A privacy group led by prominent activist Max Schrems has filed complaints against Apple in Germany and Spain, for allegedly enabling app developers to track iPhone users for ad purposes.
The complaints center on the Identifier for Advertising (IDFA) -- an alphanumeric string that allows developers to track mobile users across different apps.
“Apple’s operating system creates the IDFA without user’s knowledge or consent,” Schrem's organization, Nyob, says. The group adds that the IDFA allows Apple and third parties to track users' behavior and provide personalized advertising.
An Apple spokesperson says the claims in the complaint are “factually inaccurate.”
“Apple does not access or use the IDFA on a user’s device for any purpose,” the spokesperson states, adding that the company complies with European law.
The complaint alleges that IDFAs are “very similar” to cookies -- which can be used to track people across the web, but not across apps.
“The IDFA is like a 'digital license plate,' the complaints allege. “Every action of the user can be linked to the 'license plate' and used to build a rich profile about the user.”
The organization says Apple is violating the EU “Cookie Law” -- which predates the General Data Protection Regulation, and which requires that users consent to some forms of tracking.
Currently, consumers who want to prevent advertisers from using the IDFA for ad targeting must activate the "limit ad tracking” option.
But Apple says that beginning next year, its iOS 14 operating system will only allow apps to use the IDFA if consumers explicitly consent on an app-by-app basis.
The U.S. ad industry objects to that decision, and is pressing Apple to reverse course.
In Europe, the Interactive Advertising Bureau France and other groups brought an antitrust complaint against Apple in Europe over the planned privacy settings, arguing that the decision to prevent developers from accessing the IDFA without opt-in consent is “anticompetitive.”
Schrems has brought numerous privacy cases in Europe, including one that resulted in the EU's highest court striking down a transatlantic privacy pact that had allowed companies to easily transfer EU citizens' data to the United States.