French privacy watchdog to Voodoo Games: use of the IDFV requires consent

Last week, France’s privacy regulator, the CNIL, announced that it has fined Voodoo, the French developer of hypercasual games, €3MM for violating the French Data Protection Act. The basis for the CNIL’s sanction is Voodoo’s use of the IDFV, or ID for Vendors, on iOS without user consent. From the CNIL’s press release about the decision:

During its investigations, the CNIL however observed that when a user refuses the advertising tracking, the company VOODOO reads the technical identifier associated to this user (IDFV) anyway and still processes the information linked to the browsing habits for advertising purposes, therefore without consent and in contradiction with what it indicates in the information screen it displays…The use of the IDFV for advertising purposes without the user’s consent constitutes a breach of Article 82 of the French Data Protection Act.

Regular readers of this blog are likely familiar with the IDFV and how it differs from the IDFA, which is regulated by Apple’s App Tracking Transparency (ATT) privacy policy and restricted when users opt out of the ATT prompt. As a quick primer:

  • The IDFA, or ID for Advertisers, is a unique identifier for the device. An app’s access to the IDFA is moderated by ATT: if a user opts out of the ATT prompt, or if an app does not expose the ATT prompt, then the ATT is represented by a string of 0s (known as IDFA zeroing, which was introduced with the Limit Ad Tracking feature back in iOS 10). For apps that have received ATT opt-in, the IDFA is available, and it is universal to all apps; every app sees the same IDFA. More background on how the IDFA is used to facilitate digital advertising targeting can be found here and here.
  • The IDFV, or ID for Vendors, is a device identifier that is unique across a publisher’s apps. Put another way: the IDFV is unique to a device for every app published by a given publisher, but IDFVs differ across publishers. Publisher A would see the same IDFV for a specific device across all of its apps, but the IDFV would be different for the same device in a different publisher’s apps. The IDFV is available within all apps, regardless of ATT opt-in status.

The diagram below illustrates the availability of the IDFA and IDFV across different publishers and ATT opt-in statuses:

The IDFV can be thought of as a first-party identifier: given that it is unique for a specific device for a given publisher, its primary use case is publisher-level analytics, publisher-level cross-promotional advertising targeting, and things like advertising frequency capping and general rate limiting. The IDFV was not designed for use in cross-publisher ads targeting, and it’s difficult to fathom how it could be used for that purpose (although I’m sure an inventive ad tech product manager could make a compelling case for how it’s possible). It’s important to note here that, because it is a first-party identifier that is mostly inscrutable or useless outside of a publisher’s own data environment, Apple leaves the IDFV available to apps even when a user has opted out of the ATT prompt.

The CNIL asserts in its decision that, irrespective of the intended use case, access to the IDFV requires consent under the French Data Protection Act. The CNIL’s English-language press release on this case is sparse and mostly bereft of helpful insight, but its French-language deliberation provides useful clarity on the decision. The below passages are copied from the machine-translated deliberation (all emphasis is mine).

On the need for consent to access data from a user’s device under the French Data Protection Act:

32. Firstly, the Restricted Committee recalls that Article 82 of the Data Protection Act requires consent to operations for reading and writing information in a user’s terminal but provides for specific cases in which certain tracers benefit from an exemption to consent: either when the sole purpose of this consent is to allow or facilitate communication by electronic means, or when it is strictly necessary for the provision of an online communication service at the express request of the user.

On why the use case facilitated by the IDFV is not exempted from consent under the French Data Protection Act:

34. The Restricted Committee notes that this operation is therefore not intended to allow or facilitate communication by electronic means and is not strictly necessary for the provision of an online communication service at the express request of the ‘user. Therefore, such an IDFV reading operation does not fall under any of the exceptions defined in article 82 of the “Informatique et Libertés” law and cannot be carried out on the person’s terminal without prior consent.

On why Voodoo’s use of the IDFV constitutes “tracking,” and why the CNIL deems this use to be particularly egregious in cases of ATT opt-out:

35. The Restricted Committee considers that, even though the IDFV does not allow [tracking] as extensive as that made possible by the IDFA, the fact remains that, as appears from the documents in the file and from the writings of the company and in particular of the window it presents to the user, that this identifier makes it possible to follow the activity of the user within the applications published by VOODOO for advertising purposes and without the prior agreement of the interested parties. The Restricted Committee also notes that by refusing the “ATT solicitation”, the user has already clarified his desire that his activity not be monitored by any actor whatsoever.

A concise and clear determination that access to the IDFV requires consent:

37. In view of the foregoing, the Restricted Committee considers that by using the IDFV identifier, for advertising purposes without the user’s consent, the company VOODOO disregards the obligations of article 82 of the Data Protection Act.

