NOYB files complaints against Apple for allowing apps to track users via apps

The privacy focused non-profit group NOYB, lead by Max Schrems, has filed 2 complaints against Apple for using Apple’s Identifier for Advertisers (“IDFA”) that allows Apple and all the app developers to track end users and combine information from their online behaviour. Just like with cookies, the ePrivacy Directive applies to the use of IDFAs and opt-in consent should be obtained for its usage.


Interestingly, at the same time Apple is facing an antitrust complaint in France over its plans to actually start forcing apps to obtain opt-in consent in accordance with the EU law. This change is allegedly anticompetitive and according to the complainants, only a few users would provide their consent to be tracked.


IDFA is like a cookie in every iPhone user’s pocket. By default, iOS automatically creates a unique IDFA for every iPhone that allows Apple, app developers as well as third party advertising networks to identify and track end users across apps.


The ePrivacy Directive’s Article 5(3) requires opt-in consent when storing ‘information’ in the end users’ terminal equipment or when using information already stored in the terminal equipments, provided that such ‘reading’ or ‘writing’ is not strictly mandatory.


According to the complaints, Apple seems to rely solely on legitimate interests to conduct its tracking and advertising activities and argues asking consent for using IDFA’s does not require consent since IDFA’s would not be ‘personal data’.


It is worth mentioning that even the Court of Justice of the EU clarified in its decision C-673/17, that the consent requirements are not to be interpreted differently according to whether or not the information stored or accessed on end user’s terminal equipment is personal data.


In addition, looking at the UK’s Information Commissioner’s Office’s ("ICO") guidelines on legitimate interests, they are quite clear that relying on legitimate interests would be unlawful if ePrivacy Directive or its national transpositions such as PECR requires consent.

See NOYB’s press release here.
See the complaint filed with the Berlin data protection authority (“BBDI”) here.
See the complaint filed with the Spanish data protection authority (“AEPD”) here.