Renowned privacy activist and lawyer Max Schrems has accused Google of tracking Android users without their consent.
Schrems has filed a complaint with the French data protection regulator that accuses the tech giant of infringing the privacy rights of the more than 300 million European citizens who use Android phones by generating unique advertising codes for each user.
These Android Advertising Identifiers (AAIDs), according to Schrems’ organisation Noyb (None Of Your Business), allows both Google and third-party developers and advertisers to track users’ browsing behaviour to more effectively target them with ads.
Android creates AAIDs without the user’s knowledge or their consent, the complaint claims, meaning that Google contravenes the 2002 ePrivacy Directive, also known as the cookie law, according to Schrems. This regulation is separate from GDPR and in the process of revision.
“Imagine having coloured powder on your feet and hands that marks your every step and action: everything you touch within the mobile ecosystem,” said privacy lawyer at Noyb, Stefano Rossetti.
“And you can’t remove it – you can only change it to a different colour. This is what the Android Advertising ID is all about – a tracker that marks your every action within and beyond the mobile ecosystem.
“The extent of this case is bewildering. Almost all Android users seem to be affected by this technology. We, therefore, hope that the French CNIL will take action.”
According to the complaint, Android creates the AAID without consent and it serves as a license plate that uniquely identifies the phone. Google, as well as third parties, can then access the code to track user behaviour, elaborate consumption preferences and fine-tune targeted advertising.
Google not only installs the AAID without consent, Noyb claims, but also denies users the option of deleting it. As the organisation demonstrated in a previous complaint, users can only ‘reset’ the code and are forced to generate a new tracking AAID to replace the original.
IT Pro 20/20: Meet the companies leaving the office for good
The 15th issue of IT Pro 20/20 looks at the nature of operating a business in 2021
Filing the complaint under the ePrivacy Directive versus GDPR also means the French regulator, CNIL, will make a decision on its own, rather than needing to liaise with its European counterparts as would be required under GDPR.
This latest complaint follows a similar charge levied against Apple for a tool included with iOS 14 that tracks iPhone user behaviour without their consent. The group claimed that Apple’s IDFA stores behavioural data that operates in exactly the same way as the Android tracker the Noyb has launched its most recent complaint about.
Schrems has a track record of success when making such complaints, having previously been responsible for the complaint which invalidated the primary EU-US data-sharing mechanism, known as the Privacy Shield.
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisation
Security best practices for PostgreSQL
Securing data with PostgreSQL
Transform your MSP business into a money-making machine
Benefits and challenges of a recurring revenue model
The care and feeding of cloud
How to support cloud infrastructure post-migration