Italy Fines Apple $115M for App Tracking Transparency

Italy fined Apple €98.6 million ($115 million) on December 22, 2025, for anticompetitive conduct related to its App Tracking Transparency (ATT) policy. The Italian competition authority (AGCM) ruled that ATT forces developers to ask users for tracking permission twice—once through Apple’s prompt and again to comply with EU privacy law (GDPR)—creating an unfair “double consent” burden that harms competitors while benefiting Apple. This is the first major regulatory action against ATT, which Apple has championed as a privacy shield since launching it in April 2021.

The “Double Consent” Trap

Apple’s ATT policy requires developers to show a tracking permission prompt before accessing users’ Identifier for Advertisers (IDFA). However, ATT consent doesn’t meet GDPR legal standards, forcing EU developers to ask permission twice for the same purpose. As a result, users see Apple’s ATT popup first, make a decision, then see a separate GDPR-compliant consent prompt inside the app, and make the same decision again.

According to the AGCM’s official ruling, “the terms of the ATT policy are imposed unilaterally and harm the interests of Apple’s commercial partners, and were found to be disproportionate to the achievement of the company’s stated data protection objectives.” Italy argues Apple could achieve the same privacy goals through a “single step” consent process that satisfies both ATT and GDPR requirements. Instead, the double consent creates compliance burdens (developers must implement two separate systems), user frustration (asked twice for the same thing), and disproportionate harm to small developers who rely on ad revenue.

Apple: “Privacy Is a Fundamental Right”

Apple “strongly disagrees” with Italy’s ruling, stating it “disregards important privacy protections” provided by ATT. The company insists ATT gives users control over tracking, applies equally to all developers (including Apple), and has been “praised by privacy advocates and data protection authorities around the world, including the Garante” (Italy’s own data protection authority).

“Privacy is a fundamental human right,” Apple said in a statement, “and we created App Tracking Transparency to give users a simple way to control whether companies can track their activity across other apps and websites.” The company claims ATT rules “apply equally to all developers, including Apple.” Privacy advocates did praise ATT when it launched in April 2021, calling it a “significant step forward for user privacy protection.” Furthermore, user adoption has increased steadily: from 16% opt-in rates in May 2021 to 34% in 2023, reaching 46-51% by Q1 2024.

Italy’s Verdict: Privacy Can Be Anticompetitive

Italy found Apple holds a “super-dominant position” in its market (iOS/App Store) and abused that dominance by imposing ATT terms unilaterally on developers. The ruling violates Article 102 of the Treaty on the Functioning of the European Union (TFEU), which prohibits abuse of dominant market position through unfair trading conditions. Article 102 requires two elements: (1) dominant position and (2) abusive conduct. Dominance isn’t illegal; abuse of dominance is.

AGCM determined ATT is “disproportionate”—Apple could protect privacy through a single consent mechanism instead of forcing double prompts. The investigation was conducted “in coordination with the European Commission, other national competition authorities, and Italy’s Data Protection Authority.” Moreover, this isn’t Italy going rogue. The EU designated Apple as a “gatekeeper” under the Digital Markets Act in September 2023, fined it €500M for DMA violations in April 2025, and is aggressively enforcing competition law against Big Tech. Italy’s ATT fine fits a pattern: Privacy is acceptable, selective enforcement that harms competitors isn’t.

Related: ServiceNow $7.75B Armis Bet: AI Security Panic or Genius?

Meta Lost $12.8B, Small Devs Caught in Crossfire

ATT decimated ad-supported apps’ revenue, with Meta (Facebook, Instagram) losing an estimated $10-12.8 billion in 2022 alone. The impact stems from high opt-out rates—75% for social apps—and reduced ad targeting accuracy, forcing developers to scramble for alternative monetization strategies. Meta told investors ATT would cost “about $10 billion in lost revenue” in 2022. Consequently, a Lotame study estimated the loss at $12.8 billion.

Opt-in rates vary dramatically by category: Gaming apps see 37% opt-in (highest), e-commerce 34%, social 26%, and education just 7% (lowest). Meta CFO Susan Li said the company is “making progress in mitigating the direct impact” through AI-enhanced ad targeting. However, Meta’s Sheryl Sandberg claimed ATT “created headwinds for others in the industry… and advantaged Apple’s own advertising business.” While Meta has resources to adapt, small developers can’t afford billion-dollar losses or R&D budgets. The double consent burden makes monetization even harder in the EU, where developers face both ATT and GDPR compliance costs.

Privacy Theater or Genuine Protection?

Italy’s fine forces a critical question: Can privacy features be anticompetitive? The answer is yes, when they’re applied unfairly. ATT isn’t inherently wrong—user privacy is important—but the “double consent” problem and selective enforcement suggest Apple may be using privacy as a competitive weapon. Privacy advocates praise ATT; competition regulators condemn it. Both are right.

The irony is striking: Italy’s data protection authority (Garante) supports ATT, while Italy’s competition authority (AGCM) fines Apple for it. The pattern raises questions. Apple claims ATT applies equally to all, but competitors allege advantage. Apple has 90 days to comply (by March 2025). The company will appeal, but other EU countries may follow Italy’s lead. Nevertheless, potential outcomes include a single consent solution that satisfies both privacy and competition law, ATT restructuring, or a prolonged legal battle.

What Happens Next

• Apple has 90 days to comply (by March 2025) or face further penalties. The company will appeal the €98.6M fine.
• Other EU countries may follow Italy’s lead on ATT enforcement, creating EU-wide pressure for changes.
• Potential solutions include single consent mechanism that satisfies both ATT and GDPR requirements, eliminating the double burden.
• Broader precedent for Big Tech: Privacy features face competition law scrutiny when applied unfairly or disproportionately.
• Privacy isn’t a shield for anticompetitive behavior. Apple’s ATT crosses that line when it forces double consent in the EU while claiming to protect users.

The privacy paradox is real: Protecting users is noble, but crushing competitors under the guise of privacy isn’t. Italy’s fine exposes the tension between privacy protection and competition law—and suggests Apple’s ATT leans too far toward market control.