Overview
Can an overzealous implementation of data privacy rules by a dominant firm trigger antitrust investigations with hefty sanctions? Under EU law, this seems to be the case. On December 23, 2025, the Italian Competition Authority (AGCM) imposed a fine of nearly €100 million on Apple for an abuse of the company's dominant position in the market for the supply to third party developers of platforms for the online distribution of apps to users of the iOS operating system. The decision is based on Article 102 Treaty on the Functioning of the European Union (TFEU) and sanctions the restrictive nature of the App Tracking Transparency (ATT) policy, imposed by Apple since April 2021, to third-party developers of apps distributed through the App Store. This case is another example of the increasing overlap between data protection and privacy, on the one hand, and competition, on the other, in recent years.
Pursuant to the ATT policy, third-party developers operating on Apple's app store are required to display an Apple-designed consent prompt asking users for permission to track their activity. Developers must obtain explicit prior authorization to access the Identifier for Advertisers (IDFA), which is necessary to collect and link user data for personalized advertising. If a user denies consent, the app is prohibited from accessing or using the IDFA for advertising purposes. According to Apple, the ATT Policy is necessary to ensure greater privacy protection for its users.
The AGCM acknowledged Apple's legitimate right to adopt measures aimed at strengthening user privacy within the iOS environment, even beyond what is strictly required by applicable privacy and data protection laws. However, following its investigation, the authority concluded that Apple's ATT policy is disproportionate to the privacy objectives pursued and imposes restrictions that unduly limit competition.
In particular, the AGCM found that the ATT policy's design allegedly prevents developers from customizing the consent prompt to make its content and purpose clear to users. As a result, the prompt used within iOS is not sufficient to satisfy the requirements of privacy and data protection laws for obtaining valid user consent. Developers are therefore compelled to issue a second consent request, via their own consent management tools, covering the same purpose, namely the collection and linking of user data for targeted advertising.
According to the AGCM, this duplication of consent requests, imposed unilaterally by Apple, creates excessive burdens for third-party developers and operators in the mobile in-app advertising sector, and is detrimental to the commercial interests of Apple's partners. The AGCM emphasized that the privacy-protection objective could have been achieved through alternative methods that were less restrictive of competition, such as a design that supports tailoring and granularity. This would have prevented the unilateral imposition of additional burdens on third-party developers, thereby avoiding the above-mentioned double consent requests for advertising purposes.
The AGCM found that Apple holds a dominant position in the market for the supply to developers of platforms for the online distribution of apps to users of the iOS operating system. By virtue of its dominant position, Apple was able to unilaterally impose the ATT policy on third-party app developers, without those being consulted beforehand. This increased burden of the consent-acquisition process led, for third-party developers, to a reduction of consent rates for advertising profiling. Given that user data is a key input for personalized online advertising, the restrictions imposed by the ATT policy on the collection, linking and use of such data are capable of harming developers whose business model relies on the sale of advertising space, as well as advertisers and advertising intermediation platforms. This impact is even more pronounced for smaller operators, which have access to more limited data and therefore encounter greater difficulties in profiling users for advertising purposes following the introduction of the ATT rules.
The investigation also found that the conduct did indeed produce effects, in terms of reduced revenues for developers and advertising platforms and increased costs for advertisers.
Moreover, the ATT rules appear capable of generating financial benefits for Apple itself, directly in the form of higher commissions collected from developers through the App Store and, indirectly, in terms of the growth of its own advertising service. As a matter of fact, revenues from App Store services increased, in terms of higher commissions collected from developers through the platform; likewise, Apple's advertising division, which is not subject to the same stringent rules, ultimately benefited from increased revenues and higher volumes of intermediated ads.
Therefore, considering that Apple holds a dominant position in the market for the supply to developers of platforms for the online distribution of apps to users of the iOS operating system, the AGCM established that Apple's conduct amounts to an exploitative abuse, in breach of Article 102 TFEU, starting in April 2021 and still ongoing at the time of the decision.
In conclusion, while the AGCM endorsed Apple's privacy-conscious approach, its decision to impose a substantial fine for a design issue that could potentially be addressed with relative ease stands in contrast to the strict stance generally taken by EU data protection authorities on data protection and privacy, particularly in relation to user consent. This outcome highlights the need for greater coordination between EU data protection authorities and competition regulators to ensure a more coherent and balanced enforcement framework.
If you would like to discuss the impact of this decision on your business, please reach out to the authors of this blog post or to another member of Steptoe's competition and data privacy teams in Europe.
