A pressure group set up by Austrian privacy activist and lawyer Max Schrems has launched a new campaign in France, this time complaining that Google's Android advertising tool violates European Union rules by failing to get users' consent.
noyb (none of your business), established by Schrems to take on the Internet giants and others over perceived privacy violations in Europe, said it launched action against the Android Advertising Identifier (AAID) claiming that the "somewhat hidden ID" allows Google and all apps on the phone to track a user and combine information about online and mobile behavior.
"While these trackers clearly require the users' consent (as known from 'cookie banners'), Google neglects this legal requirement," said noyb.
It said the complaint against the AAID was filed to the Data Protection Authority (CNIL) of France.
The group has made similar complaints against Apple's Identifier for Advertisers (IDFA), as part of a larger project aimed at removing hidden tracking identifiers from the mobile environment.
noyb claims that Google's software creates the AAID without the user's knowledge or consent. It then not only installs the AAID without consent, but it also denies users the option of deleting it, the group said.
"As we have proven in our previous complaint filed in Austria, users can merely 'reset' the ID and are forced to generate a new tracking ID to replace the existing one. This neither deletes the data that was collected before, nor stops tracking going forward," noyb said.
noyb points out that there are about 450 million active mobile phones in the European Union. Of these, about 306 million use Android.
Stefano Rossetti, privacy lawyer at noyb.eu, said: "The extent of this case is bewildering. Almost all Android users seem to be affected by this technology. We therefore hope that the French CNIL will take action."
noyb explained that since the complaint is based on the e-Privacy directive, the French authority is able to make a decision without the need for cooperation with other EU Data Protection Authorities, as under GDPR. "Should the authority adhere to the complainant's interpretation, the amount of the sanction could be substantial," it suggests.
Schrems and noyb put the online giants on notice when Europe's new General Data Protection Regulation (GDPR) came into force in May 2018.
To mark the arrival of the new privacy rules, noyb filed four complaints targeting Facebook, Google, Instagram and WhatsApp, drawing data regulators' attention to what it sees as the online giants' attempts to impose "forced consent" on their users.
According to the group, GDPR prohibits such "forced consent" and "any form of bundling a service with the requirement to consent."
- Regulators say Apple tracking code breaks EU law
- Is Facebook facing the end of EU-US data transfers?
- Eurobites: Facebook Faces Privacy Class Action
- Eurobites: Privacy Champion Slams Web Giants Over GDPR Tactics
- Eurobites: Most EU States Still Not Ready for GDPR
- Top 4 GDPR Misconceptions
— Anne Morris, contributing editor, special to Light Reading