France fines Apple €150M for “excessive” pop-ups that let users reject tracking
212 comments
·March 31, 2025nottorp
tedunangst
I'm actually okay with the Apple Camera app asking me once and the Domino's Pizza app having to ask me twice. Who are the consumers being harmed here?
arrosenberg
It's anti-competitive. Apple owns the platform and is giving preference to it's own apps on that platform. Every non-Apple app that competes with an Apple app is harmed.
BeFlatXIII
I thought the double pop-ups were because the app asks permission to ask permission, rather than Apple requiring apps to prompt twice.
tedunangst
So the solution is Apple will be forced to trust that apps asked properly, and grant whatever permissions the app claims I agreed to? And that's going to encourage me to use more third party apps?
st3fan
This is not what this case is about.
burnte
You might be ok with it, but the regulators want Apple to treat third parties the same way they treat their own apps, and that's a good thing. Either everyone would generate two prompts, or no one, but excluding yourself is just favoritism.
LorenPechtel
Yup, it's much, much better for the rules to be exactly the same than any debate about how much difference is permitted. No difference unless you can demonstrate a compelling reason for it.
rad_gruchalski
If we could expect the same level of compliance from our governments.
briandear
Apple doesn’t have a track record of abusing user privacy, unlike the plethora of third party apps that want to aggressively track you and sell that data.
surgical_fire
It doesn't really matter if you are "fine" with their anti-conpetitive behavior. They should comply to regulations properly.
tedunangst
Why do we have regulations? Who do they benefit?
ecshafer
That is borderline tautological. Apple should comply with the regulations, because they are the regulations. The regulations are there to protect users, a 3rd party application is more likely to harm the user, so less trust is warranted.
golli
And if it weren't a dominos app, but an otherwise identical or better third party app? Which through this now has a disadvantage compared to Apples app. Making it worse (regardless of how small or large that downside is) compared to whatever Apple offers, not because of having the worse product in the category, but because Apple also happens to own the otherwise unrelated operating system.
frumper
Domino's doesn't have to ask twice. They're choosing to.
st3fan
I don't think the Camera app asks for permission to use the Camera.
You could argue that choice is questionable because Apple needs to follow its own rules, but also .. it is the Camera app. I think if you don't want the Camera app to use the Camera you probably should not have opened the app at all.
ATT (App Tracking Transparency) is the dialog that says something like "Facebook would like permission to track you across apps and websites owned by other companies. Your data will be used to ... $AppProvidedExcuseHere." with "Allow Tracking" and "Ask App Not To Track" buttons.
ATT is the First consent.
The SECOND consent this case is about is the in-app consent that needs to happen according to French law. I can't give an example of that because I do not live in France but I assume this is probably some horribly designed page inside a French app that asks you to share your data with the ad surveilance industry.
maccard
> The SECOND consent this case is about is the in-app consent that needs to happen according to French law. I can't give an example of that because I do not live in France but I assume this is probably some horribly designed page inside a French app that asks you to share your data with the ad surveilance industry.
I don't live in france but I'm familiar with the popups. many apps on first install will give you an in-app prompt asking if they can send you push notifications. If you accept, you get the system prompt. if you decline, you don't. I'm not a regulator, but it seems they've misread this one IMO - they only need to provide the conseent at the platform level and can opt out at the platform level if they so wish.
wdr1
Are you also okay with Apple only asking once for Apple Advertising and making other advertising ask twice?
I don't mean ads for Apple products. I mean the ads that Apple sells in News, the App Store, where they track your behavior to personalize the ads you see and to see if you ever buy what the ad is selling.
johnnyanmac
it's not the consumers, it's the competitors. Instead of comparing apples to pizas, compare something like the Notes app compared to a 3rd party notes app. Any web/app dev knows each extra click adds friction and reduces retention, so that extra pop up can be a subtle advantadge to the one who manages the platform.
bredren
>The agency said there is an "asymmetry" in which user consent for Apple's own data collection is obtained with a single pop-up, but other publishers are "required to obtain double consent from users for tracking on third-party sites and applications."
gruez
What's even the "double confirmation" that's required?
