On December 16, 2025 the Italian Competition Authority (“AGCM” or “Authority”) concluded an antitrust investigation against Apple, carried out in coordination with several other authorities finding that it abused of its dominant position by imposing to third-party app developers a more restrictive consent framework to track users’ data compared to that mandated by privacy regulations and applied by Apple to its own services (the “Decision”)[1]. According to the AGCM, by doing so Apple was able to collect more valuable users’ data than third-party developers, thus advantaging its own advertising services and revenues over those of third-party developers.
The context of the investigation and the fine
On May 2, 2023, following a compliant by Meta, AGCM initiated proceedings against Apple Distribution International Ltd. and Apple Italia S.r.l. for an alleged infringement of art. 102 TFEU: the proceedings concerned Apple’s App Tracking Transparency (“ATT“) framework introduced in iOS 14.5, which required third-party app developers to display an additional Apple-controlled consent prompt for tracking users’ data across services for targeted advertising purposes, going beyond the Apple’s standard Consent Management Platform (CMP) prompt mandated by privacy regulations.
In the 200-pages long Decision, the Authority concluded that Apple committed an exploitative abuse under Article 102(a) TFEU, ordering to immediately cease the conduct and refrain from analogous practices, ultimately imposing a total fine in the excess of EUR 98 million[2]. Apple must submit a compliance report within three months.
Notably, the Authority’s investigation and Decision were coordinated with the European Commission and with parallel enforcement proceedings by the French Autorité de la Concurrence (which also imposed a fine of EUR 150,000,000 upon Apple[3]), the Bundeskartellamt,[4] and the competition authorities of Poland[5] and Romania[6]. Moreover, the Authority also cooperated with the Italian data protection authority (the “Garante“) as well as with the privacy watchdogs of the other member States involved.
The relevant markets identified by the Authority
The AGCM identified three relevant markets as interested by the conduct:
(i) the provision to developers of platforms for online distribution of applications to iOS users;
(ii) the production and sale of smart mobile devices (smartphones and tablets) based on smart mobile operating systems, primarily iOS and Android (the smart mobile devices market); and
(iii) online advertising, particularly non-search (or display) online mobile in-app targeted advertising and related ad tech intermediation services, treated as distinct markets with a tendency towards national scope.
With respect to market (i), the Authority identified the provision to developers of digital platforms for the online distribution of applications as distinct product market from the provision of the same platforms to consumers as they are governed by distinct contractual terms and serve different needs, albeit they all form part of the same overall two-sided market. Further, of note, according to the Authority’s investigation the Apple App Store constitutes, as a matter of fact, the sole channel for native iOS app distribution: while Apple has now opened its platforms to third-party app stores due to the Digital Markets Act, most users still resort to the App Store as it comes pre-installed with each iOS device and there is still a small number of third-party stores with only a handful of apps available, while the App Store hosts most of applications. Google Play was not considered a substitute to the App Store, but rather a complement, thus reflecting developers’ multi-homing and users’ single-homing patterns of behaviour. The geographic scope was deemed to encompass at least the EEA, where Apple applies uniform ATT rules.
The Authority also identified Market (ii) as connected to the conduct, considering that Apple holds market power by providing a vertically integrated, closed ecosystem, which locks a large share of end-users long-term into the choice to use iOS operating system and Apple mobile devices.
With respect to market (iii), the Authority analysed the function and dynamics of the entire online/digital advertising industry supply chain and its relevant market segmentation. Following the macro-distinction between search and non-search online advertising markets, the Authority identified as particularly relevant for the investigation the segment for non-search advertising displayed to users inside mobile applications (in-app), and the related tech-intermediation services (ad-tech) that connect the demand of advertisers with the offering of app developers.
The abusive conduct and theory of harm
The Authority contends that Apple introduced the ATT policy for third-party developers without a proper and effective negotiation with them, directly enforcing compliance through app review processes and the threat of removal from the App Store of non-compliant applications. According to the AGCM’s findings, the introduction of such rules effectively resulted – only for third-party developers – in a duplication of consent requests within Apple’s mobile operating system, since the ATT policy screen overlapped with the prompt that developers must already display to users to comply with privacy regulations. By comparison, the consent framework applicable to Apple’s own services and application did not feature such duplication as it offered consumers an integrated consent framework.
