
Is Apple’s Tracking Transparency compatible with the GDPR?

Apple’s App Tracking Transparency is the first step toward compliance with the GDPR.

What is App Tracking Transparency?

As we explain in this article, “App Tracking Transparency (ATT)” allows Apple to track an iPhone user as they navigate between the different applications they have downloaded, for tracking and targeting purposes.

This is made possible by the iOS 14.5 update, which introduces the feature. The user can either authorize or refuse it.

App Tracking Transparency and GDPR: a matter of compliance?

Asking the user for consent when opening an application is a step towards personal data protection, but it remains insufficient.

Where the user is located within the European Union, the General Data Protection Regulation (GDPR) applies by virtue of its territorial scope (Article 3), since Apple, which is based in Cupertino, California, will be processing data from users residing in the EU.

The choice displayed on the user’s screen at update time, although rather “clear, with simple terms”, is not an informed one. If a user located in the EU agrees to be tracked, the choice window makes no mention of the elements required by the GDPR in Articles 12, 13 and 14 (information of data subjects).

Once the user accepts tracking, the following data can be retrieved, depending on the accesses the application has requested on the iPhone:

  • their IP address,
  • the access ID they use for the application in question,
  • their email address,
  • their credit card number,
  • their geolocation data,
  • their postal address,
  • their phone number,
  • their last name,
  • their first name,
  • their voice recordings,
  • their photos,
  • their biometric data (fingerprints, facial recognition, etc.).

Below is an analysis of the adequacy of Apple’s App Tracking Transparency with the principles imposed by the GDPR when processing personal data:

[Chart: “Apple & GDPR”, analysis of App Tracking Transparency against the GDPR principles. Source: Orange Cyberdefense]

Conclusion

Apple’s App Tracking Transparency is a first step towards compliance with the GDPR. However, as the chart above shows, work remains to be done before it is fully compliant with European data protection law.