1. the ATT permission prompt from iOS
2. a prompt from the app itself
?
crazygringo
I'm genuinely confused. Where's the double part?
When I install an app I get a single popup asking whether I want to share with advertisers or not.
I don't have to do anything twice.
Is it different in Europe or something? Is there a second popup there, and if so, what?
AlanYx
This is for system-level permissions. In third-party apps, the app asks whether you want to enable X permission and then you get an OS-level confirmation request. It's not just in Europe.
Likely they'll fall back in Europe to double-prompting as well in system apps.
chillacy
Afaik the apps don't have to ask you, they could just request the OS-level permissions. They don't do that because if you reject the request at the OS level, they can't request it again, you have to go to the Settings app to enable it and it's harder to do. So apps prefer to just nag you again and again until you say you're ready.
85392_school
Do we only care now that the permissions being requested are related to tracking?
crazygringo
I've never gotten that, I don't think? I only get the OS-level request. For ad tracking we're talking about? But even for stuff like Bluetooth or location.
I mean, I've had apps show a popup beforehand explaining what they want me to answer. But that's not required, nor does it seem common.
tarentel
I'm assuming there are additional GDPR compliance asks in Europe when using apps. If that's the case I don't see how that is Apple's fault. I wish this article was a bit better but after reading a few of them I still don't get what the actual complaint is.
ezfe
Right, but that second click isn't coming from Apple and they can't control it. The article specifically says that many apps feel like they need additional consent which means they have to request it through two channels.
If Apple doesn't feel like they need additional consent and/or doesn't use ATT-blocked systems then they don't need that.
This is stupid.
bilbo0s
Right.
I'm not sure this is fixable?
Or maybe there is widespread misunderstanding of the requirements in this scenario? But I also thought the rule was tough enough to require verifying that extra consent? Maybe it's not?
Truly confused here.
duskwuff
> I'm not sure this is fixable?
Not from Apple's end.
Apple mandates that all requests for permissions go through a single, OS-provided dialog. If a user accepts, the permission is granted; if the user rejects, the permission is not granted, and the app can't ask again. Simple enough.
App developers try to maximize their chances of getting that permission granted by adding another warm-up dialog before actually doing the official permissions request. Since those other dialogs aren't part of Apple's permissions request chain, they can be rejected by the user without consequence, and the app can present them as often as it wants.
There is nothing which requires third-party developers to use these additional dialogs. It's a design pattern (and an annoying one at that) which many developers have gravitated towards. Not all developers use it; in particular, Apple doesn't use it for their first-party apps. And apparently FCA is faulting Apple for not following that pattern themselves.
leereeves
> The article specifically says that many apps feel like they need additional consent
Are they right about that? Does Apple provide the app with confirmation that the user consented, and if they do, is it legal to rely on that confirmation?
gruez
You can definitely check on whether the user answered yes to the prompt, because if they declined you'll get a null (ie. all 0s) uuid. Whether app developers can rely on that as confirmation for tracking on their side is a purely legal question, and I wish the French government would try to resolve it on their side rather than going straight to fining Apple.
stagalooo
> Third-party publishers "cannot rely on the ATT framework to comply with their legal obligations," so they "must continue to use their own consent collection solution," the French agency said.
This absolutely sounds like a problem caused by the law and not apple. Apps can’t rely on the prompt for legal authorization (presumably because it is filtered through apples apis?) and must therefore ask themselves.
The only two solutions I see to this is either Apple can’t prompt which means they can’t protect the user or the law can change to accept the prompt as authorization to track.
maccard
> The article specifically says that many apps feel like they need additional consent which means they have to request it through two channels.
