"Apple’s IDFA gets targeted in strategic EU privacy complaints", 16 November 2020

A unique device identifier that Apple assigns to each iPhone for third parties to track users for ad targeting — aka the IDFA (Identifier for Advertisers) — is itself now the target of two new complaints filed by European privacy campaign not-for-profit, noyb.

The complaints, lodged with German and Spanish data protection authorities, contend that Apple’s setting of the IDFA breaches regional privacy laws on digital tracking because iOS users are not asked for their consent for the initial storage of the identifier.

While Apple isn’t the typical target for digital privacy campaigners...its marketing rhetoric around taking special care over user privacy can look awkward when set against the existence of an Identifier for Advertisers baked into its hardware.

In the European Union there’s a specific legal dimension to this awkwardness — as existing laws require explicit consent from users to (non-essential) tracking. Noyb’s complaints cite Article 5(3) of the EU’s ePrivacy Directive, which mandates that users must be asked for consent to the storage of ad-tracking technologies such as cookies. (And noyb argues the IDFA is just like a tracking cookie but for iPhones.)

Europe’s top court further strengthened the requirement last year when it made it clear that consent for non-essential tracking must be obtained prior to storing or accessing the trackers. The CJEU also ruled that such consent cannot be implied or assumed — such as by the use of pre-checked “consent” boxes...

The company has now sent us this statement:

The claims made against Apple in this complaint are factually inaccurate and we look forward to making that clear to privacy regulators should they examine the complaint...