The Commission Nationale de l’Informatique et des Libertés (CNIL), France’s Data Protection Agency, has imposed fines of €3 million on the company Voodoo, a video game developer and publisher, for using an identifier for advertising in its apps without the user’s consent. It has also levied an administrative penalty of €8 million on Apple Distribution International because it did not collect the consent of French iPhone users before depositing and/or writing identifiers used for advertising purposes.
The CNIL is an independent administrative authority in France, composed of 18 members made up of four parliamentarians, two members of the Economic, Social and Environmental Council, six representatives of high courts, five qualified persons, and the President of the Commission for Access to Administrative Documents (CADA). CNIL employees are contractual employees of the State.
How app identifiers work
Before we talk about the fines, it is important to know the distinction between the ID for Advertisers (IDFA) and ID for Vendors (IDFV) identifiers. The IDFA is a unique identifier at the device level and is used to identify that device. Every app on the device can access the IDFA, but only if the mobile device user has consented. The IDFA sits within Apple’s App Tracking Transparency (ATT) framework, designed to give Apple users more control over their data.
The IDFV is a unique identifier at the vendor level, not the device level. Each mobile app developer, such as Voodoo, has an IDFV that is the same across all the apps it publishes via the App Store on that device.
In short, the IDFA is unique at the device level, whereas the IDFV is unique at the app developer level.
CNIL investigations and fines of Voodoo and Apple
Voodoo is a hyper-casual mobile gaming company that publishes mobile games, including Helix Jump, Baseball Boy, Snake vs Block, Hole.io, and Aquapark.io, to name a few. Voodoo was fined by the CNIL for using the IDFV in its mobile apps for advertising purposes without consumers’ consent, even after the user had refused to consent to Voodoo using the IDFA for advertising targeting.
During its investigations, the CNIL found that when a user refused consent for the IDFA to be used for advertising tracking, Voodoo read the IDFV and processed the information linked to browsing habits for advertising purposes. The CNIL concluded that access to the IDFV for advertising purposes requires consent, and that the failure to obtain permission to use the IDFV for advertising purposes was a breach of Article 82 of the French Data Protection Act (FDPA).
The official statement on cnil.fr concerning Voodoo.io app consent breaches reads:
“From August 2021 to July 2022, the CNIL carried out several investigations on voodoo.io and on different mobile applications published by the company VOODOO, such as the game Helix Jump. Investigations were only carried out within the framework of the downloading and operation of the applications on an iPhone (APPLE), with the iOS operating system. When a publisher offers an application on the App Store, APPLE provides it with a technical identifier “Identifier For Vendors” (or IDFV), allowing this publisher to track the use that is made of its applications by the users. An IDFV is assigned to every user and is identical for all the applications distributed by one publisher, and therefore, in this case, for all the Voodoo applications. By combining other information from the smartphone, the IDFV allows to track people’s browsing habits, including the categories of games they opt for, in order to personalize the ads seen by each of them”.
During a similar time period, the CNIL also issued a fine to Apple Distribution International. The fine was the culmination of investigations that took place during 2021 and 2022, which were launched after a complaint about ad personalization was received.
The CNIL found that identifiers used for several purposes, including ad personalization, were by default read automatically on the terminal without mobile device users consenting to their use.
The CNIL France statement on the fine to Apple Distribution International reads:
“Due to their advertising purpose, these identifiers are not strictly necessary for the provision of the service (the App Store). Therefore, they must not be read and/or deposited without the user’s prior consent. However, in practice, the advertising targeting settings available from the “Settings” icon of the iPhone were pre-checked by default. Moreover, the user had to perform a large number of actions in order to deactivate this setting, since this option was not included in the initialization process of the phone. Therefore, the user had to click on the “Settings” icon of the iPhone, then go to the “Privacy” menu, and finally to the section entitled “Apple advertising”. These elements did not allow to collect the prior consent of users. Consequently, the restricted committee, the CNIL’s body responsible for issuing sanctions, found a breach of Article 82 of the French Data Protection Act and imposed a fine of 8 million euros on APPLE DISTRIBUTION INTERNATIONAL, which was made public.”
Increasing enforcement and consent management for apps
The number of fines relating to app consent breaches has risen sharply in recent years, so ensuring that your app is fully compliant with relevant regulations is imperative. However, achieving privacy compliance for your mobile app need not be a headache. A Consent Management Platform (CMP), such as the one offered by Usercentrics, can help you to manage the processes of obtaining, managing, and optimizing mobile app consent.
Legal Disclaimer: Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.