To quote this paper: S. CHAILLAN, “Abuse of Dominant Position and Apple: The Sanction Imposed by the French Competition Authority for Abusing Its Dominant Position in the Distribution of Mobile Applications on iOS Devices”, Competition Forum, 2025, n° 0072  https://competition-forum.com. 

The protection of user consent is a central issue in a world where data collection takes place continuously. Therefore, safeguarding this consent can be guided by the implementation of mechanisms such as Apple’s App Tracking Transparency system.

However, while the protection of privacy pursues a legitimate objective, it cannot, for that reason alone, justify disregarding conduct that constitutes an abuse of a dominant position^[1].

The answer is negative and was emphasized by the French Competition Authority in its case against Apple. Indeed, after establishing Apple’s dominant position in the market for the distribution of mobile applications on iOS devices, it was held that the ATT (App Tracking Transparency system) was neither necessary nor proportionate to the legitimate objectives put forward by the aforementioned operator. The ATT framework implemented by Apple was neither necessary nor proportionate, regardless of the legitimate objective of privacy protection. Indeed, the Authority considered it unnecessary given the existence of less restrictive alternatives, notably those proposed by the CNIL in its opinion of 17 December 2020.

Furthermore, the lack of proportionality is evident in the requirement for dual consent from third-party developers, which creates a treatment asymmetry to their detriment.

However, before understanding why Apple was sanctioned, it is useful to explain what the ATT system represents.

More specifically, the ATT prompt is designed to obtain the consumer’s consent for advertising tracking through the opening of a “second window.”

Its introduction would likely lead to consent fatigue and artificially complicate the acceptance of third-party tracking.

Consequently, the decision of the French Competition Authority serves as a reminder to Apple, which holds a dominant position in this sector and, in view of the special responsibility incumbent upon it, must ensure the fairness of the conditions it imposes on developers. The collection of this double consent was, in this case, not justified. Indeed, this did not concern the collection of valid consent under the GDPR^[2]. In this regard, the tool that allows the publisher to obtain user consent through the Consent Management Platform (CMP) window has become more complex with the introduction of the ATT, which creates an overlap of mechanisms^[3].

Precisely, this decision highlights Apple’s dominant position and the abuse committed by the operator (I), and raises questions regarding the obtaining of user consent in light of personal data protection (II).

I. The Qualification of Abuse of a Dominant Position by Apple

The abuse of a dominant position may be established against an operator for various reasons, and increased vigilance is required when dealing with technology giants such as Apple. In this case, it is appropriate to outline the procedure that gave rise to this dispute (A), in order to examine the justifications for the imposition of the sanction (B).

A. The Origin of the Procedure Initiated Against Apple

The practices implemented by Apple in the mobile application advertising sector on iOS devices were sanctioned following a procedure initially initiated by four professional associations^[4], which referred the matter to the Competition Authority..

Indeed, the complainants highlighted Apple’s dominant position in the relevant market for iOS app distribution and its abuse of market power through the requirement that developers obtain user authorization via the App Tracking Transparency system.

In parallel with the referral on the merits, these associations requested the imposition of interim measures under Article L.464-1 of the French Commercial Code. However, the Authority decided not to grant these measures, favoring a full investigation instead^[5].

Consequently, there was a phase of investigation and notification of the grievances attributed to Apple, which were made public on July 25, 2023^[6]. Specifically, Apple was accused by the Authority not only of abusing its dominant position but particularly of implementing discriminatory, non-objective, and non-transparent conditions regarding the use of user data for advertising purposes^[7].

After several years of investigation, the Competition Authority found that Apple had abused its dominant position, with the relevant market being the European market for the distribution of mobile applications on iOS devices. The abuse resulted from the implementation of the ATT system during the period from April 26, 2021, to July 25, 2023^[8]. A fine of 150 million euros was jointly imposed on Apple^[9].

Apple was also subject to an order to publish the financial sanction under Article L.464-2 of the French Commercial Code within two months from the date of notification^[10]. It thus constitutes a non-monetary obligation imposed on Apple.

The study of the procedure directed against Apple allows for an analysis of its justifications.

B. The Justifications for the Imposition of the Sanction

To better understand the decision rendered by the Authority in establishing Apple’s dominant position, it should be noted that the relevant market identified is that of mobile application distribution on iOS devices, which operates through a two-sided structure involving both application developers and end users. This closed iOS ecosystem creates structural barriers that disadvantage app developers, while its vertically integrated architecture fosters economic dependence in favor of Apple.

