Apple illegally tracks iPhone users to target them with ads, EU privacy activism group claims in lawsuit

The complaint against Apple was filed in Germany and Spain. Britta Pedersen/picture alliance via Getty Images
  • European privacy activism group Noyb has filed two complaints against Apple with regulators in Spain and Germany.
  • Noyb claimed the way Apple tracks iPhone users for advertising purposes is unlawful, because the tech giant doesn't obtain their consent first.
  • The complaint focuses on Apple's use of unique codes assigned to iPhones which track users' behavior, and allow advertisers to target them accordingly.
  • Noyb was started by privacy activist Max Schrems, who in July won a landmark case against Facebook.

Apple is staring down the barrel of a major privacy lawsuit.

In a complaint submitted to German and Spanish regulators on Monday, prominent privacy activist Max Schrems claimed Apple had broken EU privacy law by allowing iPhones to track users for advertising purposes without obtaining consent.

The complaint focuses on Apple's use of IDFA (Identifier for Advertisers) codes. These are unique codes assigned to iPhones which track users' behavior and allow advertisers to target them accordingly.


"Apple's operating system creates the IDFA without user's knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users' behaviour, elaborate consumption preferences and provide personalized advertising," Schrems' privacy campaign group Noyb — short for "none of your business" — said in a statement.

Noyb argued this was in violation of a part of the EU's e-Privacy Directive focused on cookies. "EU law protects our devices from external tracking. Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used," Stefano Rossetti, a privacy lawyer at Noyb, said in a statement.


"While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws," he added.

Apple was not immediately available for comment when contacted by Business Insider.

Noyb also signalled it is looking into a similar system operated by Google.

Apple announced in June it was going to roll out a new feature with its iOS 14 update that would show users the data their apps are collecting — such as location data, financial information, and browsing history — and ask them to opt into having that data collected, rather than have it collected by default.

In September, Apple announced it was delaying the rollout of the feature to give developers time to adapt to the change. This came after Facebook publicly complained that the change could cut its ad revenue by up to 50%.


The iPhone maker announced on November 5 that developers have until December 8 to submit information about what data they hoover up for privacy "nutrition labels" on the App Store.


Noyb's lawyers are not convinced by these proposed changes. The group said user data will still be stored by iPhones without consent, even if it is not automatically passed on to third parties.

"We believe that Apple violated the law before, now and after these changes. With our complaints, we want to enforce a simple principle: trackers are illegal, unless a user freely consents. The IDFA should not only be restricted, but permanently deleted. Smartphones are the most intimate device for most people and they must be tracker-free by default," Rossetti said.

Schrems has a proven track record of launching privacy cases against Big Tech companies. In July, the EU's top court ruled in his favor over a case he brought against Facebook in 2011, arguing the way US companies ship European user data back to America was unlawful because of concerns over US government surveillance.


In its case against Apple, Noyb deliberately filed its complaints with specific countries' authorities, rather than go via the EU, because the law it believes Apple is breaching pre-dates Europe's overarching GDPR laws.

Rossetti said the intent was to achieve faster results.

"These cases are based on the 'old' cookie law and do not trigger the cooperation mechanism of the GDPR. In other words, we are trying to avoid endless procedures like the ones we are facing in Ireland," he said.

Ireland is the data regulator for Facebook in Europe. It has wrangled with Facebook over whether the tech giant will have to stop sending EU data back to the US altogether.