VOODOO (the controller) – €3,000,000 Fine (France, 2022)

VOODOO ('provider') was a mobile game developer. The investigation service of the French DPA (the investigation service) carried out several checks on voodoo.io and on several of the provider's mobile applications on iOS, in particular to check cookies and trackers deposited on user devices. The investigation service followed the path of a user who downloaded one of the provider's apps and opened the application for the first time. The user would be presented with a window, designed by APPLE, called "App Tracking Transparency" (hereinafter "the first window"). The purpose of this first window was to obtain consent from the user to let the provider track the user's activities on the provider's applications. The user had two options in the first window, either to accept tracking by the provider or to decline it. Whatever option the data subject would choose, a second window, designed by the provider, would show up after the first window. In this second window, the user only had to certify that they were over the age of sixteen. Also, the user had to accept the provider’s personal data protection policy. When the user clicked on "Ask the app not to track my activities" in the first window, the second window would contain a text indicating that the user's iPhone settings prevented “tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". The controller also stated in this second window that "Data protection is a key issue for Voodoo and we respect your choice." The DPA noted that in this scenario, the IDFA, APPLE's own advertising identifier, was not read but replaced by a string of zeros. Therefore, the provider would not be able to read this identifier. However, the DPA found that in this scenario, another cookie called 'the IDFV' was read by the provider for advertising purposes. The IDFV ("Identifier For Vendors") was a cookie provided by Apple to the publisher of an app in the Apple App store. This cookie allow