Turns out it’s actually better to ask for permission than for forgiveness, at least when it comes to privacy compliance in Europe.
Apple and Meta are living proof.
On Wednesday, Apple was hit with an 8 million euro fine in France (just under $8.5 million) for failing to collect tracking consent from French iPhone users.
Separately, and also on Wednesday, European regulators ruled that Meta’s practice of using its terms of service to require people to consent to tracking for targeted advertising is illegal under the General Data Protection Regulation (GDPR).
Bad Apple
France’s data protection watchdog, the CNIL, levied its fine against Apple following multiple complaints, including one brought in March 2021 by France Digitale, a lobbying group representing French startups.
The group had argued that Apple was in breach of GDPR because Apple tracked iOS 14.6 users within its own apps without asking for consent.
The CNIL agreed, taking particular issue with the fact that users had to perform “a large number of actions” to deactivate Apple’s prechecked ad targeting settings. Le friction n’est pas bon.
(As a side note, for this particular ruling, the CNIL relied on the French Data Protection Act, rather than GDPR. Ireland has supervisory authority over GDPR enforcement against Apple in Europe.)
Following the 2021 complaint, Apple proactively started collecting consent to enable personalized advertising using a non-ATT pop-up on devices running on iOS 15 or later. But the CNIL still dinged Apple for enabling personalized advertising by default on older versions of its mobile operating system.
The CNIL’s ruling can be considered a victory, but IAB France was less than impressed with the size of the fine, noting in a statement that “for many years Apple has had an undue comparative advantage over all the other players in the mobile ecosystem that have not been given the same impunity, creating de facto distortions of competition.”
Out of service
Meanwhile, the European Data Protection Board’s judgment against Meta, which comes along with a 390 million euro fine (roughly $414 million), was not unexpected but does represent a major blow to the company’s advertising business in Europe.
After GDPR went into effect in May 2018, Facebook began using a provision under the law called “contractual necessity” as a legal basis for processing personal data. Contractual necessity allows a company to process data as long as the processing is necessary for the service provided and is clearly defined in whatever contract the company has with the individual.
In other words, Facebook started requiring users to consent to tracking as part of its terms of service, effectively opting European users into tracking by default, because it’s impossible to use Facebook’s apps without agreeing to its T&Cs.
Austrian privacy activist and professional Facebook foe Max Schrems took issue with this setup and filed multiple complaints against Meta.
Ireland’s data protection authority originally issued a draft decision in Meta’s favor, saying the company’s approach was legal. But after a report in early December 2022 that EU regulators were planning to rule against Meta, Ireland intimated that a new decision would be forthcoming in January.
The anvil finally dropped on Wednesday, when the European Data Protection Board overturned Ireland’s draft decision.
Although Meta has the opportunity to appeal, this ruling has the potential to upend the social media giant’s ad business in Europe.
“People now need to be asked if they want their data to be used for ads or not – they must have a ‘yes or no’ option and can change their mind at any time,” Schrems said in a statement. “The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”