EU Privacy Complaints Target Apple's IDFA

A distinctive device identifier that Apple assigns to each iPhone to enable third parties to track users for advertising purposes—commonly known as the IDFA (Identifier for Advertisers)—is now the subject of two newly submitted complaints by noyb, a European privacy advocacy organization.

The complaints, presented to data protection authorities in Germany and Spain, assert that Apple’s implementation of the IDFA infringes upon regional privacy regulations concerning digital tracking, as iOS users are not requested to provide consent for the initial storage of this identifier.

Noyb is also challenging the ability of others to access the IDFA without prior authorization—with one complainant stating they never granted permission for third-party access, yet discovered multiple applications had shared their IDFA with Facebook, as evidenced by their off-Facebook activity log.

We have contacted the relevant data protection agencies for their response. Update: Spain’s AEPD has acknowledged receipt of noyb’s complaint and indicated it will conduct an investigation—declining to offer further commentary at this time.

Although Apple is not typically the focus of digital privacy concerns, given its primary revenue source is hardware and software sales rather than user profiling for ad targeting—as is the case with adtech companies like Facebook and Google—its public commitment to user privacy appears inconsistent with the existence of an Identifier for Advertisers integrated into its devices.

Within the European Union, this inconsistency raises a specific legal issue—as current legislation mandates explicit user consent for (non-essential) tracking activities. Noyb’s complaints reference Article 5(3) of the EU’s ePrivacy Directive, which requires users to be asked for consent before the storage of ad-tracking technologies, such as cookies. (Noyb contends that the IDFA functions similarly to a tracking cookie, but for iPhones.)

Europe’s highest court reinforced this consent requirement last year by clarifying that approval for non-essential tracking must be obtained before storing or accessing trackers. The CJEU also determined that consent cannot be implied or presumed—for example, through pre-checked “consent” boxes.

In a press statement regarding the complaints, Stefano Rossetti, a privacy lawyer at noyb, explains: “EU law safeguards our devices from external tracking. Tracking is permissible only with explicit user consent. This straightforward principle applies regardless of the tracking technology employed. While Apple has introduced features in its browser to block cookies, it incorporates comparable codes into its phones without obtaining any user consent. This constitutes a clear violation of EU privacy laws.”

Apple has historically maintained control over how third parties utilizing apps on its iOS platform can employ the IDFA, using the threat of removal from its App Store to ensure adherence to its guidelines.

More recently, the company has taken further steps—informing advertisers this summer that they will soon be required to provide users with an option to opt-out of ad tracking, a move presented as enhancing privacy controls for iOS users—although Apple postponed the implementation of this policy until early next year following objections from advertisers regarding the proposed plan. The intention is to introduce a toggle within iOS 14 that users must activate before a third-party app can access the IDFA to monitor in-app activity for ad targeting.

However, noyb’s complaint centers on Apple’s initial assignment of the IDFA—arguing that, as this pseudonymized identifier constitutes personal data under EU law, the company must obtain permission before creating and storing it on devices.

“The IDFA is akin to a ‘digital license plate’. Every user action can be linked to this ‘license plate’ and utilized to construct a detailed user profile. This profile can subsequently be used to deliver personalized advertisements, in-app purchases, promotions, and more. Compared to conventional internet tracking IDs, the IDFA is simply a ‘tracking ID within a mobile phone’ rather than a tracking ID in a browser cookie,” noyb states in one complaint, noting that Apple’s privacy policy does not specify the legal justification for “placing and processing” the IDFA.

Noyb also asserts that Apple’s planned modifications to IDFA access—announced for early 2021—do not go far enough.

“These changes appear to restrict the use of the IDFA for third parties (but not for Apple itself),” it explains. “Similar to how an app requests access to the camera or microphone, the plans envision a new dialog box asking the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s utilization of it will still occur without user consent, thus violating EU law. The timing of these changes, and whether they will be implemented, remains uncertain.”

We contacted Apple for a statement regarding noyb’s complaints, but an Apple spokesperson indicated at the time of writing that they did not have an official response. Update: The company has since provided us with the following statement:

In a separate, but related, recent development, publishers and advertisers in France filed an antitrust complaint last month against the iPhone manufacturer concerning its plan to mandate opt-in consent for accessing the IDFA—the coalition arguing that this action constitutes an abuse of market dominance.

Apple responded to the antitrust complaint with a statement asserting: “With iOS 14, we’re empowering users to choose whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers.”

“We firmly believe that privacy is a fundamental human right and support the European Union’s leadership in protecting privacy with robust laws such as the GDPR (General Data Protection Regulation),” Apple added at that time.

This antitrust complaint may explain noyb’s decision to file its own strategic complaints against Apple’s IDFA. Essentially, if a tracker ID cannot be created—because an iOS user declines to provide consent—there is less opportunity for advertisers to challenge privacy measures by claiming tracking is a competitive necessity.

“We believe that Apple violated the law previously, currently, and will continue to do so after these changes,” stated Rossetti in another statement. “With our complaints, we aim to enforce a simple principle: trackers are unlawful unless a user freely consents. The IDFA should not merely be restricted, but permanently deleted. Smartphones are the most personal devices for many individuals and should be tracker-free by default.”

Another noteworthy aspect of the noyb complaints is that they are being filed under the ePrivacy Directive, rather than under Europe’s (more recent) General Data Protection Regulation. This allows noyb to direct the complaints to specific EU data protection agencies, rather than having them routed to Ireland’s DPC—under the GDPR’s one-stop-shop mechanism for handling cross-border cases.

The organization hopes this approach will expedite regulatory action. “These cases are based on the ‘old’ cookie law and do not trigger the cooperation mechanism of the GDPR. In other words, we are attempting to avoid protracted procedures like those we are currently facing in Ireland,” added Rossetti.