At first blush, this case may seem similar to the recent ruling by the European Data Protection Board, implemented by the Irish DPC, regarding Meta’s use of first-party data for the purposes of advertising targeting, which I cover here. While these cases are conceptually similar, they are litigated by different mechanisms: the Meta case relates to a determined violation of GDPR, and the Irish DPC is the regulator in question because the GDPR’s one-stop-shop mechanism offers companies that operate in the EU the use of a single regulatory touchpoint, which is the Data Protection Authority (DPA) for the member state in which the company’s EU headquarters is domiciled. Many non-European technology companies host EU headquarters in Ireland because of that country’s business-friendly taxation and regulatory regime, and so the Irish DPC is the privacy regulator for these companies in cases of GDPR compliance.

But Voodoo is being sanctioned in this case by the French privacy regulator under French law and not the GDPR. The CNIL determines that Voodoo violated the French Data Protection Act — specifically, Article 86, which is an implementation of the EU’s ePrivacy Directive, which is often referred to as the EU Cookie Law because it precipitated the widespread use of cookie consent pop-ups after it was passed. An EU directive differs from an EU regulation in that a directive does not impose EU-wide legal prescriptions but rather establishes objectives that EU member states are responsible for implementing into national law. Article 86 of the French Data Protection Act transposes Article 5(3) of the ePrivacy Directive, which, per the quote from the deliberation above, “requires consent to operations for reading and writing information in a user’s terminal.”

Highlighting this distinction is important because the French CNIL outlines in its strategic plan for 2022-2024 that the “collection of personal data in smartphone applications” is a particular priority for the agency. This is relevant because Voodoo is not the first company that the CNIL has sanctioned on this basis recently; on December 29th, 2022, the CNIL determined that Apple’s use of proprietary device identifiers for the purpose of personalized advertising through its Apple Search Ads platform violated Article 82 of the French Data Protection Act, and the CNIL issued Apple with an €8MM fine as a result. Apple argued that the pertinent legislation under which the case should be considered was not the French Data Protection Act but rather the GDPR, and therefore its privacy regulator, the Irish DPC, should be the authority to examine the alleged wrongdoing. The French court, the Conseil d’Etat, determined — based on previous decisions by the Court of Justice of the European Union (CJEU) — that French law was applicable because Apple operates two subsidiaries in France — Apple France and Apple Retail France — and because relevant processing took place in France:

Every iPhone sold in France contained the App Store, which came with the companies identifiers. Therefore, the establishment Apple Retail France helped data subjects owning an iPhone accessing the App store and carry out searches, which would result in these data subjects being personalized by the identifiers. With regard to the other subsidiary/establishment, Apple France, the DPA noted that it employed ‘search ads specialists’, who assisted app-developers with their ad campaigns. Therefore, the DPA concluded that there was a clear link between the activities of Apple’s subsidiaries and the reading/writing operations regarding the identifiers used by Apple.

There are important implications from this case. The CNIL asserts its authority by drawing a very clear distinction between the remit of the French Data Protection Act and the GDPR (emphasis mine):

59. The restricted formation points out, first of all, that a distinction must be made, on the one hand, between reading and writing operations on a terminal, which are governed by the provision of Article 82 of the Data Protection Act and for which the French legislature has entrusted the CNIL with a monitoring task and in particular the power to penalise and infringement of that article and, on the other hand, the subsequent use of the data produced or collected via these operations, which is governed by the GDPR and may, therefore, if necessary, be subject to the “one-stop shop” system.

This highlights important realities of the privacy environment in Europe that should be acknowledged by advertisers and ad platforms alike.

First: ATT is a platform policy, not a legal framework, and compliance with ATT does not necessarily entail compliance with all relevant privacy legislation. In this case, while Voodoo was compliant with ATT, the CNIL determined that Voodoo’s data access practices were not compliant with the French Data Protection Act — specifically, the Article transposed from the ePrivacy directive.

Second: GDPR is not the only relevant legal framework with which data practices must comply. The CNIL makes clear that it deems “reading and writing operations on a terminal” to be under the remit of the French Data Protection Act.

And third: recent determinations within the scope of both the GDPR and the ePrivacy directive seem to point to consent as the only valid legal basis for collecting and processing data — even first-party data — for the purposes of advertising targeting. The GDPR provides six legal bases for processing user data; the European Data Protection Board deemed a contractual basis through Meta’s terms of service to be invalid for processing first-party data for ads targeting in its recent decision. While some believe that the legitimate interest basis can be used for this purpose, obviating the need to collect consent, I remain skeptical, given that TikTok abandoned plans to use the legitimate interest basis for that purpose after consulting with its privacy regulator, the Irish DPC.

My sense is that consent will ultimately be the only basis through which consumer data, even when collected in a first-party context, can be collected and processed for advertising targeting in the EU. And note that in both the Meta case (GDPR) and the Voodoo case (French Data Protection Act / ePrivacy Directive), advertising personalization was not deemed to be necessary or essential to the functioning of the product.