French mobile game developer Voodoo was fined 3 million euros by the CNIL along with an injunction under penalty for overriding its users’ refusal to track advertising on iOS.
The National Commission for Computing and Liberties made public, this Tuesday, January 17, a sanction pronounced on December 29, 2022 against Voodoo. The French mobile game publisher was fined 3 million euros for a breach of article 82 of the Data Protection Act. It did not respect the user’s choice regarding advertising tracking.
Voodoo pinned on iOS
Member of the last two promotions of the Next 40 index dear to Bruno Le Maire and French Tech, and valued at nearly 2 billion euros at the latest news (with an annual turnover of several hundred million euros), Voodoo is a start-up that weighs on the global market for publishers. It has over 6 billion downloads and 300 million monthly active users across over 200 games, including Helix Jump, Paper.io, aquapark.io, Crazy Kick or Mob Control.
But the Parisian company, which employs more than 700 people worldwide, has failed in recent years in the eyes of the CNIL. During checks carried out in 2021 and 2022 on voodoo.io and on several applications that the start-up publishes, the data policeman noticed that it was using a tracking/technical identifier for advertising purposes, without user consent, which is essential.
The checks carried out by the CNIL related to the downloading and operation of Voodoo applications on iPhone, therefore on the iOS operating system. Remember that Apple makes available to the publisher, when it offers an application on the App Store, a technical identifier system called IDentifier For Vendors (or IDFV). It allows the publisher to monitor the use made of its applications by users. Each user is assigned an IDFV, which is identical for all applications from the same publisher, in this case Voodoo.
Collecting user consent for biased advertising purposes
When combined with other information provided by the iPhone, the IDFV makes it possible to follow the habits of users, and thus to personalize the advertisements which are proposed to them. In theory, when opening a game, an Apple-powered window (this is called the “ATT Solicitation”, for App Tracking Transparency) opens in order to collect the user’s consent for tracking of his activities on the apps downloaded on his mobile.
Except that when the user refuses it from a game published by Voodoo on iOS, a second window opens, this time on his initiative directly. This states ” that ad tracking has been disabled while specifying that non-personalized ads will still be offered “, explains the CNIL. So far, so good.
But the authority realized that in reality, when a user refuses to be the subject of advertising tracking, Voodoo still reads the technical identifier attached to the user, which we were talking about above. This allows it to always process information that may indicate its browsing habits, for advertising purposes. Voodoo does not collect the user’s consent here and contradicts the second window presented to the mobile user, which constitutes a violation of the law.
In addition to the fine of 3 million euros, the CNIL has placed Voodoo under the threat of a fine of 20,000 euros per day, in the event that the company does not comply with the collection of the consent of the ‘user. She now has 3 months to do so.
Source : CNIL
1