Sat 22 Feb 2025
Apple's ad targeting mechanics revealed in recent French privacy case

2023-01-31

Earlier this month, Apple was fined €8MM by CNIL, the French privacy watchdog, for reading iOS device identifiers without consent for the purposes of ads personalization.

While the CNIL’s press release on the matter is meager, the text of the decision (machine translated from French) contains a great deal of fascinating detail about how Apple targets ads. In iOS 14.6, the “Ads Personalization” settings were active by default, permitting Apple to personalize ads with its Apple Search Ads platform upon device activation (and requiring the user to navigate through device Settings to disable this functionality). The CNIL’s decision provides clarifying insights into how Apple places users into advertising segments and the mechanics it uses to facilitate ad targeting. From the decision:

41. The first step is relative to data collection: when creating an Apple user account (currently called “Apple Id”), a technical identifier named “directory services identifier” (hereinafter “DSID”) is assigned to each account user. The DSID is created on the servers of the company. It is notably used to access iCloud and its content, information and services associated with the Apple user account.

42. During his navigation on the App Store, the trace of the activity of using it), as well as the information he has entered in his Apple ID account (i.e. the year of birth, the user’s gender and location), are collected and associated with this DSID on Apple’s “Apple Media Platforms” (hereinafter “AMP”) servers.

43. If the setting relating to the receipt of targeted advertising in the App Store is activated, this data is used to determine the segments that a user will be assigned and, therefore, the advertisements that they will receive. A “segment” is a group of at least 5,000 users who share similar characteristics and whose setting for receiving targeted advertising in the App Store is active in iPhone settings.

44. The second step relates to the creation of identifiers specific to the personalization of ads aimed at promoting applications on the App Store: in order to prevent the distribution and measurement of advertising content from involving the use of the DSID identifier, the user’s device will generate locally on the user’s terminal two other identifiers:

  • on the one hand, the “device pack identifier” (hereinafter the “DPID”) which is synchronized via iCloud in order to ensure that all the devices of the same user have the same DPID;
  • on the other hand the iADID which is specific to each device and does not require synchronization via iCloud.

45. Finally, the third step relates to the display of personalized ads on the user’s terminal: when the user searches for an application in the App Store, his device sends an advertising request to the servers “Ad Platforms” containing the word sought, the DPID, the iADID and the identifiers relating to the segments concerning it, so that they determine the targeted advertising to be displayed as a priority (all of these elements being available locally on the terminal, the process makes it possible to avoid that the “Ad Platforms” servers can identify the Apple account associated with each request). The iADID can moreover be used to count the number of “advertising impressions”.

In short:

  • Apple generates a DSID for a user when they create an Apple account;
  • App Store behavioral (usage) data as well as user characteristics such as location, gender, and year of birth are associated with the user’s DSID;
  • This profile tied to the DSID is used to place a user into advertising segments, which are groups of no less than 5,000 users that can be targeted by some theme or topic (more here);
  • A DPID (used for device synchronization) and iADID (used for ad targeting) are generated and stored on the user’s device;
  • When an advertising impression becomes available to the user, the device sends the search term, the DPID, the iADID, and segment information to the ad server in order to request a viable ads payload.

The CNIL argues that, absent consent, the workflow above is in violation of Article 82 of the French Data Protection Act, which is transposed from the ePrivacy Directive and “requires consent to the operations of reading and writing information in a user’s terminal” except in specific circumstances (namely: necessity). The CNIL determines that ads personalization is not necessary to fulfill the obligations of the App Store, and that reading these identifiers for the purposes of advertising targeting without having been given explicit consent to do so from users violates French law.
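The flow summarized above, as an added Python model that is not Apple's code and not part of the original article. It assumes string DSIDs, a `sync_segments` step and a `consent` flag (all hypothetical names), and it places the consent gate at the point where the device reads its locally stored identifiers, which is the operation the CNIL ties to consent.

```python
import uuid
from collections import defaultdict

MIN_SEGMENT_SIZE = 5000  # minimum segment size stated in paragraph 43


def build_segments(profiles):
    """Server side: group DSID-keyed profiles into segments of >= 5,000 users."""
    members = defaultdict(set)
    for dsid, profile in profiles.items():
        if profile["personalized_ads"]:  # only users with the setting active
            for trait in profile["traits"]:
                members[trait].add(dsid)
    return {t: m for t, m in members.items() if len(m) >= MIN_SEGMENT_SIZE}


class Device:
    """Terminal side: DPID and iADID are generated and stored locally."""

    def __init__(self, dpid=None):
        # The DPID is shared by one user's devices; the iADID is per device.
        self._store = {"dpid": dpid or str(uuid.uuid4()),
                       "iadid": str(uuid.uuid4()), "segments": []}
        self.consent = False  # hypothetical explicit opt-in, off by default

    def sync_segments(self, dsid, segments):
        """Assumed step: keep only segment names on the device, never the DSID."""
        self._store["segments"] = sorted(t for t, m in segments.items() if dsid in m)

    def ad_request(self, search_term):
        """Read stored identifiers only after consent; else send the term alone."""
        request = {"term": search_term}
        if self.consent:
            request.update(self._store, segments=list(self._store["segments"]))
        return request


def demo():
    # Constructed sample: 5,000 users share "games", only 4,999 share "finance".
    profiles = {f"dsid-{i}": {"personalized_ads": True,
                              "traits": ["games"] + (["finance"] if i else [])}
                for i in range(MIN_SEGMENT_SIZE)}
    segments = build_segments(profiles)
    device = Device()
    device.sync_segments("dsid-1", segments)
    without_consent = device.ad_request("chess")
    device.consent = True
    return segments, without_consent, device.ad_request("chess")
```

In this model the "finance" group falls one user short of the threshold and never becomes a segment, and the request built before consent carries only the search term.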

A few aspects of this situation deserve emphasis.

The first is that Apple rejected the territorial jurisdiction of the CNIL in this case. Apple claimed that the GDPR should apply and therefore the GDPR’s one-stop-shop clause should require that the matter be examined by Apple’s relevant EU DPA, which is the Irish DPC, since Apple’s EU entity is domiciled in Ireland. Apple noted that the client-server relationship described above is managed by servers that are operated by Apple Distribution International, LTD, and located in Ireland. The CNIL countered that it did have jurisdiction on the matter under French law considering Apple operates two subsidiaries in France, Apple Retail France and Apple France, and that previous CJEU judgments supported this claim to jurisdiction. From the complaint:

67. In relation to the existence of an establishment responsible for treatment on the French territory, the Court of Justice of the European Union (CJEU) has, in its judgment Weltimmo, of October 1, 2015, specified that “the notion of ‘establishment’, within the meaning of Directive 95/46, extends to any real and effective activity, even minimal, exercised by way of a stable installation”, the criterion of stability of the installation being examined with regard to the presence of “human and technical resources necessary for the provision of the specific services in question”. The CJEU considers that a company, an autonomous legal person, from the same group as the controller, can constitute an establishment of the controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C-131/12, ch. 48).

68. In this case, the Restricted Committee notes that the companies APPLE RETAIL FRANCE and APPLE FRANCE are both subsidiaries of the company APPLE INC and have stable premises located in France. It moreover notes that APPLE FRANCE employs approximately […] people. Consequently, the companies APPLE RETAIL FRANCE and APPLE FRANCE each constitute an establishment of the company ADI within the meaning of article 3 of the same Data Protection Act.

A second noteworthy aspect of this case is that Apple pointed out that it had introduced a prompt to collect explicit consent for ads personalization with iOS 15, which was the prevailing version of the operating system available at the time the case was being litigated. The CNIL countered that its investigation took place when iOS 14.6 was live. It’s unclear whether Apple would have reversed course with its default-on policy for ads personalization or introduced its “Personalized Ads” consent prompt absent regulatory scrutiny.

And finally, consider that the CNIL determines Apple’s practices to be at odds with French law and the ePrivacy Directive despite the fact that the iADID is generated on-device, is only used in a first-party setting (i.e., not transmitted to any third parties), and is disassociated from any other identifier or aggregated personal information. From the judgment:

The Restricted Committee recalls once again that the only action tending to access information already stored in the user’s terminal equipment located in France entails the application of Article 82 of the Data Protection Act… In other words, the Restricted Committee considers that the fact of implementing other measures to protect privacy from the design stage does not make it possible to circumvent the rule set by Article 82 of the Data Protection Act.

The CNIL makes clear that the act of reading information from the user’s terminal (in this case, iOS device) requires either consent or necessity under French law and the ePrivacy Directive. And given this sanction as well as its recent sanction against Voodoo Games, the CNIL seemingly doesn’t view ads personalization as a necessary function of consumer-facing apps.
