European privacy activist noyb has filed a complaint to Data Protection Authorities in Germany and Spain against Apple due to its use of an opt-out tracking cookie on all iPhones.
The issue is due to Apple’s tracking code “IDFA”. IDFA (Apple’s Identifier for Advertisers) allows Apple and all apps on the phone to track a user and combine information about online and mobile behaviour. Just like for cookies, this would require the users’ consent under EU law. Apple places these tracking codes without the knowledge or agreement of the users.
By default, iOS automatically generates a unique “IDFA” (short for Identifier for Advertisers) for each iPhone. IDFA allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”).
Apple’s operating system creates the IDFA without user’s knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users’ behaviour, elaborate consumption preferences and provide personalised advertising. noyb says such tracking is strictly regulated by the EU “Cookie Law” (Article 5(3) of the e-Privacy Directive) and requires the users’ informed and unambiguous consent.
“EU law protects our devices from external tracking. Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws.” – Stefano Rossetti, privacy lawyer at noyb.eu.
The system is currently Opt-out, meaning users are automatically tracked.
Recently Apple announced plans for future changes to the IDFA system to Opt-in. Just like when an app requests access to the camera or microphone, the plans foresee a new dialogue that asks the user if an app should be able to access the IDFA. These changes seem to restrict the use of the IDFA for third parties, but crucially not for Apple itself. The initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is also unclear when and if these changes which will restrict 3rd party developers will be implemented by the company.
“We believe that Apple violated the law before, now and after these changes. With our complaints we want to enforce a simple principle: trackers are illegal unless a user freely consents. The IDFA should not only be restricted but permanently deleted. Smartphones are the most intimate device for most people and they must be tracker-free by default.” – Stefano Rossetti, privacy lawyer at noyb.eu
Google uses a similar tracking system, which is currently being reviewed by noyb.
As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR.
“These cases are based on the “old” cookie law and do not trigger the cooperation mechanism of the GDPR. In other words, we are trying to avoid endless procedures like the ones we are facing in Ireland.” said Stefano Rossetti, privacy lawyer at noyb.eu