Advertising purposes and non-compliance of consent or how Apple is fined by the CNIL

From user profiling to targeted advertising: the real consent issue raised by the CNIL

The dream of every advertiser is to be able to "profile" its customers/users without constraint and without limit, in the physical or digital world. The digital space offers the possibility to track almost everything, such as the number of clicks, the time spent on a screen, the location of the Internet user, his consumption behavior (compulsive or reasoned...). Fortunately for consumers, the data protection control authorities watch over, monitor and sanction when a violation of the law is proven.

In this case, the background is outlined in the CNIL's summary article on this sanction:  Following a complaint about the personalization processing of advertisements displayed in the App Store, the CNIL conducted several inspections in 2021 and 2022 to verify compliance with the applicable regulations.

The CNIL services found that under the old version 14.6 of the iPhone operating system, when a user visited the App Store, identifiers for several purposes, including the personalization of advertisements displayed on the App Store, were by default automatically read on the terminal without consent.

On December 29, 2022, the CNIL's restricted panel fined APPLE DISTRIBUTION INTERNATIONAL 8 million euros for failing to obtain the consent of French iPhone users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals.

In this short extract from the CNIL article, we can see that two concepts are at stake: (i) that of the advertising purpose and especially (ii) that of consent. 

The notion of "user design" can be added to the design of the operating system's default settings. The Apple case provides a very operational illustration of how to apply this legal principle of privacy by design.

Let's start with the definition of the advertising purpose and the issue of its effectiveness before explaining how to articulate it with the consent of the person concerned (often the prospect or the consumer).

Targeted (or personalized) advertising is an advertising technique that aims to identify people individually in order to deliver specific advertising messages based on individual characteristics. In order to carry out targeted advertising, it is therefore necessary to know the person viewing the advertisement and to have information about him or her in order to choose advertising content that is more likely to make him or her interact, for example concerning one of his or her supposed interests or a purchase intention. For this purpose, advertising companies create "profiles" that are associated with users. On the Internet, this information on the interests of the person is often obtained via trackers such as cookies or is purchased from third parties. Because it is impossible to process all this information manually, targeted advertising is almost exclusively programmatic. Programmatic advertising makes it possible to plan the automatic purchase of inventory elements according to predefined criteria (price, audience characteristics, geolocation, etc.). 

To be effective, this advertising requires a large volume of personal data in order to offer extreme personalization. Each individual has ads specially chosen and developed for him. This massive collection allows to profile a person very precisely (preferences and tastes of the moment thanks to the content consulted online, lifestyle, socio-cultural level...). These profiles are built by many actors who accumulate personal data over time and this paints a more or less complete picture of a personality. It is possible to reveal information that you would not want to disclose (e.g. your health status thanks to your search history on the internet and the identification of elements of your connected bracelet which gives constants).

The data has value, the ethical information and the consent of the user too!

Obviously, the more complete a profile is, the more it will be valued and become a financial windfall for the reselling company (you wonder how much your personal data costs?

DrData has evaluated it thanks to its Simulator!). It is therefore in the interest of these personal data sales organizations to collect as much information as possible about a person and thus to deposit as many traces as possible on the tools (computer, smartphone, connected object) of the person concerned.

However, the person concerned does not always have the information about this collection, which can be carried out without his or her knowledge. This is the second element that will be illustrated here, the expression of the person's choice obtained with his/her consent. Article 82 of the French Data Protection Act, which transposes one of the measures of the ePrivacy Directive, states that: "Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless previously informed, by the controller or its representative:

• Of the purpose of any action tending to access, by way of electronic transmission, information already stored in his electronic communications terminal equipment, or to write information in this equipment;

• Of the means available to him to oppose it.

Such access or recording may only take place if the subscriber or user has expressed, after having received this information, his consent, which may result from appropriate settings of his connection device or any other device under his control."

In order to complete this provision of Article 82, it is necessary to specify the conditions for proper consent.

Consent is valid if and only if it is : 

• Free (without coercion for the person);

• Informed (the person is informed of the purposes for which the consent was obtained);

• Unambiguous (has a single meaning, is not ambiguous);

• Specific (for a precise purpose of treatment and not a multitude of purposes)

It is this consent that will authorize the deposit of tracking devices and the collection of data from the person concerned. In the Apple case, the company did not collect this consent. The deposit of the identifier used for advertising purposes on the terminals of Apple customers was done illegally. In addition, in the settings of the iPhone, the settings for targeting advertising were pre-checked by default without being presented during the initialization of the phone. The user had to perform a large number of actions before finally being able to deactivate this feature.

This operation obviously does not allow for prior consent from the user. It is also not in line with the principle of Privacy by Design, i.e. protection of privacy by design imposed by GDPR. Of course, this regulation does not apply in this case, but the Apple case is a shining example of what not to do! Apple should propose to its customers a box unchecked by default for the deposit of advertising identifiers.

What does the European Data Protection Board say ?

This complaint against Apple concerned France, but the case is not isolated in the European Union.

The European control authorities are working together on the subject of cookies and advertising banners. Several hundred complaints about the design and the characteristics of the cookie banners were brought by the association NOYB.

On January 17, 2023, the European Data Protection Board (EDPS), composed of the European supervisory authorities, adopted a report from the working group formed in response to these complaints.  The report indicates that the vast majority of authorities consider that the absence of any option to refuse or reject cookies at the same level as the option to accept their deposit constitutes a breach of the legislation (Article 5(3) of the ePrivacy Directive). Regarding the design of the banners, the authorities concluded that the information provided must allow Internet users to understand what they are consenting to and how to express their choice.

On the other hand, the authorities considered that it was not possible to impose a standard cookie design on all websites. A case-by-case examination is still required in order to finalize the investigation of the complaints referred to the European authorities.