Global Privacy Updates

French Competition Authority Fines Apple €150M Alleging Market Power Abuse of Ad Privacy System

By Susan Hintze and Hansenard Piou 

Note that the Autorité has not yet published the decision in question, as it is in the process of redacting information relating to trade secrets. Please check back for updates.

On March 31st, 2025, the French Competition Authority (the Autorité), in collaboration with CNIL, announced Decision 25-D-02 of March 28, 2025, which fined Apple €150 million for allegedly abusing its market position with its App Tracking Transparency (ATT) system. The Autorité, in its summary of the decision, claimed Apple unfairly advantages its own apps and advertising practices while harming third party apps and advertising efforts, including those of small publishers.  

Launched in April 2021, the ATT system requires third-party iOS and iPadOS apps to obtain user consent for collection of data for targeted advertising purposes through a consent-management popup before the app’s use. Upon such consent, the app would gain access to the device’s Identifier for Advertisers (IDFA). Prior to the launch of the ATT system, several associations raised concern that the ATT process was “an obstacle to the possibilities of carrying out targeted advertising for users of Apple devices,” but the Autorité declined to issue interim measures. 

While acknowledging that Apple’s privacy objectives for the ATT system are legitimate, the Autorité noted Apple’s ability to influence the business models of third-party mobile app publishers and stated that Apple must implement its privacy objectives in a way that balances its responsibility as a dominant operator of a digital platform. The Autorité held that, under French competition law, the ATT system is an abuse of Apple’s dominance because its means of implementing the system are neither necessary nor proportionate to meet those privacy objectives. Instead, the Autorité found Apple’s privacy implementation places an asymmetric burden on third-party publishers as compared to Apple’s treatment of its own applications.

The Autorité based this finding of asymmetry on three factors:

  • A December 2022 CNIL opinion stated that third party mobile app publishers are unable to rely on the Apple ATT system’s popup for compliance with their own consent requirements under data protection law. Consequently, mobile apps are forced to obtain two separate consents, resulting in excessively complex consent collection for the user.

  • While these systems require two acceptances to grant lawful consent, the denial of consent needs only to be given once.

  • While third-party publishers have to collect double consent, such a structure does not apply to Apple’s own apps. Since small adjustments could have prevented this asymmetry, the Autorité found it unnecessary and noncompliant with competition law. 

The Autorité noted that the ATT system affects all app publishers, but it is particularly harmful for smaller publishers without other targeted advertising methods for revenue. 

This collaboration between the Autorité and CNIL, pursuant to their joint December 2023 statement and CNIL’s recommendations for mobile apps, highlights the agencies’ willingness to act jointly to investigate and enforce matters that impact competition and privacy law.

The case also illustrates the need for platform providers with market power to consider implementing privacy frameworks that not only safeguard consumers but also guard against potentially harmful economic impacts on competitors. Such privacy frameworks should not be unnecessarily complex for users and should not place higher burdens on third parties than the platform provider places on itself.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Susan Hintze is Co-Managing Partner at Hintze Law PLLC. Recognized by Chambers, Legal 500, & Best Lawyers, Susan and her firm are leaders in their field. Susan serves on the International Association of Privacy Professionals (IAPP) Board of Directors and is an IAPP Westin Emeritus Fellow. She is also co-chair of the firm’s Regulatory Defense Group.

Hansenard Piou is an Associate at Hintze Law PLLC with experience in global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.  

Analysis of the Unpublished 2022 Decisions of the Polish DPA

By Deb Gray

Our friends at KL&M Law, in Warsaw, Poland, were kind enough to share unpublished decisions from the data protection authority (DPA) of Poland (UODO) that they obtained as part of a recent information request. The resulting report, on nearly 80 decisions, is divided into thematic sections: Marketing, Financial sector, Insurance sector, COVID and health information, Publicly available data, Labor issues, Claims, Video surveillance, Personal data breach, and Miscellaneous.


Is our U.S. company subject to GDPR? New guidance on territorial scope from EDPB

By Jennifer Ruehr and Susan Lyon-Hintze

Non-EU organizations that process personal data as data controllers or processors frequently ask whether they are subject to the General Data Protection Regulation (“GDPR”). The answer depends in part on the “territorial scope” provisions in Article 3 of the GDPR. Organizations fall under the territorial scope of the GDPR when they meet one of two main criteria: the “establishment” criterion under Article 3(1) or the “targeting” criterion under Article 3(2). On November 16, 2018, the European Data Protection Board (“EDPB”) released “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)-Version for public consultation.” These guidelines provide interpretation and clarification of the Article 3 criteria that can help organizations understand and evaluate how the GDPR applies to their data processing. 


EU-U.S. Privacy Shield Details Released

On February 29, 2016, the European Commission issued a draft “adequacy decision” introducing the EU-U.S. Privacy Shield (“Privacy Shield”). The Privacy Shield replaces the U.S.-EU Safe Harbor Framework (“Safe Harbor”) as the new data transfer agreement legitimizing transfer of EU personal data to the U.S. by certifying participants. As described and linked to in the Commission’s press release, several U.S. government agencies have provided written commitments to enforce the Privacy Shield. These commitments will be published in the U.S. Federal Register.
