CNIL (France) - SAN-2022-026
CNIL fines VOODOO €3M for tracking users without consent and misleading disclosures.
Summary
The French Data Protection Authority (CNIL) fined mobile game developer VOODOO €3,000,000 for violating the ePrivacy Directive and French data protection law. VOODOO collected tracking data (IDFV cookies) for personalized advertising without obtaining valid user consent, and presented misleading information about its tracking practices despite claiming to respect user privacy choices.
Full text
Help CNIL (France) - SAN-2022-026: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 10:03, 1 February 2023 view sourceKv (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators942 editsTag: Visual edit← Older edit Latest revision as of 14:25, 16 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators189 editsTag: Visual edit Line 33: Line 33: |GDPR_Article_Link_2=|GDPR_Article_Link_2= |EU_Law_Name_1=Article 5(3) Directive 2002/58/EC|EU_Law_Name_1=Article 5(3) ePrivacy Directive 2002/58/EC |EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=EN|EU_Law_Link_1=https://eur-lex.europa.eu/eli/dir/2002/58/oj |EU_Law_Name_2=|EU_Law_Name_2= |EU_Law_Link_2=|EU_Law_Link_2= Latest revision as of 14:25, 16 July 2026 CNIL - SAN-2022-026 Authority: CNIL (France) Jurisdiction: France Relevant Law: Article 5(3) ePrivacy Directive 2002/58/ECArticle 82 Loi Informatiques et Libertés Type: Investigation Outcome: Violation Found Started: Decided: 29.12.2022 Published: 17.01.2023 Fine: 3,000,000 EUR Parties: VOODOO (the controller) National Case Number/Name: SAN-2022-026 European Case Law Identifier: n/a Appeal: n/a Original Language(s): French Original Source: Légifrance (in FR) Initial Contributor: n/a The French DPA fined VOODOO, a mobile game developer, €3,000,000 for violating Article 82 of the French data protection act. VOODOO did not collect the consent of users for personalised advertising and provided misleading information regarding tracking behaviour of users. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts VOODOO ('provider') was a mobile game developer. The investigation service of the French DPA (the investigation service) carried out several checks on voodoo.io and on several of the provider's mobile applications on iOS, in particular to check cookies and trackers deposited on user devices. The investigation service followed the path of a user who downloaded one of the provider's apps and opened the application for the first time. The user would be presented with a window, designed by APPLE, called "App Tracking Transparency" (hereinafter "the first window"). The purpose of this first window was to obtain consent from the user to let the provider track the user's activities on the provider's applications. The user had two options in the first window, either to accept tracking by the provider or to decline it. Whatever option the data subject would choose, a second window, designed by the provider, would show up after the first window. In this second window, the user only had to certify that they were over the age of sixteen. Also, the user had to accept the provider’s personal data protection policy. When the user clicked on "Ask the app not to track my activities" in the first window, the second window would contain a text indicating that the user's iPhone settings prevented “tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". The controller also stated in this second window that "Data protection is a key issue for Voodoo and we respect your choice." The DPA noted that in this scenario, the IDFA, APPLE's own advertising identifier, was not read but replaced by a string of zeros. Therefore, the provider would not be able to read this identifier. However, the DPA found that in this scenario, another cookie called 'the IDFV' was read by the provider for advertising purposes. The IDFV ("Identifier For Vendors") was a cookie provided by Apple to the publisher of an app in the Apple App store. This cookie allowed the publisher to track the use of its application(s) on a user device. A separate IDFV was assigned to each user but was identical for all applications distributed by the same publisher. The provider also collected other information specific to the user's device (such as system language, device model, etc.) The controller stated in the second window that it collected this information and used the IDFV to provide non-personalised advertisements based on browsing habits. Holding According to Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive, any subscriber or user of an electronic communications service must be informed in a clear and complete manner. This is only different when these users have been informed in advance of certain details regarding the cookies: such as the purpose of any action of the provider intended to access information already stored on user devices, or to write information to a device; or details regarding the means available to users to object to these reading/writing operations. Moreover, the consent provided for in the aforementioned Article 82 must be understood within the meaning of Article 4(11) GDPR. The provider did not dispute that it read the IDFV-identifier on user devices when a user would deny tracking in the first window. The provider also confirmed that the reading of data subjects' IDFV was conducted for advertising purposes. The DPA held that the provider's use of the IDFV did not fall under the one of exceptions defined in Article 82 of the French Data Protection Act. Therefore, the provider would have to obtain the user's prior consent. The DPA stated that the provider reduced the effectiveness of the choice expressed by the user to decline tracking in the first window. The reason for this was the fact that the user had declined tracking by the provider in that window, but was now still tracked by the provider who simply used a different cookie to do so. The DPA also determined that when the user declined tracking in the first window, the second window presented to the user contained a text indicating that the user's iPhone settings prevented “tracking for the purpose of personalising ads and advertisements based on your device's advertising ID". Based on this information, The DPA considered that users would never expect their data to be used for personalised advertising purposes, since they had just rejected tracking in the first window. The French DPA further specified that the information provided by the controller in this second window did not correspond with the reality of the situation. It held that collecting information on data subjects’ browsing habits in order to offer them advertisements necessarily entailed that these advertisements could not be qualified as 'non-personalised', even though the data associated with the identifier only allowed for limited personalisation (limited to the context of the application used). The DPA thus considered that the information provided by the provider was likely to mislead data subjects regarding the consequences of refusing tracking in the first window. The French DPA held that by using the IDFV for advertising purposes without the user's consent, the provider breached its obligations under Article 82 of the French Data Protection Act. The French DPA imposed a €3,000,000 fine on the provider. It justified this amount by the number of people concerned, by the financial benefits obtained as a result of the breach and by the turnover achieved by the provider in 2020 and 2021. In addition to the administrative fine, the French DPA also ordered the provider to obtain the users consent for the use of the IDFV for advertising purposes from now on and within three months of the notification of the decision. Comment This is another decision by the CNIL in which it fined a provider for the use of cookies. Since December 2022, the CNIL has fined multiple companies for similar cookie violations. Below, you will find GDPRHub summaries for each of these decisions: Apple: CNIL (France) - Délibération SAN-2022-025 Tiktok: CNIL (France) - Délibération SAN-2022-027 du 29 décembre 202