By Susan Hintze and Hansenard Piou 

Note that the Autorité has not yet been published the decision in question as it is in process of redacting information relating to trade secrets. Please check back for updates. 

On March 31st, 2025, the French Competition Authority (the Autorité), in collaboration with CNIL, announced Decision 25-D-02 of March 28, 2025, which fined Apple €150 million for allegedly abusing its market position with its App Tracking Transparency (ATT) system. The Autorité, in its summary of the decision, claimed Apple unfairly advantages its own apps and advertising practices while harming third party apps and advertising efforts, including those of small publishers.  

Launched in April 2021, the ATT system requires third-party iOS and iPadOS apps to obtain user consent for collection of data for targeted advertising purposes through a consent-management popup before the app’s use. Upon such consent, the app would gain access to the device’s Identifier for Advertisers (IDFA). Prior to the launch of the ATT system, several associations raised concern that the ATT process was “an obstacle to the possibilities of carrying out targeted advertising for users of Apple devices,” but the Autorité declined to issue interim measures. 

While acknowledging that Apple’s privacy objectives for the ATT system are legitimate, the Autorité noted Apple’s ability to influence the business models of third-party mobile app publishers and stated that Apple must implement its privacy objectives in a way that balances its responsibility as a dominant operator of a digital platform. The Autorité held that under the French competition law, the ATT system is an abuse of Apple’s dominance as its means for implementing the system is neither necessary nor proportionate to meet those privacy objectives. Instead, the Autorité found Apple’s privacy implementation places an asymmetric burden on third party publishers as compared to Apple’s treatment of its own applications. 

The Autorité based this finding of asymmetry on three factors:

• A December 2022 CNIL opinion stated that third party mobile app publishers are unable to rely on the Apple ATT system’s popup for compliance with their own consent requirements under data protection law. Consequently, mobile apps are forced to obtain two separate consents, resulting in excessively complex consent collection for the user.

• While these systems require two acceptances to grant lawful consent, the denial of consent needs only to be given once.

• While third-party publishers have to collect double consent, such a structure does not apply to Apple’s own apps. Since small adjustments could have prevented this asymmetry, the Autorité found it unnecessary and noncompliant with competition law. 

The Autorité noted that the ATT system affects all app publishers, but it is particularly harmful for smaller publishers without other targeted advertising methods for revenue. 

This collaboration between the Autorité and CNIL, pursuant to its joint December 2023 statement and CNIL’s recommendations for mobile apps, highlights the agencies’ willingness to act jointly to investigate and enforce matters that impact competition and privacy law. 

The case also represents the need for platform providers with market power to consider implementing privacy frameworks that not only safeguard consumers but also safeguard against the potential harmful economic impacts to competitors. Such privacy frameworks should not be unnecessarily complex for users and should not place higher burdens on third parties than the platform provider places on itself. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Susan Hintze is Co-Managing Partner at Hintze Law PLLC. Recognized by Chambers, Legal 500, & Best Lawyers, Susan and her firm are leaders in their field. Susan serves on the International Association of Privacy Professionals (IAPP) Board of Directors and is an IAPP Westin Emeritus Fellow. She is also co-chair of the firm’s Regulatory Defense Group.

Hansenard Piou is an Associate at Hintze Law PLLC with experience in global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.