- The purpose of any action that intends to access, by electronic means, information already stored in his/her electronic devices, or any information saved in his/her devices;
- By what means he/she can object to such action”.
On 29th December 2022, the CNIL (Commission Nationale de l’Informatique et des Libertés), the independent French administrative authority in charge of ensuring legal compliance with regards to the protection of personal information in the gathering, storing and processing of data, announced that it had issued a € 3 million fine to VOODOO SAS, a game developer for smartphones. The enquiry against VOODOO had been launched by CNIL itself, who had noticed that when their games were downloaded and the user denied consent to data-tracking for advertising purposes, a notification would appear on screen informing that the tracking system was inoperative, and that only random and non-targeted advertisements would be displayed. However, this supposed ‘inoperative’ status was not in fact the reality, since the company still accessed and read the technical identifier “IDVF” (“Identifier for Vendors”) assigned to the user. In fact, during a check carried out on 19th August 2021 on an Apple device with an iOS operating system, it was found that when the user opened an application downloaded from VOODOO for the first time, an ‘ATT request’ was displayed to obtain his consent for the tracking of the data processed by all the applications that had been downloaded on his smartphone up to that point in time. Irrespective of the user’s response (who could either give or withhold consent), a second VOODOO-specific window would appear immediately afterwards, however, when the user clicked on ‘Ask the app not to track my activity’, this window did not include any button or checkbox to obtain his consent to other forms of personalised advertising. Rather, the user was only required to declare that he/she was over 16 years old and to accept the company’s data protection policy. This offence perpetrated was in breach of Article 82 of the French Data Protection Act, which, incorporating Article 5(3) of the ePrivacy Directive, states that “any user or subscriber of an electronic communications service must be informed clearly and comprehensively by the responsible data processor or its representative, if not done in advance, of the following: