noyb files complaints against Apple's tracking code "IDFA"

Nov 16, 2020

noyb files complaints against Apple's tracking code "IDFA"

IDFA (Apple’s Identifier for Advertisers) allows Apple and all apps on the phone to track a user and combine information about online and mobile behaviour. Just like for cookies, this would require the users’ consent under EU law. Apple places these tracking codes without the knowledge or agreement of the users. noyb therefore filed two complaints against the company. Our partners at Xnet were able to assist us in Spain.

IDFA – the cookie in every iPhone user’s pocket. Each iPhone runs on Apple’s iOS operating system. By default, iOS automatically generates a unique “IDFA” (short for Identifier for Advertisers) for each iPhone. Just like a license plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”).

Tracking without user consent. Apple’s operating system creates the IDFA without user’s knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users’ behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU “Cookie Law” (Article 5(3) of the e-Privacy Directive) and requires the users’ informed and unambiguous consent.

"EU law protects our devices from external tracking. Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws." - Stefano Rossetti, privacy lawyer at noyb.eu

Insufficient “improvement” on third-party access. Recently Apple announced plans for future changes to the IDFA system. These changes seem to restrict the use of the IDFA for third parties (but not for Apple itself). Just like when an app requests access to the camera or microphone, the plans foresee a new dialog that asks the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is unclear when and if these changes will be implemented by the company.

"We believe that Apple violated the law before, now and after these changes. With our complaints we want to enforce a simple principle: trackers are illegal, unless a user freely consents. The IDFA should not only be restricted, but permanently deleted. Smartphones are the most intimate device for most people and they must be tracker-free by default." - Stefano Rossetti, privacy lawyer at noyb.eu

No need for EU cooperation. As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR.

"These cases are based on the "old" cookie law and do not trigger the cooperation mechanism of the GDPR. In other words, we are trying to avoid endless procedures like the ones we are facing in Ireland." - Stefano Rossetti, privacy lawyer at noyb.eu

Google uses a similar tracking system, which is currently being reviewed by noyb.