Video Games and Privacy Infringement: Voodoo is fined 3 Million Euros

On 29th December 2022, the CNIL (Commission Nationale de l’Informatique et des Libertés), the independent French administrative authority in charge of ensuring legal compliance with regard to the protection of personal information in the gathering, storing and processing of data, announced that it had issued a € 3 million fine to VOODOO SAS, a game developer for smartphones. The enquiry against VOODOO had been launched by the CNIL itself, which had noticed that when VOODOO’s games were downloaded and the user denied consent to data-tracking for advertising purposes, a notification would appear on screen stating that the tracking system was inoperative and that only random and non-targeted advertisements would be displayed. However, this supposed ‘inoperative’ status did not reflect reality, since the company still accessed and read the technical identifier “IDFV” (“Identifier for Vendors”) assigned to the user. In fact, during a check carried out on 19th August 2021 on an Apple device with an iOS operating system, it was found that when the user opened an application downloaded from VOODOO for the first time, an ‘ATT request’ was displayed to obtain his consent for the tracking of the data processed by all the applications that had been downloaded on his smartphone up to that point in time. Irrespective of the user’s response (who could either give or withhold consent), a second VOODOO-specific window would appear immediately afterwards. However, when the user clicked on ‘Ask the app not to track my activity’, this window did not include any button or checkbox to obtain his consent to other forms of personalised advertising. Rather, the user was only required to declare that he/she was over 16 years old and to accept the company’s data protection policy.
This offence was in breach of Article 82 of the French Data Protection Act, which, incorporating Article 5(3) of the ePrivacy Directive, states that “any user or subscriber of an electronic communications service must be informed clearly and comprehensively by the responsible data processor or its representative, if not done in advance, of the following:
  1. The purpose of any action that intends to access, by electronic means, information already stored in his/her electronic devices, or any information saved in his/her devices;
  2. By what means he/she can object to such action”. 
Access to information stored or saved in users’ devices can thus take place only on the condition that the user has expressly given their consent, according to the terms set out by the software. VOODOO’s defence consisted in the claim that the information provided to users was not misleading, but rather was not very clear, and in any case was not aimed at infringing Article 82 of the above-mentioned law. They further claimed in their defence that the data-tracking request was issued to the user each time they made a download from VOODOO (unless the user had deactivated the respective authorisation themselves), and not just once for all VOODOO applications. On top of the administrative sanction, the CNIL also ordered VOODOO to ensure compliance with French privacy legislation within a strict deadline of three months, and to use the technical identifier ‘IDFV’ for advertising purposes only once the user’s explicit consent has been obtained. Failure to comply with this request will result in the company being subject to a penalty of € 20,000.00 for each day of delay.