, so that they determine the targeted advertising to be broadcast as a priority (all of these elements being available locally on the terminal, the process makes it possible to avoid that the “Ad Platforms” servers can identify the Apple account associated with each request). The iADID can also be used to count the number of “advertising impressions”.
- Apple generates a DSID for a user when they create an Apple account;
- App Store behavioral (usage) data as well user characteristics such as location, gender, and year of birth are are associated with the user’s DSID;
- This profile attached to the DSID is used to place a user into advertising segments, which are groups of no less than 5,000 users that can be targeted by some theme or topic (more here);
- A DPID (used for device synchronization) and iADID (used for advertising targeting) are generated and stored on the user’s device;
- When an advertising impression becomes available to the user, the device sends the search term, the DPID, the iADID, and segment information to the ad server in order to request a viable ads payload.
The CNIL argues that, absent consent, the workflow above is in breach of Article 82 of the French Data Protection Act, which is transposed from the ePrivacy Directive and “requires consent to the operations of reading and writing information in a user’s terminal” except in specific circumstances (namely: necessity). The CNIL determines that ads personalization is not necessary to fulfill the obligations of the App Store, and that reading these identifiers for the purposes of advertising targeting without having been given explicit consent to do so from users violates French law.
A few aspects of this situation deserve emphasis.
The first is that Apple rejected the territorial jurisdication of the CNIL in this case. Apple claimed that the GDPR should apply and therefore the GDPR’s one-stop-shop clause should require that the matter be interrogated by Apple’s relevant EU DPA, which is the Irish DPC, since Apple’s EU entity is domiciled in Ireland. Apple noted that the client-server relationship described above is managed by servers operated by Apple Distribution International, LTD, and are located in Ireland. The CNIL countered that it did have jurisdiction on the matter under French law because Apple operates two subsidiaries in France, Apple Retail France and Apple France, and that previous CJEU judgments supported this claim to jurisdiction. From the complaint:
67. In relation to the existence of an establishment responsible for treatment on the French territory, the Court of Justice of the European Union (CJEU) has, in its judgment Weltimmo, of October 1, 2015, specified that “the notion of” establishment “, within the meaning of Directive 95/46, extends to any real and effective activity, even minimal, exercised by means of a stable installation”, the criterion of stability of the installation being examined with regard to the presence of “human and technical resources necessary for the provision of the specific services in question”. The CJEU considers that a company, an autonomous legal person, from the same group as the controller, can constitute an establishment of the controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C-131/12, ch. 48).
68. In this case, the Restricted Committee notes that the companies APPLE RETAIL FRANCE and APPLE FRANCE are both subsidiaries of the company APPLE INC and have stable premises located in France. It also notes that APPLE FRANCE employs around […] people. Consequently, the companies APPLE RETAIL FRANCE and APPLE FRANCE each constitute an establishment of the company ADI within the meaning of article 3 of the aforementioned Data Protection Act.
A second noteworthy aspect of this case is that Apple pointed out that it had introduced a prompt to collect explicit consent for ads personalization with iOS 15, which was the prevailing version of the operating system available at the time the case was being litigated. The CNIL countered that its investigation took place when iOS 14.6 was live. It’s unclear whether Apple would have changed course with its default-on policy for ads personalization or introduced its “Personalized Ads” consent prompt absent regulatory scrutiny.
And finally, consider that the CNIL determines Apple’s practices to be at odds with French law and the ePrivacy Directive despite the fact that the iADID is generated on-device, it is only used in a first-party setting (ie. not transmitted to any third parties), and it is disassociated from any other identifier or aggregated personal information. From the judgment:
The Restricted Committee recalls once again that the only action tending to access information already stored in the user’s terminal equipment located in France entails the application of Article 82 of the Data Protection Act…In other words, the Restricted Committee considers that the fact of implementing other measures to protect privacy from the design stage does not make it possible to circumvent the rule set by Article 82 of the Data Protection Act.
The CNIL makes clear that the act of reading information from the user’s terminal (in this case, iOS device) requires either consent or necessity under French law and the ePrivacy Directive. And given this sanction as well as its recent sanction against Voodoo Games, the CNIL seemingly doesn’t accept ads personalization as a necessary function of consumer-facing apps.