Apple hit with privacy complaints over iPhone tracking tool

Apple's Identifier for Advertisers activates without consent and violates the EU's Cookie Law, say privacy campaigners

An Apple store with a giant Apple logo

A privacy group has filed complaints against Apple over a tool in iOS 14 that allegedly tracks iPhone user behaviour without consent.  

The Noyb group, led by privacy campaigner Max Schrems, has filed complaints with the German and Spanish data protection authorities under the EU's Cookie Law

The group claims that Apple's Identifier for Advertisers (IDFA) activates when a user sets up an iPhone without offering a chance to consent or even notifying them of its existence. The IDFA is a type of code that stores online behavioural data. It acts as 'license plate' for each iPhone, that third-parties can use to target individuals with advertising.  

The complaint is based on Article 5(3) of the EU Cookie Law, or ePrivacy Directive, which allows both Spanish and German authorities to impose penalties on Apple without cooperation with the EU. 

The Cookie Law is an older legal act that was passed in 2002 to deal with cookies, data retention and unsolicited e-mailing. Although a directive and not regulation, the law is legally binding in all member states, much like GDPR, but it's open to some interpretation. 

Noyb has chosen this avenue of complaint to avoid GDPR and what it called its "endless procedures".

"As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR," the group says. 

Noyb is also involved in legal action against Facebook, which is GDPR-based. However, this is the first privacy complaint filed against Apple in the EU.

Apple has recently announced plans to change its IDFA system, restricting use for third-parties, but not for Apple itself, according to Noyb. 

"We believe that Apple violated the law before, now and after these changes," said Stefano Rossetti, Noyb's privacy lawyer.

"With our complaints, we want to enforce a simple principle: trackers are illegal unless a user freely consents. The IDFA should not only be restricted but permanently deleted. Smartphones are the most intimate device for most people and they must be tracker-free by default." 

In a statement given to IT Pro, an Apple spokesperson slammed Nyob's accusations as "inaccurate" and said it "looks forward to making that clear to privacy regulators should they examine the complaint."

"Apple does not access or use the IDFA on a user’s device for any purpose. Our aim is always to protect the privacy of our users and our latest software release, iOS 14, is giving users even greater control over whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers," the spokesperson continued.

"Our practices comply with European law and support and advance the aims of the GDPR and the ePrivacy Directive, which is to give people full control over their data.”

There is a similar system used by Google, according to Noyb, which it is also looking into.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
350,000 Spotify users hacked in credential stuffing attack
Security

350,000 Spotify users hacked in credential stuffing attack

24 Nov 2020