Surely the same argument can be applied to the cookie law - many sites feel like they need consent therefore it's unfair over people who think they only need one prompt.
thebruce87m
> Benoit Coeure, the head of France's competition authority, "told reporters the regulator had not spelled out how Apple should change its app, but that it was up to the company to make sure it now complied with the ruling,"
Sounds like a good shakedown to me. Wait until they tweak it then fine them again for getting it “wrong”. I wonder if they even got the chance to change anything before they were fined the first time. And all because the regulator wants users to be advertised to more?
eptcyka
Funny how this is exactly the process that one has to go through for getting an app through a review for an app store - you're told you've done something wrong, and it is up to you to fix it. The reviewer will never point out the specific issue they have with your submission.
apt-apt-apt-apt
Worse yet, if you fail to identify and fix it after several attempts, your entire account and all your apps get permanently banned with no feasible recourse.
iamkonstantin
Regulation around competition is quite clear. It’s unfortunate that Apple is the kind of company that only reacts after getting sued or fined instead of doing the right thing in the first place.
refulgentis
> "told reporters the regulator had not spelled out how Apple should change its app, but that it was up to the company to make sure it now complied with the ruling,"...shakedown
I wonder if this sheds light: if they said exactly what to do, there's a strong argument that they went too far when business regulators became UI designers.
> Wait until they tweak it then fine them again for getting it “wrong”
I don't worry too much about it, I used to work at Google, companies and regulatory authorities are in constant contact. Generally, I haven't yet seen a company claim to have addressed a situation then gotten fined again.
> And all because the regulator wants users to be advertised to more?
I can't find that bit in the article and I haven't heard it before: could you share some more?
enasterosophes
> I can't find that bit in the article and I haven't heard it before: could you share some more?
The second paragraph has what you want. From the article:
> The App Tracking Transparency (ATT) framework used by Apple on iPhones and iPads since 2021 makes the use of third-party applications too complex and hurts small companies that rely on advertising revenue ... The system harms "smaller publishers in particular since, unlike the main vertically integrated platforms, they depend to a large extent on third-party data collection to finance their business," the agency said.
Is there another way to interpret this than that the agency wants to protect advertizing and data collection practices by small businesses?
isleyaardvark
"by small businesses", and large businesses, and businesses like ad agencies that specialize in data collection and tracking.
thebruce87m
> I can't find that bit in the article and I haven't heard it before: could you share some more?
> The Autorité also found that the rules governing the interaction between the different pop-up windows displayed undermined the neutrality of the framework, causing definite economic harm to application publishers and advertising service providers.
https://www.autoritedelaconcurrence.fr/en/press-release/targ...
“Economic harm to … advertising service providers” says it implicitly.
refulgentis
I'm sorry, I'm sure I'm still missing something: my simpleton understanding is taking action to ensure neutrality, implies they want consumers to see more ads?
gruez
No good deed goes unpunished. Don't protect users' privacy, and you get flak from regulators for "not doing enough". Protect users' privacy, and you get flak from regulators because it's "too complex and hurts small companies that rely on advertising revenue". You see similar levels of cynicism directed at Google. When firefox banned third party cookies, it was almost universally welcomed, but when Chrome does it the cynics come out and say how it's actually some sort dastardly ploy to cement their position in the ad market because third party adtech firms are disproportionately harmed.
ipaddr
One benefits directly while the other doesn't. Plus many people complained.
gruez
>One benefits directly while the other doesn't.
That's the exact of cynicism I'm talking about. It doesn't matter whether banning third party was good for users or not, only whether Google (or Mozilla) stood to benefit. This is absolutely toxic because it means objectively good changes get shouted down.
> Plus many people complained.
For what, Firefox?
johnnyanmac
>It doesn't matter whether banning third party was good for users or not, only whether Google (or Mozilla) stood to benefit.
Well, yes. These are billion dollar companies. Always follow the money. The incentives change everything.
>This is absolutely toxic because it means objectively good changes get shouted down.
Probably because "objectively good" changes often follow before even more harmful decisions. Many have long lost their benefit of the double for these Big Tech trillionaifes. And the reputation is deserved.
