By John Gruber
Dekáf Coffee Roasters
You won’t believe it’s decaf. That’s the point.
30% off with code: DF
France Fines Apple $162M for App Tracking Transparency, Taking the Side of Surveillance Advertisers Over Users
Monday, 31 March 2025
Jon Brodkin, reporting for Ars Technica, “France Fines Apple €150M for “Excessive” Pop-Ups That Let Users Reject Tracking”:
France’s competition regulator fined Apple €150 million, saying the iPhone maker went overboard in its implementation of pop-up messages that let users consent to or reject tracking that third-party applications use for targeted advertising.
The App Tracking Transparency (ATT) framework used by Apple on iPhones and iPads since 2021 makes the use of third-party applications too complex and hurts small companies that rely on advertising revenue, said a press release today by the Autorité de la concurrence (Competition Authority). The system harms “smaller publishers in particular since, unlike the main vertically integrated platforms, they depend to a large extent on third-party data collection to finance their business,” the agency said.
User consent obtained via the ATT framework “authorizes the application in question to collect user data for targeted advertising purposes,” the agency said. “If consent is given, the application can access the Identifier for Advertisers (‘IDFA’), the identifier by which each device can be tracked through its use of third-party applications and sites.” The French investigation was triggered by a complaint lodged by advertising industry associations.
Ben Lovejoy, correctly calling the decision “bizarre” at 9to5Mac:
Complaints were made in a number of countries — some arguing that it was unfair because Apple exempts its own apps (which are in reality subject to even tighter controls), others saying the loss of revenue forced developers to raise prices to compensate. [...]
Although expected, the decision is still inexplicable. ATT involves precisely one popup asking a simple yes/no question. Additionally, Apple lets users switch on a toggle (shown above) to block apps from even asking the question. It’s especially odd given that ATT is a privacy feature, and Europe has the strongest privacy laws in the world. The EU has also previously vindicated Apple’s introduction of ATT.
It’s not inexplicable or odd if you view the decision as coming from a perspective where government bureaucracy is viewed as an inherent good, and well-intentioned process is all that matters, not actual results. Read the Autorité de la Concurrence’s decision (which they helpfully do make available in English) and it’s pretty clear:
The Autorité found that the ATT framework imposed by Apple is not necessary, insofar as the consent obtained is not valid under the applicable laws, in particular the French Data Protection Act.
In practice, the fact that publishers that so wish cannot rely on the ATT framework to comply with their legal obligations means that they must continue to use their own consent collection solutions, known as consent management platforms (“CMPs”). The result is that multiple consent pop-ups are displayed, making the use of third-party applications in the iOS environment excessively complex, as observed by the French data protection authority (Commission nationale de l’informatique et des libertés — CNIL) in a 2022 opinion issued at the request of the Autorité.
It’s ostensibly “not necessary” because French and EU privacy laws are supposedly enough, and all that’s needed. And it’s unfair because now, under ATT, third-party surveillance advertisers who seek to track users across apps on iOS need to ask permission twice — first through the clear-as-a-bell “Ask App Not to Track” / “Allow Tracking” prompt required by Apple, and again through the byzantine but ultimately toothless permission requirements of France and the EU. ATT has had measurable effects because users understand it, and they prefer not to be tracked. EU and French privacy laws are largely ineffective because, in practice, they bury users with confusion. The bureaucratic hurdles they impose are to the benefit, not detriment, of the surveillance ad industry. That’s now proven out by industry groups — the ones ATT successfully tempered — successfully getting France’s regulators to penalize Apple. Users don’t know how to lobby government bureaucracies. What the Autorité de la Concurrence is saying, in so many words, is that two layers of consent is too much, and the only one that’s necessary is the one that advertising lobbying groups don’t object to, not the one they do (but which users understand and like).
It’s clear that only one of these two things — Apple’s ATT or French/EU privacy regulations — was actually effective at reducing tracking: ATT. No one claimed that French or EU privacy laws resulted in Meta losing a fortune because they had to adjust their kleptomaniacal thievery of users’ privacy. But by all accounts, including Meta’s own, ATT cost Meta billions. And yes, ATT hurt small businesses too — small businesses that were built upon surreptitious tracking that users had neither awareness of nor control over. It’s like a consortium of sketchy pawn shops complaining to the authorities after a popular retailer successfully cracked down on an organized shoplifting/pickpocketing ring, and the authorities then fining the retailer for the damage to the pawnbrokers’ business fencing stolen goods — and for exposing the police as ineffective.
App Tracking Transparency actually accomplished, in practice, via user-focused plain-language consent, what the EU’s privacy laws were intended to do but do not. This fine boils down to France declaring that Apple shouldn’t have actually done what the EU was pretending to do. They’re acting at the behest of the very developers and advertising companies who were (and still are) trying to conduct cross-app tracking that App Tracking Transparency successfully gave users some control over.