File:Apple Computer History 1979-1989.jpg - Wikimedia Commons
COPYRIGHT CREDITS wikipedia commons

European privacy activist group Noyb filed suit Monday 16-12-20 in Germany and Spain alleging that Apple’s tracking tool violates European data collection laws.

The suits concern Apple’s Identifier for Advertisers (IDFA) technology. An IDFA is a unique identifier for each iPhone that provides Apple and third-party advertisers with users’ online, application and mobile behavior.

Noyb claims that the IDFA technology violates Article 5(3) of the EU e-Privacy Directive because the IDFA tracks these behaviors without the user’s consent.

Each iPhone runs on Apple’s iOS operating system. By default, iOS automatically generates a unique “IDFA” (short for Identifier for Advertisers) for each iPhone. Just like a license plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”). Apple’s operating system creates the IDFA without user’s knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users’ behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU “Cookie Law” (Article 5(3) of the e-Privacy Directive) and requires the users’ informed and unambiguous consent.

Directive 2002/58/EC (“the e-Privacy Directive” [consolidated version])vaims, among other thing, at regulating the way “hidden identifiers and other similar devices can enter the user’s terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users” (see Recital 24 of the e-Privacy Directive)

As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR.

See the complaint