Saturday, May 18, 2024

France fines Apple over App Store ad targeting ePrivacy breach • TechCrunch

A rare privacy penalty for Apple: France’s data protection watchdog, the CNIL, has announced it imposed a sanction of €8 million (~$8.5M) on the iPhone maker for not obtaining local mobile users’ consent prior to placing (and/or reading) ad identifiers on their devices in breach of local data protection law.

The sanction decision was issued on December 29 but only made public yesterday (the text of the decision is available here in French).

The CNIL is acting under the European Union’s ePrivacy Directive — which allows for Member State level data protection authorities to take action over local complaints about breaches, rather than requiring they be referred to a lead data supervisor in the country where the company in question has its main EU establishment (as happens with the EU’s newer General Data Protection Regulation, or GDPR).

While the size of this ePrivacy fine isn’t going to cause any sleepless nights in Cupertino, Apple leverages claims of peerless user privacy to polish its premium brand — and differentiate iPhones from cheaper hardware running Google’s Android platform — so any dent in its reputation for protecting user data should sting.

The CNIL says it was acting on a complaint against Apple for showing personalized ads on its App Store. The action relates to an older version (14.6) of the iPhone operating system, under which — after the watchdog investigated in 2021 and 2022 — it found the tech giant had not obtained prior consent from users to process their data for targeted advertising that was served when a user visited Apple’s App Store.

CNIL found that v14.6 of iOS automatically read identifiers on the user’s iPhone — which served a number of purposes, including powering personalized ads on the App Store — and that processing occurred without Apple obtaining proper consent, in the regulator’s view, as consent was being gathered via a setting that was pre-checked by default. (NB: 2019 CNIL guidance on the ePrivacy Directive stipulates that consent is necessary for ad tracking.)

From the CNIL’s press release [translated from French with machine translation]:

Due to their advertising purpose, these identifiers are not strictly necessary for the provision of the service (the App Store). Consequently, they must not be able to be read and/or deposited without the user having expressed his prior consent. However, in practice, the ad targeting settings available from the iPhone’s ‘Settings’ icon were pre-checked by default.

In addition, the user had to perform a large number of actions to successfully deactivate this parameter since this possibility was not integrated into the initialization process of the telephone. The user had to click on the ‘Settings’ icon of the iPhone, then go to the ‘Privacy’ menu and finally to the section entitled ‘Apple Advertising’. These elements did not make it possible to collect the prior consent of users.

The CNIL said the level of fine reflects the scope of the processing (which it notes was limited to the App Store); the number of French users affected; and the profits Apple derives from ad revenue indirectly generated from the data collected by the identifiers — as well as the regulator factoring in Apple having since brought itself into compliance.

Apple was contacted for comment on the CNIL sanction. A company spokesman confirmed it plans to appeal — sending us this statement:

We are disappointed with this decision given the CNIL has previously recognized that how we serve search ads in the App Store prioritizes user privacy, and we will appeal. Apple Search Ads goes further than any other digital advertising platform we are aware of by providing users with a clear choice as to whether or not they would like personalized ads. Additionally, Apple Search Ads never tracks users across 3rd party apps and websites, and only uses first-party data to personalize ads. We believe privacy is a fundamental human right and a user should always get to decide whether to share their data and with whom.

It’s not the first time Apple has faced critical scrutiny over privacy double standards. Back in 2020, European privacy rights campaign group noyb filed a series of complaints with EU data protection watchdogs about an Identifier for Advertisers (aka IDFA) baked into the iPhone by default by Apple, arguing the existence of the IDFA was a similar breach of the prior consent to tracking principle.

The company has also been accused of privacy hypocrisy in recent years over its different treatment vis-a-vis the tracking of iPhone users’ app activity to serve its own ‘personalized ads’ vs a recently introduced requirement that third party apps obtain consent from users — after it introduced the App Tracking Transparency feature (aka ATT) to iOS back in 2021.

Apple has continued to dispute these lines of arguments — claiming it complies with local privacy laws and offers a higher level of privacy and data protection for iOS users than rival platforms.

France, meanwhile, has been very active in enforcing breaches of ePrivacy against tech giants in recent years, with another example just last month when it hit Microsoft with a €60 million penalty over dark pattern design in relation to cookie tracking — after finding the company had not offered a mechanism for users to refuse cookies that was as easy as the button it presented to them for accepting cookies.

Amazon, Google and Meta (Facebook) have also all been hit with CNIL sanctions for cookie-related breaches since 2020. And last year Google went on to update its cookie consent pop-up across the EU to (finally) offer a simple ‘accept all’ or ‘refuse all’ option at the top level.

tl;dr: Regulatory enforcement of privacy works.

The steady flow of enforcements and corrections that the CNIL’s interventions have been able to achieve for users in France via ePrivacy — a much older EU directive than the GDPR — has cast further critical light on the operation of the latter flagship privacy regulation where scrutiny and enforcement on tech giants continues to be bogged down by forum shopping, associated procedural bottlenecks and resourcing issues, as well as by disputes between regulators over how to settle these cross-border cases.

But while a GDPR complaint against a tech giant can take years, plural, to get enforced — such as the ~4.8 years it took to finalize ‘forced consent’ complaints against two Meta properties, Facebook and Instagram, and still with likely years of appeals of that decision ahead (and with other even longer-standing complaints still inching painstakingly toward a final decision) — the difference between an EU directive and a regulation means that GDPR enforcement is pan-EU by default, rather than being localized to the jurisdiction of the enforcing DPA. With ePrivacy, by contrast, any wider compliance rollouts are at the discretion of a sanctioned entity — so the impact for users may be more localized.

Additionally, any (eventual) GDPR penalties may also be more substantial than ePrivacy stings — with the GDPR allowing for fines of up to 4% of global annual turnover, while ePrivacy is stuck with an older regime that leaves it up to Member States to set “effective, proportionate and dissuasive” penalties. (Ergo, user rights here are tethered to local politics.)

Although corrective orders can have far more bite for big tech than financial sanctions given how much revenue these giants pull in — as even fines that run to hundreds of millions or more may be written off as just a cost of doing business. Whereas orders to change practices to comply with privacy laws can force meaningful reforms.

It’s worth noting that the EU has been attempting — for years — to replace the now more-than-two-decades-old ePrivacy Directive with an updated ePrivacy Regulation. However, big tech lobbying and lawmaker disputes over a 2017 Commission proposal have conspired to stall the file for most of this period.

Member States did, at long last, agree a common negotiating position in February 2021 — finally enabling trilogue negotiations to kick off. But debates between the EU’s co-legislators over big and small details continue — and it’s not clear when (or even if) a consensus can be hashed out.

And that means the veteran ePrivacy Directive may still have years more working life — and millions more in big tech fines — ahead of it.