Of note, AGCM also requested the advice of the Garante (the Italian privacy watchdog), which issued an opinion according to the Italian protection legislation and determined that the duplication of consent prompts was “not necessary” under applicable privacy rules. It clarified that consent could be obtained through a single, granular mechanism and the need for the ATT prompt for third parties derived from Apple’s internal industrial and technical set-up and choices, not from legal obligation under the applicable privacy rules.
The Authority classified the conduct as exploitative abuse under Article 102(a) TFEU: it found that the dominant undertaking imposed unfair, non-objective, non-transparent, and disproportionate conditions on the modalities for obtaining user consent to tracking for targeted advertising purposes. Weighing the overall facts against the Authority’s reasoning, one may argue that the decisive factor in finding an abuse was that ATT restrictions only applied to third-party developers but not to Apple’s own advertising service (i.e. Apple Ads) within the App Store. Although the AGCM argued that evidence of effects was unnecessary for this type of conduct (as inherently capable of harming customers and competitors), according to its investigation this For instance, consent denial under the ATT framework entailed blocking access to certain identifiers for advertisers, which demoted the advertising value of the collected data.
As a result, the Authority concluded that the ATT framework materially reduced third-party developers’ capacity to monetise through personalised advertising to the advantage of the dominant undertaking’s own services and revenues, thus ultimately reducing incentives to innovation and choice for consumers.
Practical Implications of the Decision
This Decision targets possible competitive harm arising from ATT’s discriminatory and exploitative consent architecture. Indeed, the investigation clearly aims at curbing consent interface practices that may advantage gatekeepers in hoarding and accumulating big data from users for advertising and marketing purposes to the detriment of third-party developers (and ad-tech intermediaries trading their data), driving advertisers’ demand and financing back to gatekeepers’ services. According to the Authority’s findings, the sanctioned conduct is capable of significantly lowering consent rates compared to the standard consent prompts (and Android equivalents), as well as of altering monetisation metrics (CPM and ARPU) and advertisers costs (CPA) to the detriment of third-party developers’ revenues and expansion, when compared to the conditions that Apple’s own services continued to benefit from.
Of note, to this end AGCM construed the conduct as an exploitative abuse rather than as exclusionary: the latter would have required evidence of foreclosure effects against competitors in the same or connected markets, while the former requires imposition of “unfair” (i.e., disproportionate) conditions to customers by the dominant company to its own advantage, irrespective of whether the customers are also competitors of the dominant company in any relevant market defined according to rigorous antitrust criteria.
By doing this, the Decision seemingly extended the scope of exploitative abuse doctrine to conditions imposed by gatekeepers to third-party businesses in closed ecosystems, applying a proportionality scrutiny to purported privacy-protective measures. It established that data protection measures may come to constitute an exploitative abuse when the conditions imposed – albeit more protective for consumers – are either discriminatory or disproportionate to the disadvantage of third-party developers than those applying to the gatekeeper’s own services, thus being capable of hampering ad-supported business models.
A previous finding of abuse by the Bundeskartellamt (confirmed by the CJEU[9]) with respect to consent practices of a digital platform to track or collect personal data only affected final users of digital platform services since the harm consisted in making denial of consent more difficult. By contrast, the conduct concerned in the Decision makes denial of consent more likely for consumers whilst it harms third-party developers’ interest.
Conclusively, the Decision signals intensified regulatory coordination and substantive convergence of national competition authorities across major EU jurisdictions in pursuing competition objectives against privacy-related conduct of digital platforms, with implications for ongoing multi-level compliance efforts with the Digital Markets Act, data protection rules and consumer protection laws. Indeed, this investigation of the AGCM is another notable instance of how different pieces of legislations and the related public objectives – the protection of consumers, personal data and competition/DMA or other sector regulation – may interplay over a same conduct regarding personal data in the digital sphere.
Ultimately, this decision also marks the AGCM’s ability to retain jurisdiction and the role of main regulator in the digital field in Italy (with significant cross-border influence) despite the overlap of competences with the European Commission, other Member States’ competition authorities and privacy watchdogs[10].
[1] The Decision is available here.
[2] EUR 98,635,416.67.
[3] This decision is available here.
[4] See the press release here.
[5] See the press release here.
[6] See the press release here.
[7] CPM is an advertising metric representing the cost per one thousand ad impressions: CPM is calculated by dividing the campaign cost by impressions, then multiplying by 1,000.
[8] ARPU measures the average revenue generated per user over a specific period: ARPU is calculated by dividing the total revenue by the number of active users.
[9] Case C-252/21.
[10] For another recent decision of the AGCM marking this trend see our previous article published here.
