Italy's antitrust regulator has fined Apple and Google €10 million each for what it calls "aggressive" data practices and for not providing consumers with clear information on commercial uses of their personal data during the account creation phase.
The Autorità Garante della Concorrenza e del Mercato (AGCM) said "Google and Apple did not provide clear and immediate information on the acquisition and use of user data for commercial purposes," adding the tech companies chose to emphasize the data collection as only necessary to improve their own services and personalize user experience without offering any indication that the data could be transferred and used for other reasons.
The concerns have to do with how the companies omit relevant information when creating an account and using their services, details which the authority said are critical to making an informed decision as to whether or not to give permission for utilizing their data for commercial intent.
The lack of express user consent, the AGCM argued, not only pre-sets users' acceptance but also enables Apple and Google to subject the generated data to other kinds of processing without providing a mechanism by which consumers can confirm or change their choice on sharing their personal data.
"This acquisition architecture, prepared by Apple, does not make it possible to exercise one's will on the use of one's data for commercial purposes," the regulator noted. "Therefore, the consumer is conditioned in the choice of consumption and undergoes the transfer of personal information, which Apple can dispose of for its own promotional purposes carried out in different ways."
Google to Address Concerns with Privacy Sandbox
The development also comes as the U.K.'s Competition and Markets Authority (CMA) announced on Friday that it has secured further oversight into Google's ongoing development of Privacy Sandbox proposals to move away from third-party cookies in its Chrome web browser in the wake of severe backlash from privacy advocates, advertisers and publishers.
To that end, the CMA said that the search giant has offered to "address concerns about Google removing functionality or information before the full Privacy Sandbox changes, including by delaying enforcement of its Privacy Budget proposal, and offering commitments around the introduction of measures to reduce access to IP addresses."
In addition, Google is expected to "clarify the internal limits on the data" that the company itself can use, which involves placing restrictions to prevent the use of "first-party personal data to track users for targeting and measurement of ads shown on non-Google websites" as well as leveraging users' Chrome browsing history and Analytics data for targeting ads on Google or non-Google websites.
The move follows Google's earlier announcement in June to delay the rollout from early 2022 to late 2023, noting that "more time is needed across the ecosystem to get this right" and "evaluate the new technologies, gather feedback and iterate to ensure they meet our goals for both privacy and performance, and give all developers time to follow the best path for privacy."