French Data Protection Authority CNIL fines Voodoo and Apple Distribution International millions for app consent violations

The Commission Nationale de l’Informatique et des Libertés (CNIL), France’s Data Protection Agency, has imposed fines of € 3 million on the company Voodoo, a video game developer and publisher, for using an identifier for advertising in their apps without the user’s consent. They have also levied an administrative penalty of € 8 million to Apple Distribution International because it did not collect the consent of iPhone’s French users before depositing and/or writing identifiers used for advertising purposes.

The CNIL is an independent administrative authority in France, composed of 18 members made up of four parliamentarians, two members of the Economic, Social and Environmental Council, six representatives of high courts, five qualified persons, and the President of the Commission for Access to Administrative Documents (CADA). CNIL employees are contractual employees of the State.

Before we talk about the fines, it is important to know the distinction between the ID for Advertisers (IDFA) and ID for Vendors (IDFV) identifiers. The IDFA is a unique identifier at the device level and is used to identify that device. Every app on the device has access to the IDFA, but only if they have consenting mobile device users. The IDFA sits within Apple’s App Tracking Transparency (ATT) framework, designed to give Apple users more control over their data.

The IDFV is a unique identifier at the vendor level, not the device level. So each mobile app developer, such as Voodoo, has an IDFV that is the same identifier across all the apps that they publish via the App Store on that device.

In short, the IDFA is unique at the device level, whereas the IDFV is unique at the app developer level.

Voodoo is a hyper-casual mobile gaming company that publishes mobile games, including Helix Jump, Baseball Boy, Snake vs Block, Hole.io, and Aquapark.io to name a few. Voodoo was fined by the CNIL for using the IDFV in their mobile apps for advertising purposes and without consumers’ consent, and after the user had refused to consent for Voodoo to use the IDFA for advertising targeting.

During its investigations, the CNIL found that when a user refused consent for the IDFA to be used for advertising tracking, Voodoo read the IDFV and processed the information linked to browsing habits for advertising purposes. The CNIL concluded that access to the IDFV for advertising purposes requires consent, and failure to obtain permission to use the IDFV for advertising purposes was in breach of article 82 (in French) of the French Data Protection Act (FDPA).

The official statement on cnil.fr concerning Voodoo.io app consent breaches reads:

During a similar time period, the CNIL also issued a fine to Apple Distribution International. The fine was the culmination of investigations that took place during 2021 and 2022, which were launched after a complaint about ad personalization was received.

The CNIL found that the identifiers that are used for several purposes, including ad personalization, were by default automatically read on the terminal without mobile device users consenting to their use.

The CNIL France statement on the fine to Apple Distribution International reads:

The number of fines relating to app consent breaches has risen sharply in recent years, so ensuring that your app is fully compliant with relevant regulations is imperative. However, achieving privacy compliance for your mobile app need not be a headache. A Consent Management Platform (CMP), such as the one offered by Usercentrics, can help you to manage the processes of obtaining, managing, and optimizing mobile app consent.

Do you have questions? Talk to one of our experts. We’re here to help.

Legal Disclaimer: Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.