Consequently, due to the undertaking in a dominant position held by Apple, the company is not subject to sufficient competitive constraints and engages in conduct that results in a lock-in effect for both users and developers.

In its decision concerning the request for interim measures, the Competition Authority emphasized that Apple’s privacy protection policy responded to growing consumer demand. However, does this observation exclude an assessment of the potential anticompetitive effects under competition law? No, and it is precisely for this reason that the Authority conducted a thorough examination.

Indeed, in order to establish an abuse of a dominant position through the implementation of the ATT system, the Authority characterized Apple’s dominant position in the relevant market for iOS app distribution in the European market for the distribution of mobile applications on iOS devices, resulting from the closed and vertically integrated nature of the system. In this regard, Apple exclusively controls access to the App Store, which is the sole distribution channel for these applications.

The implementation of the ATT system results in requiring third-party application developers to obtain the explicit consent of users before accessing the Identifier for Advertisers (IDFA), which enables the advertising tracking of users. However, the introduction of this system has created a burdensome mechanism for third-party developers, who must obtain consent in two successive steps before any use of a downloaded application.

This leads to unfair transactional conditions, as data collection conducted by Apple itself is subject to only a single consent.

In fact, the sanction imposed on Apple results in particular from the unfair trading conditions implemented by this operator. Indeed, Article 102 a) of the TFEU states that an abuse of a dominant position may consist of “directly or indirectly imposing unfair purchase or selling prices or other unfair trading conditions” (Article L420-2 of the French Commercial Code transposes this principle). Apple’s dominant position in the secondary market for iOS application distribution is linked to its control of that market within a closed ecosystem, particularly through access to the App Store.

The trading conditions imposed on app developers who wish to remain on the platform subject them to the acceptance and integration of the rules arising from the ATT framework, notably through consent banners. Therefore, the establishment of all these rules effectively determines the developer’s ability to continue operating within the iOS ecosystem developed by Apple.

Furthermore, the Authority was able to highlight the closed nature of the ecosystem developed by Apple.

Indeed, iOS can only be used on smartphones marketed by Apple, which reinforces the company’s dominant position in this relevant market. The locking of the ecosystem, initiated by Apple, could also be observed up until the entry into force of the Digital Markets Act (DMA).

Before this regulation came into effect, developers were required to offer their applications exclusively through the App Store, with no possibility of developing or distributing them via another app marketplace. The DMA now limits this practice in order to promote competition and provide greater freedom for developers.

In the present case, the DMA sheds light retrospectively on access constraints; however, the qualification of abuse remains autonomous under Article 102(a) for the period concerned^[11].

However, the authority considers that these are neither objective nor transparent conditions, since the operator itself did not apply the rules derived from this framework. Consequently, this creates an asymmetry of treatment from which Apple cannot exempt itself, as it benefits from a more favorable channel for obtaining user consent.

Furthermore, the Authority considers it discriminatory to impose more burdensome conditions on developers to obtain end-user consent, while Apple itself is not subject to the same requirements^[12].

Indeed, this amounts to a practice of asymmetry of treatment leading to unfair conditions in favor of Apple, and these stricter consent requirements are likely to create a competitive disadvantage within the iOS advertising ecosystem, which is a direct result of Apple’s conduct. Owing to its dominant position, Apple unilaterally imposed discriminatory conditions to the detriment of third-party developers. Moreover, this conduct continued for a period of 26 months, which, for a company of such economic power, is far from insignificant.

Thus, the final consequence highlighted by the Authority must be understood in light of the discriminatory effect resulting from the introduction of the ATT framework, to the detriment of developers.

The sanction imposed by the Authority is therefore easily understood in view of Apple’s conduct, which was not merely occasional but occurred over an extended period of time.

II. The Collection of Consent in Relation to the Protection of User’ Data

The conduct attributed to Apple lies primarily in the absence of necessary and proportionate justifications for the implementation of the ATT system, which nonetheless raises questions regarding the objective of protecting users’ privacy (A). However, the pursuit of this protection must not result in the imposition of unjustified conditions on third-party developers in light of the consent granted by the user (B).

A. The protection of users’ privacy in light of the ATT system

The protection of users’ privacy through the introduction of Apple’s ATT system appears, at first glance, to fall within a legitimate objective of data protection in a world where digital technology holds a predominant place^[13].

