France fines Apple €150M for “excessive” pop-ups that let users reject tracking
- Thread starter JournalBot
- Start date
No, it’s you who is confused.
They fined Apple because some app developers also displayed their own dialog for asking your permission to track you using some other custom means than IDFA (Identifier for Advertisers) for which there is a dialog provided by the platform.
Apparently, according to French authorities, a single platform provided dialog should cover all cases, i.e. if you say NO it's written to some app specific storage where the app could then read your (non-)consent and hopefully respect it and not track you using any technology.
However, if an app tries to access the IDFA value after user has rejected its use, the API will just return zero (and it has worked like that forever) so app developers could already have used that mechanism for determining the rejection of tracking
Upvote
26
(36
/
-10)
They do this for literally every app that has location permissions.
Upvote
25
(31
/
-6)
France had over €600 billion in public spending in 2022 alone.
A €150 million fine is 0.025% of that.
Fines are also multiple years in the making.
The idea that these fines are to "balance the books" instead of, you know, actually encouraging companies to follow the law, is completely absurd.
Thankfully, you're usually downvoted on Ars for peddling that nonsense narrative. How you've been upvoted for it this time is beyond me.
Upvote
8
(33
/
-25)
Just a reminder that regulatory capture and graft is not limited to officials on this side of the Gulf of Mexico.
Upvote
-1
(8
/
-9)
Honestly, I do not think that agency is wrong. I have been trying out some new mobile games (all trash, of course) to see their ad consent forms on Android and most of them are ridiculous. I have to scroll through hundreds of ad trackers and deactivate their legitimate interest slider because I do not have a single slider/button to disallow all trackers. If that agency's fine leads to an end of this kind of practice, I am all for it.
Upvote
10
(21
/
-11)
This feels so backwards!? Isn't the end user more and most important? Apple did nothing wrong here in my book, I would even go as far as to say its ok for Apple to ignore my initial "its fine" response and remind me down the road that this is going on. I hope they fight this, absurd ruling!
Upvote
0
(14
/
-14)
Every couple of weeks, Android 15 gives me a notification that it's blocked all permissions on a handful of apps I haven't touched in a while, and will re-enable them if I want it too. That seems like a pretty reasonable approach.
Upvote
22
(24
/
-2)
What is Apple supposed to do about this? It controls access to a particular ad identifier, and its consent screen gates access to that. Beyond that, the user's choice is just a signal that apps could use to infer, "No" to every tracking question they might envision. Instead, some apps ask for consent to do things other than user the IDFA.
Upvote
20
(23
/
-3)
Apple is being fined for the fact that third-party apps ask for their own consent, in addition to Apple having its own consent screen. Not for anything to do with its own consent dialogues.
Upvote
28
(32
/
-4)
You're only thinking about the case of the users who want to say "no".
I have no idea why one would to say "yes" but apparently lots of people do say "yes" to everything.
In that case the 3rd party app needs users to say "yes" twice: first say "yes" to IDFA and then say "yes" to other tracking forms proposed by the app.
While apparently Apple's own apps could do it all in one go until iOS 15. Or maybe Apple just doesn't track users beyond IDFA?
Upvote
10
(11
/
-1)
I haven't experienced them yet but if/when I do I would love if there was a "Never see ads from this vendor again" option. Or just an option to shut off all ads please.
I did a few long stints as IT for big marketing companies and people did not like when I asked that question. I would love to talk to those execs now and ask them if the constant bombardment of nearly everyone by ads is what they were hoping would happen.
I did a few long stints as IT for big marketing companies and people did not like when I asked that question. I would love to talk to those execs now and ask them if the constant bombardment of nearly everyone by ads is what they were hoping would happen.
Upvote
9
(9
/
0)
If that's the issue -- which is not at all clear in the article -- then Apple could in principle expand their popup to cover those other issues. There could be an API or other method for the app to notify iOS what permissions are needed. So, what you suggest is not the only possible solution.
That said, and as much as I happy to see more regulation of these giant corporations in the interest of privacy, I disagree with the ruling.
Upvote
4
(5
/
-1)
The kernel of a real issue is that Apple doesn't "track" you according to its definition at all, which it defines as tracking across services from different companies. It doesn't view, for example, using Safari information in Apple News to be "tracking," since it's all once company. The same applies to Google, Facebook, etc--tracking you from one app to another, from the same company, it does not define as "tracking" at all. In terms of answering "Yes," if you answer yes then Apple lets apps have access to the IDFA, but apps themselves might still be legally required to directly get consent for something. As for this, I don't see what Apple could possibly do about it.
