Italy Fines Apple €98.6M Over App Tracking Transparency: A New Regulatory Flashpoint for Privacy and Competition

What happened

Italy’s Competition Authority (AGCM) has fined Apple €98.6 million (about $115‑$116 million) for allegedly abusing its dominant position in the mobile app market through its App Tracking Transparency (ATT) framework. The regulator found that Apple’s implementation of ATT requires third‑party developers to obtain user consent twice for the same advertising data tracking (once via Apple’s ATT prompt and again via their own consent system to comply with GDPR), creating an “excessively burdensome” double‑consent process that restricts competition. Apple says it strongly disagrees with the finding and will appeal.

Who is affected

  • Apple Inc. and its units (including Apple Distribution International and Apple Italia) are directly fined.
  • Third‑party app developers on the iOS App Store face compliance and competitive challenges due to the double‑consent requirement.
  • Advertisers and advertising platforms dependent on personalized ad data are indirectly impacted by reduced access to user consent signals.

Why CISOs should care

This ruling underscores how privacy features can become regulatory liabilities when they intersect with competition law. ATT, designed as a privacy control, was evaluated not only on its privacy merits but also on competitive effects, particularly when implementation imposes disproportionate burdens on partners. CISOs should recognize that privacy and data governance strategies are now subject to multi‑jurisdictional scrutiny that blends data protection, antitrust, and market fairness, a landscape that directly influences security‑compliance programs and risk frameworks. 

3 Practical Actions for CISOs

  1. Review Consent Flows Across Regions: Examine your organization’s user consent mechanisms to ensure they meet privacy regulations and avoid unnecessary friction or duplication that regulators could flag as anticompetitive.
  2. Align Privacy Controls With Competitive Compliance: Collaborate with legal and product teams to assess how privacy features may be interpreted under competition law. Consider proactive adjustments that balance strong privacy standards with regulatory expectations in key markets such as the EU.
  3. Monitor Regulatory Trends in Privacy + Antitrust: Establish ongoing tracking of privacy enforcement actions in Europe and beyond. The Italian ruling follows similar fines in France and ongoing reviews in other EU states, underscoring that privacy policy implementation now matters beyond data protection compliance.