Indeed, this protection meets a growing demand from consumers, according to the authority.

However, the latter has also emphasized that the pursuit of such an objective does not exempt the operator from its responsibility under Article 102 of the TFEU and Article L. 420-2 of the French Commercial Code, in view of the implementation of an anti-competitive practice likely to cause harm. In this case, it is legitimate to question why Apple imposed this system on third-party developers but did not apply it to itself.

Indeed, if the pursuit of privacy protection is so essential to the digital policy conducted by Apple, it is equally legitimate that the company should apply this system to itself.

Through these arguments, there does not seem to emerge a conflict between privacy protection and competition law in determining which should prevail over the other. Rather, it is a matter of reconciling compliance with competition law and the implementation of a privacy protection policy. This is why the ADLC’s decision repeatedly states that the conduct of a company in a dominant position may, of course, pursue objectives of privacy protection, but it must not result in unilateral, discriminatory, or non-objective behavior carried out in a non-transparent manner, with the aim of granting itself competitive advantages over third-party developers.

B. Legitimate objectives insufficient in view of the implementation of unjustified conditions

The legitimacy of the ATT system can be understood in principle, as it allows for the solicitation of users’ consent.

Furthermore, if it is the end user who has control over whether or not to disclose their data, can the behavior truly be attributed to Apple? Indeed, the question arises insofar as the operator does not present an explicit statement encouraging the user to refuse the communication of their data.

Yet again, the answer deserves to be nuanced. The user who wishes to access an application quickly is more inclined to accept rather easily, without asking a multitude of questions. And it is at this point that Apple’s commercial policy on privacy protection finds its logic and can be understood. However, Apple cannot exempt its behavior in light of this argument. In fact, a double solicitation of consent from the user will lead them to pay greater attention to the information requested; they will be more inclined to refuse the communication of their data.

Consequently, this results in a decrease in the granting of consent. More specifically, the associations behind the referral to the Authority have indicated that since the implementation of the ATT system, the consent rate has dropped below 50%, compared to 60–80% before its introduction^[14]. These figures are not negligible and demonstrate the lack of justification in Apple’s conduct. To further support this decline in the granting of consent, the Authority’s decision may be cited, which explicitly states : « the user consent rate for the ATT was between 35% and 47% during 2022. This range is lower than the consent rates observed for CMPs and corresponds to figures reported by external sources indicating that the ATT acceptance rate is below 50% »^[15].

Through the presentation of this percentage range, the negative effects suffered by third-party publishers can only be acknowledged, as evidenced by the substantial decline in consent rates. In light of these figures, the reasoning pursued by the Competition Authority, which led to Apple’s sanction, is easily understood and based on unequivocal data.

In this respect, it is more a matter of complexity in obtaining consent than the establishment of a mechanism genuinely aimed at protecting privacy. Moreover, the CNIL had issued opinions in 2020 and 2022 that were intended to allow Apple to make a “marginal correction” to the ATT system in favor of compliance with competition rules. Once again, the operator’s failure to comply only reinforces the justification for the sanction imposed upon it^[16].

Thus, while the collection of user consent must be carried out in a clear and simplified manner, this does not diminish the obligation to respect competition law, as evidenced by the present case.

Diligence is expected from major operators, particularly when they hold a dominant position one which, while not prejudicial in itself, must not evolve into an abuse detrimental to other actors in the digital sphere.

Thus, this decision is particularly interesting in that it highlights the fact that the protection of privacy must remain an objective to which major operators, in particular, must pay close attention.

However, in this case, Apple’s conduct cannot be regarded as being solely motivated by that objective. Indeed, while Apple may claim to be protecting consumer well-being, as an economic actor, this cannot be its only goal without also seeking to obtain some form of advantage. Moreover, why should such a system apply only to third-party developers? Even though changes were introduced starting with iOS 15, Apple failed to implement the recommended modifications.

Such behavior by an undertaking in a dominant position cannot be tolerated, which explains why the sanction imposed on it is justified.

Sabrina CHAILLAN

^[1] Decision 25-D-02 of March 31, 2025 relating to practices implemented in the mobile application advertising sector on iOS devices (hereinafter 25-D-02) p.4 : « However, the Authority found that the design and implementation of the ATT consent request were neither necessary nor proportionate to achieve the privacy protection objectives pursued by Apple ».

