
French privacy watchdog to Voodoo Games: use of the IDFV requires consent
Last week, France’s privacy regulator, the CNIL, announced that it has fined Voodoo, the French developer of hypercasual games, €3MM for violating the French Data Protection Act. The basis for the CNIL’s sanction is Voodoo’s use of the IDFV, or ID for Vendors, on iOS without user consent. From the CNIL’s press release about the decision:
During its investigations, the CNIL however observed that when a user refuses the advertising tracking, the company VOODOO reads the technical identifier associated to this user (IDFV) anyway and still processes the information linked to the browsing habits for advertising purposes, therefore without consent and in contradiction with what it indicates in the information screen it displays… The use of the IDFV for advertising purposes without the user’s consent constitutes a breach of Article 82 of the French Data Protection Act.
Regular readers of this blog are likely familiar with the IDFV and how it differs from the IDFA, which is regulated by Apple’s App Tracking Transparency (ATT) privacy policy and restricted when users opt out of the ATT prompt. As a quick primer:
- The IDFA, or ID for Advertisers, is a unique identifier for the device. An app’s access to the IDFA is moderated by ATT: if a user opts out of the ATT prompt, or if an app does not expose the ATT prompt, then the IDFA is represented by a string of 0s (known as IDFA zeroing, which was introduced with the Limit Ad Tracking feature in iOS 10). For apps that have received ATT opt-in, the IDFA is available, and it is universal to all apps; every app sees the same IDFA. More background on how the IDFA is used to facilitate digital advertising targeting can be found here and here.
- The IDFV, or ID for Vendors, is a device identifier that is unique across a publisher’s apps. Put another way: the IDFV is unique to a device for every app published by a given publisher, but IDFVs differ across publishers. Publisher A would see the same IDFV for a specific device across all of its apps, but the IDFV would be different for the same device in a different publisher’s apps. The IDFV is available within all apps, regardless of ATT opt-in status.
The diagram below illustrates the availability of the IDFA and IDFV across different publishers and ATT opt-in statuses:

The IDFV can be thought of as a first-party identifier: given that it is unique for a specific device for a given publisher, its primary use case is publisher-level analytics, publisher-level cross-promotional advertising targeting, and things like advertising frequency capping and general rate limiting. The IDFV was not designed for use in cross-publisher ads targeting, and it’s difficult to fathom how it could be used for that purpose (although I’m sure an inventive ad tech product manager could make a compelling case for how it’s possible). It’s important to note here that, because it is a first-party identifier that is mostly inscrutable or useless outside of a publisher’s own data environment, Apple leaves the IDFV available to apps even when a user has opted out of the ATT prompt.
The CNIL asserts in its decision that, irrespective of the intended use case, access to the IDFV requires consent under the French Data Protection Act. The CNIL’s English-language press release on this case is sparse and mostly devoid of helpful insight, but its French-language deliberation provides useful clarity on the decision. The passages below are copied from the machine-translated deliberation (all emphasis is mine).
On the need for consent to access data from a user’s device under the French Data Protection Act:
32. Firstly, the Restricted Committee recalls that Article 82 of the Data Protection Act requires consent to operations for reading and writing information in a user’s terminal but provides for specific cases in which certain tracers benefit from an exemption to consent: either when the sole purpose of this consent is to allow or facilitate communication by electronic means, or when it is strictly necessary for the provision of an online communication service at the express request of the user.
On why the use case facilitated by the IDFV is not exempted from consent under the French Data Protection Act:
34. The Restricted Committee notes that this operation is therefore not intended to allow or facilitate communication by electronic means and is not strictly necessary for the provision of an online communication service at the express request of the user. Therefore, such an IDFV reading operation does not fall under any of the exceptions specified in Article 82 of the “Informatique et Libertés” law and cannot be carried out on the person’s terminal without prior consent.
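As an added example (not code from the original post, nor Voodoo’s own code), the Swift below shows how an iOS app would read the two identifiers on the terms described above: the IDFA only when ATT is authorized (Apple returns all zeros otherwise), and the IDFV only when the app’s own consent record says the user agreed to advertising use, since the OS itself hands the IDFV out regardless of ATT status. The `adConsentGranted` flag, the `AdIdentifiers` type and the function name are assumptions; the framework APIs are Apple’s.

```swift
import UIKit
import AdSupport
import AppTrackingTransparency

/// Identifiers an app may pass to its advertising SDKs. Each is present
/// only when the corresponding permission or consent exists.
struct AdIdentifiers {
    let idfa: String?   // nil unless ATT status is .authorized
    let idfv: String?   // nil unless the app's own ad consent was granted
}

/// Apple's placeholder for a withheld IDFA ("IDFA zeroing").
let zeroedIDFA = "00000000-0000-0000-0000-000000000000"

/// `adConsentGranted` is a hypothetical flag holding the user's answer to
/// the app's own consent dialog (the Article 82 / ePrivacy consent), which
/// is separate from the ATT prompt: ATT governs the IDFA only and says
/// nothing about the IDFV.
func identifiersForAdvertising(adConsentGranted: Bool) -> AdIdentifiers {
    var idfa: String? = nil
    if #available(iOS 14, *),
       ATTrackingManager.trackingAuthorizationStatus == .authorized {
        let raw = ASIdentifierManager.shared().advertisingIdentifier.uuidString
        // Defensive check: never treat a zeroed IDFA as a real identifier.
        idfa = (raw == zeroedIDFA) ? nil : raw
    }

    // The OS returns the IDFV whether or not the user opted out of ATT,
    // so the decision to read it for advertising is the app's. Gate it on
    // the app's consent record rather than on ATT status.
    var idfv: String? = nil
    if adConsentGranted {
        idfv = UIDevice.current.identifierForVendor?.uuidString
    }
    return AdIdentifiers(idfa: idfa, idfv: idfv)
}
```

A practical check when auditing an app is to call such an accessor with consent refused and confirm that both fields come back nil, which is exactly the condition the CNIL found Voodoo’s app did not satisfy.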
On why Voodoo’s use of the IDFV constitutes “tracking,” and why the CNIL deems this use to be particularly egregious in cases of ATT opt-out:
35. The Restricted Committee considers that, even though the IDFV does not allow [tracking] as extensive as that made possible by the IDFA, the fact remains that, as appears from the documents in the file and from the writings of the company and in particular of the window it presents to the user, that this identifier makes it possible to follow the activity of the user within the applications published by VOODOO for advertising purposes and without the prior agreement of the interested parties. The Restricted Committee moreover notes that by refusing the “ATT solicitation”, the user has already clarified his desire that his activity not be monitored by any application whatsoever.
A brief and clear determination that access to the IDFV requires consent:
37. In view of the foregoing, the Restricted Committee considers that by using the IDFV identifier, for advertising purposes without the user’s consent, the company VOODOO disregards the obligations of Article 82 of the Data Protection Act.
At first blush, this case may seem similar to the recent ruling by the European Data Protection Board, implemented by the Irish DPC, regarding Meta’s use of first-party data for the purposes of advertising targeting, which I cover here. While these cases are conceptually similar, they are litigated by different mechanisms: the Meta case relates to a determined violation of GDPR, and the Irish DPC is the regulator in question because the GDPR’s one-stop-shop mechanism offers companies that operate in the EU the use of a single regulatory touchpoint, which is the Data Protection Authority (DPA) for the member state in which the company’s EU headquarters is domiciled. Many non-European technology companies host EU headquarters in Ireland because of that country’s business-friendly taxation and regulatory regime, and so the Irish DPC is the privacy regulator for these companies in cases of GDPR compliance.
But Voodoo is being sanctioned in this case by the French privacy regulator under French law and not the GDPR. The CNIL determines that Voodoo violated the French Data Protection Act — specifically, Article 86, which is an implementation of the EU’s ePrivacy Directive, which is often referred to as the EU Cookie Law because it precipitated the widespread use of cookie consent pop-ups after it was passed. An EU directive differs from an EU regulation in that a directive does not impose EU-wide legal prescriptions but rather establishes objectives that EU member states are responsible for implementing into national law. Article 86 of the French Data Protection Act transposes Article 5(3) of the ePrivacy Directive, which, per the quote from the deliberation above, “requires consent to operations for reading and writing information in a user’s terminal.”

Highlighting this distinction is important because the French CNIL outlines in its strategic plan for 2022-2024 that the “collection of personal data in smartphone applications” is a particular priority for the agency. This is relevant because Voodoo is not the first company that the CNIL has sanctioned on this basis recently; on December 29th, 2022, the CNIL determined that Apple’s use of proprietary device identifiers for the purpose of personalized advertising through its Apple Search Ads platform violated Article 82 of the French Data Protection Act, and the CNIL issued Apple with an €8MM fine as a result. Apple argued that the pertinent legislation under which the case should be considered was not the French Data Protection Act but rather the GDPR, and therefore its privacy regulator, the Irish DPC, should be the authority to examine the alleged wrongdoing. The French court, the Conseil d’Etat, determined — based on previous decisions by the Court of Justice of the European Union (CJEU) — that French law was applicable because Apple operates two subsidiaries in France — Apple France and Apple Retail France — and because relevant processing took place in France:
Every iPhone sold in France contained the App Store, which came with the company’s identifiers. Therefore, the establishment Apple Retail France helped data subjects owning an iPhone access the App Store and carry out searches, which would result in these data subjects being personalized by the identifiers. With regard to the other subsidiary/establishment, Apple France, the DPA noted that it employed ‘search ads specialists’, who assisted app developers with their ad campaigns. Therefore, the DPA concluded that there was a clear link between the activities of Apple’s subsidiaries and the reading/writing operations regarding the identifiers used by Apple.
There are important implications from this case. The CNIL asserts its authority by drawing a very clear distinction between the remit of the French Data Protection Act and the GDPR (emphasis mine):
59. The restricted committee points out, first of all, that a distinction must be made, on the one hand, between reading and writing operations on a terminal, which are governed by the provision of Article 82 of the Data Protection Act and for which the French legislature has entrusted the CNIL with a monitoring task and in particular the power to penalise any infringement of that article and, on the other hand, the subsequent use of the data produced or collected via these operations, which is governed by the GDPR and may, therefore, if necessary, be subject to the “one-stop shop” system.
This highlights important realities of the privacy environment in Europe that should be acknowledged by advertisers and ad platforms alike.
First: ATT is a platform policy, not a legal framework, and compliance with ATT does not necessarily entail compliance with all relevant privacy legislation. In this case, while Voodoo was compliant with ATT, the CNIL determined that Voodoo’s data access practices were not compliant with the French Data Protection Act — specifically, the article transposed from the ePrivacy Directive.
Second: GDPR is not the only relevant legal framework with which data practices must comply. The CNIL makes clear that it deems “reading and writing operations on a terminal” to be under the remit of the French Data Protection Act.
And third: recent determinations within the scope of both the GDPR and the ePrivacy Directive seem to point to consent as the only valid legal basis for collecting and processing data — even first-party data — for the purposes of advertising targeting. The GDPR provides six legal bases for processing user data; the European Data Protection Board deemed a contractual basis through Meta’s terms of service to be invalid for processing first-party data for ads targeting in its recent decision. While some believe that the legitimate interest basis can be used for this purpose, obviating the need to collect consent, I remain skeptical, given that TikTok abandoned plans to use the legitimate interest basis for that purpose after consulting with its privacy regulator, the Irish DPC.
My sense is that consent will ultimately be the only basis through which consumer data, even when collected in a first-party context, can be collected and processed for advertising targeting in the EU. And note that in both the Meta case (GDPR) and the Voodoo case (French Data Protection Act / ePrivacy Directive), advertising personalization was not deemed to be necessary or essential to the functioning of the product.