France’s $160 Million Apple Fine Puts App Tracking on Alert

April 2, 2025, 9:00 AM UTC

Tech companies of all sizes are bracing for heightened scrutiny after France’s antitrust regulator fined Apple Inc. $162 million because its App Tracking Transparency framework made it impossible for third-party publishers to meet privacy requirements, thereby violating competition law.

Tech companies have long struggled to reconcile privacy rights with access, but Apple’s case has sparked some angst—including from the tech giant itself—because France’s antitrust watchdog didn’t suggest an alternate framework for the company to use.

The case also “exposes a broader pattern across the digital ecosystem” of consent mechanisms that enable companies to “reshape who gets access to personal data and on what terms,” Itxaso Domínguez de Olazábal, policy advisor at European Digital Rights, a Brussels-based consumer advocacy group, wrote in an email.

The Autorité de la Concurrence’s fine on Monday ended a four-year-long probe into Apple’s App Tracking Transparency system, which the regulator said prevented third-party application makers and advertisers from complying with the European Union’s privacy law, the General Data Protection Regulation.

Apple introduced the feature to give users greater control over their data, but the regulator said it required third-party apps to display a second consent pop-up after Apple’s preset prompt, rendering their use excessively complex and leading to fewer opt-ins from consumers.

As organizations seek to better control and leverage customer data for targeted advertising and other business purposes, the enforcement action highlights the tricky balance between stringent privacy protections and a fair marketplace.

“This is not a problem, not a challenge unique to Apple,” said Michael A. Gold, chair of the cybersecurity and privacy group at Jeffer Mangels Butler & Mitchell LLP. It “may not even necessarily be a challenge unique to the mega large tech firms.”

Apple’s app tracking transparency framework “gives users more control of their privacy” and has received “strong support” from “consumers, privacy advocates, and data protection authorities around the world,” a company spokesperson said Tuesday in an emailed statement. Apple said it was “disappointed” with the decision and that the regulator hasn’t required “any specific changes” to the framework.

Growing Scrutiny

Apple’s fine is the first of its kind in the European Union, lawyers said, but it comes amid heightened scrutiny of Big Tech’s collection of consumer data.

Google grappled with the tension between the two areas of law when it sought to cut off its Chrome web browser from third-party tracking tools. Google’s plan to phase out the tools—also known as cookies—was flagged by UK antitrust regulators who worried the change would stifle competition among digital advertisers.

In August 2024, Google backtracked from its years-long plan and decided to continue relying on cookies, trading some antitrust scrutiny for privacy risks as regulators warned against relying on “opaque” forms of tracking.

Meta Platforms Inc.’s “Pay or OK model,” which requires customers to choose between paying a fee or accepting tracking, was challenged under data protection laws for undermining freely given consent while preserving Meta’s access to data.

The European Data Protection Board warned last year that “offering only a paid alternative to services which involve the processing of personal data for behavioral advertising purposes should not be the default way forward for controllers.” Organizations exploring alternative consent models should ensure that the models achieve requirements listed under the GDPR, the EU regulator said.

In the US, consumers and regulators have been pushing for more clarity about how user data is obtained and shared among companies, Gold said, leading some organizations to take steps to be more transparent.

But Apple’s fine signals that moving too far away from privacy law requirements—even in the interest of improving transparency—brings risk.

“That’s what you’re seeing in this French case—they just added a layer which was considered too much. It was considered unnecessary and disproportionate,” said Morten Nissen, co-head of Bird & Bird’s international Competition & EU group.

The trend should be a warning to organizations that deploy technology that controls data access across sites or apps, regardless of their size, especially if data protection and competition enforcement authorities continue to work together.

“The question is not only whether gatekeepers (and other service providers) comply with consent requirements, but how those requirements are shaped, and who benefits from their design,” Domínguez de Olazábal said in an email.

What’s Next?

The regulator didn’t specify changes Apple should make as part of its enforcement decision. But the French data protection authority, the Commission Nationale de l’Informatique et des Libertés, had previously indicated steps the tech giant could take to better align with GDPR requirements.

The data protection authority noted that Monday’s decision highlights a “new example of cooperation” between the two regulators.

Apple is facing investigations over similar concerns in Germany, Poland, Italy, and Romania. And the EU regulators are likely collaborating on their enforcement strategy, Nissen said.

Germany and other European countries have raised other cases that sit between competition and data privacy laws, including one against Meta.

“So will this impact other countries? Yeah, probably,” Nissen said.

Apple and Meta also face fines under the EU’s Digital Markets Act, perhaps next week, Bloomberg reported. EU regulators said they won’t shy away from taking on US companies despite threats of retaliatory tariffs from President Donald Trump.

“The French case sort of indicates that when you have this very, very special position of gatekeeper or monopolist in this area, then you can’t do much wrong before you end up in an infringement,” Nissen said.

“A fine that size,” he added, “is normally aimed at sending a message.”

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Jeff Harrington at jharrington@bloombergindustry.com; David Jolly at djolly@bloombergindustry.com
