By Robert Bateman
Apple Inc. faces an investigation by the French privacy regulator after a coalition of French startups alleged that the company was violating EU data-protection law.
France Digitale, an advocacy group comprising nearly 2,000 French businesses, contend that Apple tracked user behavior on iPhones and iPads by default, violating EU privacy laws, including the General Data Protection Regulation (GDPR), which took effect in 2018.
Apple officials retorted that the group’s allegations, filed in a March 8 complaint to the Commission Nationale de l’informatique et des Libertés (CNIL), as “patently false.”
Last June, Apple announced new privacy features for its iOS 14 operating system. Third-party app developers would be required to obtain user consent before tracking their activity.
“Apple is not playing by the rules.”Nicolas Brien, France Digitale.
The changes, initially slated for late last year, are to take effect this spring, according to guidance on Apple’s website.
In the complaint, seen by Digital Privacy News, France Digitale alleged that Apple did not intend to apply its new privacy standards to its own first-party tracking of users.
The group claimed that Apple’s tracking would continue to be enabled by default unless users opted out via their phone settings.
France Digitale accused Apple of violating multiple parts of GDPR, including requirements around consent, notice and lawfulness of data-processing.
“We believe that Apple is not playing by the rules,” Nicolas Brien, France Digitale’s CEO, told Digital Privacy News.
“We are surprised that EU privacy watchdogs let them go, while startups are facing investigations pretty much every week,” he said.
In a statement, an Apple spokesperson said: “The allegations in the complaint are patently false and will be seen for what they are: a poor attempt by those who track users to distract from their own actions and mislead regulators and policymakers.”
Tracking for Analytics
Currently, both Apple and third-party apps can track behavior for analytics and ad-targeting purposes unless users opt out.
Under EU privacy law, businesses must obtain opt-in consent before placing or accessing cookies and similar technologies on devices.
“As a matter of best practice — and not just in the EU, but everywhere — companies should ensure that targeted advertising is ‘off’ by default,” said Veszna Wessenauer, research manager at Ranking Digital Rights, a Washington-based research program that evaluates digital platforms’ respect for user rights.
“We expect companies to enable people to opt-in to receive personalized ads, and then to have control over how their data is used for the purposes of ad targeting,” Wessenauer told Digital Privacy News.
“The allegations in the complaint are patently false and will be seen for what they are.”Apple Inc.
“While iOS does give users the ability to control how their data is used for personalized ads, targeted advertising is not off by default on iOS devices,” she added. “Users have to tap to turn off personalized ads in their privacy settings.”
Apple faces multiple complaints from privacy and antitrust regulators across Europe.
In November, the Austrian nonprofit, None of Your Business: European Center for Digital Rights (NOYB), submitted complaints to privacy regulators in Spain and Berlin.
The complaints allege that Apple was violating another EU law, the ePrivacy Directive, by installing its ID for Advertisers (IDFA) on devices without consent.
In March, the U.K.’s Competition and Markets Authority (CMA) announced an investigation into how Apple distributes third-party apps via its App Store.
“Companies should ensure that targeted advertising is ‘off’ by default.”Veszna Wessenauer, Ranking Digital Rights.
The investigation will consider whether Apple’s terms for developers violate antitrust law.
However, Ranking Digital Rights’ Wessenauer said that Apple compared favorably to other platforms regarding how it collected user data.
“Apple is the only platform in the Ranking Digital Rights index to disclose it does not track users around the web,” she said.
“This really sets Apple apart from other companies that track people around the internet and collect data on their browsing habits and online activities.”
Making Positive Changes
“Apple is doing more than most companies when it comes to elevating privacy and putting it front and center in people’s minds,” Ostrin told Digital Privacy News.
“They have realized that privacy is not just about compliance — it’s a marketing tool as well,” he added. “I, for one, applaud them for it.”
Ostrin said that Apple’s new privacy standards would have “residual effects and unintended consequences” for third-party app developers.
Apple has “realized that privacy is not just about compliance — it’s a marketing tool as well.”Avishai Ostrin, PrivacyTeam consultancy.
“When Apple shuts out companies whom it claims are harming people’s data rights, those companies will claim Apple is doing so simply to concentrate power in its own hands,” he said.
“This will always be a risk — and this is precisely what regulators are for.
“It will be for privacy and competition regulators to balance between the very important right of users’ privacy and Apple’s amassing of monopolistic powers.”
Robert Bateman is a writer in Brighton, U.K.
- Apple: User Privacy and Data Use – App Store
- Digital Privacy News: Apple Under Fire in EU Over iPhone ‘Tracking Code’
- Competition and Markets Authority: CMA investigates Apple over suspected anti-competitive behaviour