Recently, Apple faced two privacy complaints in Europe over use of the IDFA tracking code on iPhones. The complaints allege that the iPhone-maker is in breach of European privacy laws. The complaints were filed by Austrian privacy activist Max Schrems’ not-for-profit group, Noyb.
What is IDFA?
IDFA (Identifier for Advertisers) is a unique code that Apple assigns to each iPhone for third parties to track users for ad-targeting. It replaced Unique Device Identifier (UDID) with the release of iOS 6.
Apple defines IDFA as an alphanumeric string unique to each device that third-party app developers use only for advertising. Apple’s operating system creates the IDFA without a user’s knowledge or consent and it could be used for tracking and identifying users without revealing their personal information. It is like a tracking ID in a mobile phone instead of a browser cookie.
There’s an Android equivalent of IDFA, called a GPS ADID (Google Play Services ID for Android). Users can access their GPS ADID in the settings menu. Noyb is currently reviewing Google’s tracking system as well.
What are the complaints?
The complaints filed in Germany and Spain allege that Apple’s IDFA breaches the regional privacy laws since the iPhone-maker does not seek consent from iOS users for the initial storage of the identifier.
The complaint compared IDFA to a cookie and said that Apple and third parties can access this piece of information stored on users’ devices to track their behaviour, consumption preferences, and provide relevant advertising.
One of Noyb’s complaints noted that others were able to access the IDFA without permission, and while they were never asked for consent for third-party access, many apps had shared their IDFA with Facebook.
Such tracking is strictly regulated by the EU “Cookie Law”, Article 5(3) of the EU’s ePrivacy Directive, according to which member states shall ensure that storing of information or even gaining access to the information already stored in the devices is only allowed with the user’s previous consent.
How does IDFA breach European Laws?
"EU law protects our devices from external tracking. Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws," Stefano Rossetti, privacy lawyer at Noyb, said in a statement.
Since IDFA is stored and retrieved from the user device, Article 5(3) applies in this case. In addition to this, it also applies to device fingerprinting, a tracking technique which uses the information acquired from a device to create a digital identity of the user.
“Just like profiling cookies, the Apple advertising identifier is an information stored on the Complainant’s iPhone during the setup, and just like device fingerprinting, it is then retrieved from the device when users access Apple services or third parties’ apps,” the complaint read.
It also went on to call the IDFA a ‘digital license plate.’
Additionally, in accordance with § 15(3) TMG, as interpreted by the German Supreme Court in light of EU law, both the installation of the IDFA and the access to it should be previously authorised by the user.
However, an exception to the general rule of Article 5(3) of the e-Privacy Directive is that previous consent is not required when the storage or the access to the information is strictly necessary to provide the service requested by the user or carry out the transmission over an electronic communications network.
As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR (General Data Protection Regulation), the primary law regulating how companies protect EU citizens' personal data, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR.
Storing and using the IDFA violates European privacy laws and amounts to an administrative offence which can lead to a fine of up to fifty thousand euros, the complaint added.
Apple’s response to the complaints
Apple denied the claims, calling them factually inaccurate, and said the company will make this clear to the regulators. The iPhone maker added that it does not access or use the IDFA on a user’s device for any purpose.
The Cupertino-based firm said its aim was to protect the privacy of its users and that its latest privacy feature will give users more control over the data they want to share with third parties for targeted advertising.
However, Noyb’s complaint focuses on Apple’s setting of the IDFA in the first place, arguing that, under EU law, the identifier that carried personal and private data needs permission before it is created and stored.
Apple’s new privacy feature
In a bid to increase privacy control for its iOS users, Apple said this summer that it would provide the option for users to opt in to ad tracking.
But Apple delayed the new policy change to 2021 after warnings on the impact of the change on Facebook and other mobile advertisers. The decision to delay the policy change was criticised by human rights and privacy organisations. Their concern was that data could be used for targeting advertising at a critical time like the US 2020 elections.
The iPhone-maker said it did so to give developers time to incorporate changes and update their system and data practices.
Responding to criticism of the delay of the new privacy feature, Apple slammed Facebook and others for their ad-targeting practices. In a written reply sent to many human rights and privacy organisations, Apple attacked Facebook’s advertising and user tracking approach.
Facebook responded by saying that Apple is trying to distract users from its own privacy issues and using its dominant market position to block competitors from running their ad business.