ATMLOTTOBEER
Chrome never actually did away with third party cookies
briandear
The advertising industry was who filed the complaint, it wasn’t a bunch of normal users. If the ad industry wasn’t so shitty, I might give them the benefit of the doubt.
Nullabillity
The difference is that Firefox didn't do it as an excuse to sneak in a new tracking system instead.
dinkblam
[flagged]
epolanski
You're completely unaware of the financial shenanigans that US tech does in Europe.
I'll just leave you with the fact that Apple across two decades paid pennies in taxes in Italy (claiming few millions in revenues) because they would have bullshit like Apple Ireland selling Apple Italy iPhones for 1000€s and selling them for 1000€s plus vat.
Meanwhile Apple Ireland was buying those iPhones for the pennies it costs to make them (few hundred $ at best) and thanks to Irish corporate taxes being close to non existent (0.5%) Apple has paid virtually nothing for decades.
If you believe that us European voters love our countries to be subsidized by rich American countries you're out of your mind, but what we dislike is being taken advantage over and over.
shuckles
The Double Irish arrangement is 45 years old and used by basically every multinational in Europe.
ginko
You seriously underestimate the size of EU countries' budgets if you think $150M would even register.
null
ohgr
Indeed. If they really gave a shit they'd be getting Apple to open up their APIs so we can get data out of Reminders and Notes etc without having to resort to necromancy and hacking...
Apple need one of these https://learn.microsoft.com/en-us/openspecs/
izacus
They literally did that too via DMA. Why are you bullshitting? :)
briandear
As an Apple user, I don’t want third party apps to be able to have access to that data. Apple has earned my trust, but most third party apps have not.
I buy Apple specifically because I want the level of privacy that their platform provides. If third party devs don’t like it, they can ship for Android.
drivebyhooting
Do other apps require double consent or is it actually a dark pattern they’ve adopted:
* explain and prompt the user for consent
* if they acquiesce pop the real modal
* otherwise bide your time and try again later
The reason for this is because once you receive a rejection in the official modal you are not allowed to ask again.
TheJoeMan
Or snapchat repeatedly asking for my contacts access knowing it’s denied.
sitkack
Or WhatsApp not allowing you name contacts unless you gave it access to your entire address book so FB can have your entire FOAF graph.
vaindil
I'm traveling to Europe right now and had to install WhatsApp, and this absolutely infuriated me. You cannot start new chats with anyone (on Android at least) unless you grant it the contacts permission. I'm sure other things are limited too, like you say.
Workarounds include having the other person message you first, or manually typing wa.me/+number into your browser.
Slightly more info: https://android.stackexchange.com/questions/229390
wkat4242
Yes this practice should really be banned.
It's constantly whinging it's been denied camera access too. I really hate that app but some people I talk to use it.
gruez
>Do other apps require double consent or is it actually a dark pattern they’ve adopted:
It's specifically recommended by apple.
https://developer.apple.com/design/human-interface-guideline...
nemothekid
Apple's recommendation (as posted) actually doesn't look like double consent to me - in fact, their recommendation calls out that it should be treated like a consent form (You shouldn't be able to exit the explanation page, only continue).
App Publishers have instead used the explanation page as a "soft" consent form, so they can bug you later without being disabled at the system level.
drivebyhooting
In adtech and social media it is a calculated strategy to maximize user compliance.
ilnavigante
Speaking of dark patterns: if you try to initialize your Mac without logging in to your iCloud account, the installation process doesn't ask you to encrypt your drive, so everything is in clear by default...
FridgeSeal
Some apps have a “pre permissions” pop up telling users about what permissions they’re about to ask for, before then initiating the iOS permissions pop up.
The Apple apps go straight to the permissions pop up.
How is it Apples fault they do this?
klabb3
I think with Apple you agreed to let them do human experiments in the EULA when you’re unboxing your device. With yet-another-tower-defense games the agreement needs to be done on a per-app or at least per-publisher basis.
The native iOS permission dialog is only a consent about what the app can do locally, and doesn’t list the 1034 close partners that they will share your DNA with.
