On December 29, 2022, the French data protection agency — the Commission nationale de l’informatique et des libertés (CNIL) – imposed a €3 million fine on VOODOO for violating Article 82 of the French Data Protection Act. VOODOO, founded in 2013 and headquartered in France, publishes video games for smartphones.
Like other publishers of smartphone applications, VOODOO receives a technical identifier called “Identifier For Vendors” or “IDFV” that allows it to track the use made of the company’s applications. Likewise, every user is assigned an IDFV for all applications associated with a particular publisher that are downloaded to the user’s smartphone, allowing companies to track people’s browsing habits and thereby personalize the advertisements sent to each individual. When a user opens a video game application, an App Tracking Transparency window appears, asking for the user’s consent to the collection of data tracking the individual’s activities on downloaded applications. Users have the option of denying consent; at which time a second window appears – this one displayed by VOODOO when the downloaded application is published by it – explaining that tracking has been deactivated, and non-personalized advertisements will be offered. However, in its investigation the CNIL found that in the event consent is denied, VOODOO still reads the IDFV associated with the user, and tracks browsing information for advertising purposes.
The restricted committee of the CNIL in charge of assessing penalties determined that the use of IDFV for advertising purposes without the user’s consent constitutes a breach of Article 82 of the French Data Protection Act, which prohibits access to or recording of data from a personal device without the express consent of the user, and a clear explanation of the intended use.
In consequence, the restricted committee imposed a fine of €3 million on VOODOO, based on the company’s recorded gross turnover, the number of users involved, and the financial benefit derived by VOODOO as a result of the breach. In addition to the fine, the CNIL issued an order giving the company three months to obtain users’ consent to the use of the IDFV for targeted advertising, after which a penalty of €20,000 per day must be paid.