By Paul Lanois
On 17 January 2023, the CNIL announced that it had imposed a fine of 3 million euros on Voodoo, a company that publishes video games for smartphones, for using the technical identifier IDFV for advertising purposes without the user’s consent.
Usually, when a publisher offers an application on the App Store, Apple provides it with a technical identifier, the “IDentifier For Vendors” (or IDFV), which allows the publisher to track how users use its applications. An IDFV is assigned to every user and is identical for all the applications distributed by one publisher, and therefore, in this case, for all of Voodoo’s applications. Combined with other information from the smartphone, the IDFV makes it possible to track people’s browsing habits, including the categories of games they opt for, in order to personalize the ads each of them sees.
According to the CNIL, when a user opens a Voodoo game, a first window designed by Apple (App Tracking Transparency or ATT) is presented to the user in order to collect consent for the tracking of their activities on applications downloaded on their smartphone. When a user refuses this “ATT request”, Voodoo displays a second window explaining that advertising tracking has been deactivated and specifying that non-personalized ads will still be offered.
However, the CNIL observed that when a user refuses advertising tracking, Voodoo still reads the technical identifier associated with this user (IDFV) and still processes the information linked to their browsing habits for advertising purposes. It therefore does so without consent and in contradiction with what it states in the information screen it displays.
This was found to be a breach of Article 82 of the French Data Protection Act, and the CNIL therefore issued a fine of 3 million euros against Voodoo. The CNIL justified this amount by the number of people concerned, the financial benefits obtained as a result of the breach and the company’s turnover for 2020 and 2021.
In addition to the administrative fine, the CNIL also issued an order requiring that, within three months from the notification of the decision, Voodoo collect the user’s consent prior to the use of the IDFV for advertising purposes. Otherwise, the company will have to pay 20,000 euros per day of delay.