Makes me think.. one potential risk here is that vendors will band together under a common ”publisher” where apps can piggyback on consent from previous apps, just like the big guys do but without being part of the same feudal kingdom. Wouldn’t surprise me if this already happens.
airstrike
can we start also fining companies for not easily offering "no and never ask again"? the "maybe later" trend needs to die ASAP
woah
If the EU isn't fining someone for tracking users too much, they're fining them for not tracking users enough.
danieldk
That's not what is going on here, right? The complaint is that the consent process is much harder for third-party apps than Apple apps and Apple cannot give itself advantages because Apple is a gatekeeper w.r.t iOS.
A simple yes-no for third-party applications makes it easier for the user to reject tracking and doesn't make the process more cluttered than for Apple apps.
pertymcpert
Where did you get that part from?
> Third-party publishers "cannot rely on the ATT framework to comply with their legal obligations," so they "must continue to use their own consent collection solution," the French agency said. "The result is that multiple consent pop-ups are displayed, making the use of third-party applications in the iOS environment excessively complex."
It's not harder at all. France are just mad that their small advertisers have to ask for permission again which is their own choice.
johnnyanmac
The part where you said
>Third-party publishers "cannot rely on the ATT framework to comply with their legal obligation
Yeah, as apple loves to do, rules for thee but not for me.
>France are just mad that their small advertisers have to ask for permission again
Because Apple's isn't good enough, but in apple fashion you must use it (but they dont). Yeah, anti-competitive.
diggan
List of 2560 GDPR enforcements: https://www.enforcementtracker.com/
Granted, not all are fines for tracking users, but all sorts of violations. Reasoning is included in the table.
izacus
Having US corporations fund our infrastructure, culture and subsidy programs is amazing!
jonplackett
Can we just frikkin ban tracking completely and just see how that goes?
I do not really care if some businesses can no longer make money in the way they like to. I’m sure they’ll figure it out if they have to. Businesses existed for a loooooong time without tracking their customers. I’m sure they can do it again.
alabastervlog
If governments would just ban the bad shiat app vendors do that Apple tries to curb, that’d be great, as it’d remove the main reason I have little practical choice but to use Apple devices.
wkat4242
Yeah I so wish the EU would simply do this.
edelbitter
>pop-ups that let users reject tracking
No pop-up is needed to reject what is already banned union-wide. Therefore, a banner that is trying to collect my explicit+specific+informed+voluntary consent to partially lift that ban is not a "pop-up that lets users reject". Its a "pop-up that lets users surrender" some of their rights & freedoms.
barelysapient
I think Apple will need to make a new phone line. Call it the ePhone.
In a few years we can compare who got it right.
bjornsing
Refreshing to see a huge fine for too many pop-ups. It’s usually the other way around, which can be frustrating for those of us who don’t like pop-ups.
lvl155
At this point, I am convinced EU fines American tech companies for fun.
epolanski
And you're wrong.
That being said in that specific case this is odd because in general:
- EU (albeit not France) gives plenty of time to OS developers to adapt and often talks to them directly when they are as big as Apple
- The timing makes it look like with a different less disruptive administration it would've went differently
In any case US companies abusing any possible loophole for paying pennies for decades in Europe don't get any sympathy by me.
johnnyanmac
It still surprises me how far the US has declined in pretty much all qualities of life. But Hacker News still has this sect of a community that despite EU regulations. Ones they crave from American governments.
Like, do we want protections from corporations or to continue to let them stomp on using hopes they become the corporation one day?
null
caseyy
I would ordinarily say something along the lines of “don’t blatantly break laws and you won’t be fined”, but this is a minor implementation detail. There are so many bigger fish to fry in consumer rights space that it just looks petty. And it’s questionable whether a law is even broken.
Actually Apple were fined because they don't apply the same standard to their own pop-ups that allow users to reject tracking. On Apple popups you seem to need one click, while on 3rd party popups you need to confirm twice.
So the fine seems to be for treating 3rd parties differently from their own stuff.
They could make their own popups require double confirmation instead...