Upvote
28
(29
/
-1)
Because Apple doesn't require apps to do it twice. Apple only requires that they do it once. The second time is required by GDPR.
So the solution will be to eliminate the Apple requirement - however it is the Apple requirement that actually has technological enforcement. The other one is just a pinky promise.
Upvote
34
(37
/
-3)
You're talking about people who got so offended at the idea that people might experience a single hour of their life without ads that they went and spent real money to bolt 30 foot electronic billboards to pontoon boats and had them cruise up and down the beach all day. THE BEACH.
Of course this is what they were hoping would happen.
Upvote
14
(14
/
0)
While repeat confirmations is indeed not appropriate, France has glossed over something here: the complaint was brought by advertisers on behalf of small businesses financing their apps via the ad network. The complaint is that by having a blanket confirmation in addition to any that the apps themselves have presented, Apple is making the process burdonsomely arduous.
But the fault at least partially lies with the advertisers themselves. They are requiring the small businesses to send THEM tracking data and telemetry that is burdonsome for the small businesses. This component should ALSO be investigated by the government, as it should be unnecessary for this information to be collected and distributed to the third parties (triggering the warnings) in order for the small businesses to receive ad revenue.
That bit has absolutely nothing to do with Apple.
But the fault at least partially lies with the advertisers themselves. They are requiring the small businesses to send THEM tracking data and telemetry that is burdonsome for the small businesses. This component should ALSO be investigated by the government, as it should be unnecessary for this information to be collected and distributed to the third parties (triggering the warnings) in order for the small businesses to receive ad revenue.
That bit has absolutely nothing to do with Apple.
Upvote
16
(19
/
-3)
I really, really like how Android revokes permissions after a time of non-usage for all apps.
Upvote
13
(14
/
-1)
It's quite apparent that the EU is going to slowly harass US tech firms until European tech firms can figure out how to compete. I'm not particularly angry about that - it's no worse than Biden or Trumps tariffs on cars, etc.
Upvote
-18
(9
/
-27)
This isn't about websites. It's about in-app tracking.
I don't understand the "double" part. I only ever see the request once per app (unless I delete and reinstall it). But for France's advertisers, I guess that's too much.
Upvote
3
(7
/
-4)
Let’s see if I’ve got this right. Apple puts up a tracking consent pop-up that doesn’t meet GDPR, so app developers have to add a second pop-up that does meet GDPR, in the case the user consents in the first.
Apple’s own consent system doesn’t require two separate pop-ups in that manner. (Not sure exactly why, though. Does Apple just lump that together? Or is it because the GDPR consent is only necessary when data is shared with a third-party?)
Seems like it would make sense for Apple to expand the functionality of that tracking consent pop-up to let it also (optionally by developer) include the functionality necessary to be the GDPR pop-up. Frankly, that would probably be a useful feature for a variety of reasons. A single consent pop-up could be more user-friendly, consistent UI between apps is probably helpful for the user, marginally easier for a developer to utilize a standard system pop-up, etc.
I appreciate any corrections be, as I’m not quite sure I got it all correct.
Apple’s own consent system doesn’t require two separate pop-ups in that manner. (Not sure exactly why, though. Does Apple just lump that together? Or is it because the GDPR consent is only necessary when data is shared with a third-party?)
Seems like it would make sense for Apple to expand the functionality of that tracking consent pop-up to let it also (optionally by developer) include the functionality necessary to be the GDPR pop-up. Frankly, that would probably be a useful feature for a variety of reasons. A single consent pop-up could be more user-friendly, consistent UI between apps is probably helpful for the user, marginally easier for a developer to utilize a standard system pop-up, etc.
I appreciate any corrections be, as I’m not quite sure I got it all correct.
Upvote
22
(22
/
0)
Translation: Tracking by big American companies is "bad" tracking. Tracking by small European companies is "good" tracking.
Upvote
2
(19
/
-17)
I agree w/ the EU.
Instead of asking us to stop being tracked multiple times, we should just have a single setting that, once selected, opts us out of all tracking in the future, without any further popups.
Instead of asking us to stop being tracked multiple times, we should just have a single setting that, once selected, opts us out of all tracking in the future, without any further popups.
Upvote
-13
(9
/
-22)
Upvote
4
(7
/
-3)
The court isn't saying that some tracking is good, other tracking is bad.