^[2] 25-D-02 of March 31, 2025• 129 : « The GDPR requires data controllers to obtain the user’s freely given, specific, informed, and unambiguous consent before processing any of their personal data. Moreover, the user must be able to withdraw this consent at any time, with the same level of ease ».

^[3] 25-D-02 of March 31, 2025 • 201 : « First of all, the customization options of the ATT are in fact limited. This circumstance complicates the experience for users of third-party applications by forcing publishers to combine this system with their CMP, and sometimes with additional prompts ».

^[4] Interactive Advertising Bureau France (IAB France) ; Mobile Marketing Association France (MMA France) ; Union des entreprises de conseil et achat media (UDECAM) ; Syndicat des Régies Internet (SRI)

^[5] Decision No. 21-D-07 of March 17, 2021 concerning a request for interim measures submitted by the associations Interactive Advertising Bureau France, Mobile Marketing Association France, Union of Media Consulting and Buying Companies, and Internet Advertising Sales Houses Union, in the sector of advertising on mobile applications on iOS.

^[6] M.Lepinoy : “Mobile App Advertising on iOS: The General Rapporteur Indicates Having Notified a Grievance to the Apple Group,” 2023, p. 3

^[7] 25-D-02 of March 31, 2025 • 373 : « Regarding the legal qualification of these practices, the statement of objections establishes that the implementation of the ATT is, on the one hand, neither necessary nor proportionate to achieving the objective of protecting users’ privacy, and, on the other hand, unjustified and discriminatory in light of its non-application to Apple’s own advertising services ».

^[8] 25-D-02 of March 31, 2025 • 627 : « It has been established that the practices were implemented between 26 April 2021 and 25 July 2023 by Apple Distribution International Limited (ADI) and Apple Inc., as the authors thereof ».

^[9]-25-D-02 of March 31, 2025 Article 3: « A financial penalty in the amount of €150,000,000 is imposed, jointly and severally, on Apple Distribution International Limited, Apple Operations International Limited, and Apple Inc., for the practice referred to in Article 1 ».

^[10] 25-D-02 of March 31, 2025 •679 : « In view of the established facts and the sanctioned practice, it is appropriate, on the basis of Article L. 464-2 of the French Commercial Code, to order the publication of the summary set out on pages 3 to 5 of this decision within two months from the date of its notification ».

^[11] 25-D-02 of March 31, 2025 •381 : « Apple’s ecosystem is based on a closed system: on the one hand, third-party device manufacturers cannot obtain a license from Apple to use the iOS operating system on their own smartphones; and on the other hand, until the obligations of the Digital Markets Act (“DMA”) entered into force, app developers were not allowed to distribute their applications through any app store other than the App Store on mobile devices running iOS ».

^[12] 25-D-02 of March 31, 2025 •373 : « The Statement of Objections establishes that the implementation of ATT, on the one hand, is neither necessary nor proportionate to achieve the objective of protecting users’ privacy, and on the other hand, is unjustified and discriminatory given that it does not apply to Apple’s own advertising services ».

^[13] S. Cholet : « Apple fined €150 million for abuse of dominant position affecting the online advertising market » 2025, p.5

^[14] A.Ronzano : « BIG TECH: THE COMPETITION AUTHORITY FINES A MAJOR TECHNOLOGY COMPANY €150 MILLION FOR ABUSE OF A DOMINANT POSITION IN THE EUROPEAN MARKET FOR THE DISTRIBUTION OF MOBILE APPLICATIONS ON IOS DEVICES (APPLE) », Concurrences N° 7-2025, p.3

^[15] 25-D-02 of March 31, 2025 •551 : «  By way of comparison, according to the information provided to the investigation services by publishers, the user consent rate for the ATT was between 35% and 47% during 2022. This range is lower than the consent rates observed for CMPs and corresponds to figures reported by external sources indicating that the ATT acceptance rate is below 50% ».

^[16] Deliberation No. 2022-060 of 19 May 2022, CNIL, 1.2: “A marginal improvement to the configuration options of the ATT prompt, which does not undermine the readability specific to this window so that it may be used to obtain valid consent (notably through the inclusion of a clickable hyperlink)—would make it possible to preserve the level of user protection offered by the ATT prompt, as emphasized in paragraphs 23 to 27 of Deliberation No. 2020-137 of 17 December 2020.”