Privacy rights organisation NOYB has filed complaints against Apple over the company’s use of an online tracking tool.
The group is targeting Apple’s Identifier for Advertisers (IDFA), a randomly generated device identifier that allows companies to track user activity across websites and apps, along with combining that information. Companies use the IDFA to target adverts and follow the impact of campaigns.
Under EU law, cookies, files that track and contain user information, require user consent before they can be used. NOYB is arguing that since Apple places its IDFA, functionally similar to cookies, on iPhones without user consent, it is in violation of EU law.
NOYB was founded by privacy activist Maximillian Schrems, who was instrumental in striking down two major European data transfer tools, Safe Harbour and Privacy Shield, over claims they did not adequately protect the data of EU citizens.
“EU law protects our devices from external tracking. Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws,” said Stefano Rossetti, a privacy lawyer at NOYB, in a statement from the group.
While the IDFA can be switched off manually, the Limit Ad Tracking (LAT) function is buried deep in the device settings menu, making it difficult for users to find, assuming they know about the option.
With the release of Apple’s latest operating system, iOS 14, in September, Apple was set to introduce new privacy changes that would change tracking from opt-out to opt-in.
Developers would need to receive permission from users before gathering data on their activity, with a pop-up window asking them if they consented to have their data tracked.
However, these new changes were delayed until early next year. Apple claimed they delay would give developers the time needed to make necessary changes to their advertising plans and infrastructure.
The move has troubled advertisers, who will be unable to target ads to consumers based on their activity. It also means that companies will have trouble tracking the end results of user acquisition campaigns, as ad clicks will become incredibly difficult to connect to an app install.
- Leader Insights | Flexibility and security with Alan Smillie, Softworx
- Comment | Now is the time to outsource a good data protection officer
- EDPB releases guidance for EU-US data transfers
However, NOYB noted that the creation of the IDFA code still took place without the users’ consent.
“We believe that Apple violated the law before, now and after these changes. With our complaints we want to enforce a simple principle: trackers are illegal, unless a user freely consents. The IDFA should not only be restricted, but permanently deleted. Smartphones are the most intimate device for most people and they must be tracker-free by default,” Rossetti added.
The data privacy group has lodged the complaint with German and Spanish data protection authorities. NOYB noted that this means the group can bypass the EU, since the complaint is being made against the older e-Privacy Directive instead of GDPR, so individual authorities are able to fine Apple directly.
The rights organisation has also noted that it is currently investigating Google’s similar advertising identifier, GAID.