The French DPA fined Apple for implementing the ‘personalised ads’ setting as default without prior consent and making it hard to change the setting by involving multiple steps.
Excerpt
Our analysis
The CNIL received a complaint regarding ad personalization in the App Store and conducted several investigations in 2021 and 2022 to ensure compliance with regulations. It was found that under the previous version 14.6 of the iPhone operating system, identifiers used for personalization of ads were automatically read without obtaining consent when a user visited the App Store. The complaint focused on the default activation of the "Personalized Advertisements" privacy setting in the iOS and macOS operating systems of devices sold by Apple. This default setting did not allow users to validly consent to advertising targeting processing, and required them to perform multiple actions to disable it. The DPA stated that this made it difficult for users to give prior consent, as the option was not integrated into the phone's initialization process and was buried too deep in the settings. As a result, the DPA determined that Apple violated Article 82 of the French Data Protection Act.
Outcome
Apple was found to have contravened Article 82 of the French Data Protection Act by the DPA. Although Apple made efforts to address the shortcomings of iOS 14.6 by introducing a new consent box in iOS 15, this was deemed insufficient to fully address the breaches that occurred. Consequently, the DPA imposed a fine of €8,000,000 on Apple after taking into account various mitigating and aggravating factors.
Parties
French DPA (CNIL) and Apple Distribution International
Case number
CNIL: SAN-2022-025
Decision
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in this deceptive pattern. For example, the content may be written to make the user feel that other people like them would accept the default, so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Obstruction is a type of deceptive pattern that deliberately creates obstacles or roadblocks in the user's path, making it more difficult for them to complete a desired task or take a certain action. It is used to exhaust users and make them give up, when their goals are contrary to the business's revenue or growth objectives. It is also sometimes used to soften up users in preparation for a bigger deception. When users are frustrated or fatigued, they become more susceptible to manipulation.
Related laws
Consent is a voluntary agreement by an individual to the processing of their personal data, after being informed of its specific purposes and conditions.
Users must give informed and unambiguous consent and receive clear information about cookies, including processing purposes and data controller identity, according to the law.