They're saying that Apple's system, as it currently stands, allows tremendous broad-ranging access to track a user across many different parts of the system with just one "consent".... IFF you are Apple itself, or a major player like Google who's got its fingers into a dozen different everyday apps that only touch the giant company's own sprawling back-end systems. Whereas a smaller company that only makes one specialized app and relies on external networks for parts of it needs a more involved, multiple-popups process to get the same consent.
They don't appear to be saying that either way is good or bad, and they don't much care about the exact technical and implementation details – they are simply finding that a system which results in a much more obtrusive level of user consent checking for small one-app developers who outsource ad functions, versus a more streamlined and unobtrusive consent for big full-ecosystem developers who do it all "in house" using their own ad tracking platforms, is inherently unfair according to competition law.
Upvote
8
(14
/
-6)
The issue was Microsoft turned it on by default, which broke the spirit of the uneasy compromise. Other browsers had it default-off.
Upvote
-2
(1
/
-3)
I hate that shit, and would turn it off if I could. Instead you have to dig into a subdialog for each individual app you want to exempt.
Upvote
-1
(3
/
-4)
As someone who works with GDPR extensively in my day job, this makes absolutely no sense to me.
Which provision in GDPR, and for which party, is this required?
Upvote
-3
(4
/
-7)
Only because companies are not adhering to the law, and are getting away with screwing consumers over.
According to law, consent must be freely given, specific, informed, and unambiguous (article 4-11). But from this it also follows that it must be as easy to opt-out as it is to opt-in (recital 42).
In essence, if there’s a big “Accept All” button, there should be an equally visible “Reject All” button, or at least a “Customize” option that doesn’t take more effort than accepting everything.
Additionally, default should be opt-out, meaning passive accept through pre-filled check boxes does NOT constitute valid consent.
These details are often omitted deliberately, and dark patterns are used to make it a PITA to opt-out of tracking.
If you took a company to the EDPB you would easily win the complaint. But as consequences are not as severe as other parts of the GDPR (at least not yet) it's an area lacking attention.
Upvote
15
(15
/
0)
i think their consent is some vendor may seems working hard to prevent other from tracking you while harvesting your data and sold them cheaply without even needing a single consent in the first place?
Upvote
-3
(0
/
-3)
It wouldn't be difficult for the OS to allow the app to pass a list of additional checkbox options to which can be tailored to the country or state it's being run in (France, a bunch of GDPR checkboxes, California, a do not sell my data checkbox) and display them in the tracking dialog.
Upvote
1
(4
/
-3)
Finally. So many unanswered feedbacks and Apple never went back to revisit the implementation and how poorly it approaches the problem. Apple’s entire portfolio on privacy somehow always ends around “introducing a feature that sounds awesome in a keynote” and never far enough to make it actually useful to both consumers and businesses. Happy they got a slap on the wrist.
Upvote
-12
(5
/
-17)
Not to get too far off topic... "Ask Woody" had this article today:
"Apple has been analyzing your photos since September 2024"
I don't know if this is a serious issue as I'm not in the walled garden...
Upvote
-15
(2
/
-17)
Upvote
10
(11
/
-1)
No, that's not quite right.
Apple has a consent step for its own tracking framework, and it meets the GDPR if the data is kept in that ecosystem.
Large players who either integrate to that or rely on it as its sole source of insight will be fine with that.
However, smaller parties who choose to use a third party provider for collection and analysis will have to share data, and this requires a broader consent. Apple does not support this - but they also don't allow smaller parties to bypass their own consent-step and only use their own (which would satisfy the legal requirement).
As a result, Apple itself and larger parties that don't need third parties for insight get an unfair advantage.
That is exactly why. The distinction is because for small parties the Controller and Processor are different entities, and the Controller passes the data on to a third party.
From a legal perspective, the better option would be to allow smaller parties to obtain consent without first going through Apples consent-step, as it is irrelevant and unusable.
But it's important to note that Apple is getting slammed for making things harder for "everyone but themselves + Meta", and not for any actual violation the GDPR. The French authorities believe Apple is being anti-competitive.
I think the verdict is sound. The size of the fine is due to Apples enormous size. Sort of like punitive damages in the US.
That said, I'd prefer it if tracking was simply made illegal.
Upvote
5
(15
/
-10)
Upvote
5
(6
/
-1)
Are you an Apple device user?
Why should anyone get access to my Apple advertising tracking ID without having to ask first?
Upvote
13
(14
/
-1)