Apple is days away from releasing the public version of iOS14.5, which will bring a seismic shift in the way the operating system functions with respect to privacy. In particular, the operating system introduces two major changes.
The first change is a requirement that all apps must include a privacy nutrition label within the App Store that helps users better understand the app developer's privacy practices prior to download (this feature is actually already live). The second change is a requirement that all apps that use information for tracking purposes must obtain opt-in consent from the user prior to engaging in such tracking.
As a privacy lawyer in the ad tech space, I've been closely watching the dialogue around iOS14 since these changes were unveiled at WWDC last June, and I thought it would be helpful to provide my thoughts on these changes. This post reflects my own opinion, and not those of the firm or anyone else.
Positive: The Changes Will Lead to Increased Notice and Choice for Consumers
Privacy law is generally based on two concepts: notice and choice. For notice, consumers should have the right to know what data an app is collecting about them, and how that data is used, disclosed, and otherwise processed. For choice, consumers should have the right to choose how data about them is used, especially for advertising purposes. I note that boiling privacy law down to two concepts is overly simplistic, and obligations vary significantly based on the type of data processed, the type of processing operation, and the jurisdiction.
Apple's changes to iOS14 help companies address both concepts. The privacy nutrition label provides additional just-in-time notice to consumers around an app's data practices, and the opt-in provides additional choice for consumers around how an app uses their data. The opt-in also addresses another fundamental privacy concept of limiting the amount of data collected to that necessary, as further discussed below.
Positive: The Changes Will Lead to Increased Privacy Protections in the Ad Tech Ecosystem
Apple's opt-in requirement has been an area of contention for the ad tech ecosystem since it was unveiled last year because the requirement fundamentally disrupts how the ecosystem operates. Facebook, in particular, has challenged the rollout through a series of ads. While I don't think Apple gave industry stakeholders enough say in the development and rollout of the changes to iOS14.5, I do believe that Apple's requirements will ultimately push the ecosystem to be more privacy focused, which is an overall positive. To understand this point, we need some background on how ad tech works and on iOS itself.
The ad tech ecosystem allows companies to monetize and understand the effectiveness of their advertising through the collection of device information. More specifically, companies place a tag within their sites and ads, and when a user visits those sites or ads, the tag automatically collects information from the user's device, which is then processed and shared throughout the ad tech ecosystem. Facebook and Google are the two biggest players within the ad tech ecosystem, with their tags appearing on most sites and apps across the internet.
Privacy has been a major issue for the ad tech ecosystem because the types of data collected by companies could be used to identify an individual, and are often regulated by privacy law. When Apple first introduced the App Store, app developers could access a lot of information about an iOS device, including the Unique Device Identifier (UDID) and Media Access Control (MAC) Address, which were associated with the hardware of the device and could not be reset. In 2012, Apple, in an effort to provide greater privacy protections, introduced its Identifier for Advertisers (IDFA), which is a resettable identifier not associated with the hardware of the device. Over time, Apple started rejecting apps from the App Store that collected UDID or MAC Address, resulting in IDFAs becoming the prominent type of device identifier used for advertising purposes.
Up until iOS14.5, apps could automatically collect IDFAs from user devices (sometimes without users having any knowledge about the collection), and users could reset their IDFAs through their device settings menu. For years, privacy advocates have felt that IDFAs are problematic since Apple's opt-outs are buried within the settings menu and data brokers could still create profiles using the IDFAs. With the update to iOS14.5, Apple is changing the default collection of IDFAs from opt-out to opt-in, meaning that when a user first downloads an app, the app will ask the user through Apple's built-in consent mechanism to opt-in to the collection of the IDFA. If the user says no, the app will not be permitted to access to the IDFA.
Companies that have developed systems around IDFAs will need to rethink their data strategies. Apps will generally have less access to IDFAs, which may actually reduce risk for companies under privacy law. Also, companies may be able to use Apple's built-in consent mechanism to help meet their obligations under GDPR and other privacy laws, which require opt-in consent for personalized advertising. However, don't expect personal information to disappear completely from the ecosystem. First party data, which is data that apps collect directly from their users (such as name or email address), will likely become the most valuable type of data for the ad tech ecosystem.
Apple's change will also push the ad tech ecosystem forward for privacy outside of iOS. When Apple moved to IDFAs, Google moved to its own identifier for Android called the Google Advertising ID (AAID). When Apple stopped supporting third-party cookies in its Safari browser, Google announced its intent to remove support for third-party cookies from Chrome and replace support with its own solution called Privacy Sandbox. Today, on March 3, Google announced that it does not intend to build alternate identifiers to track individuals once third-party cookies have been phased out - while this announcement may seem like a big deal, it appears to be Google restating prior positions. Now that Apple has moved from opt-out to opt-in consent for IDFAs, I expect Google to similarly make collection of AAIDs opt-in.
Negative: The Privacy Nutrition Labels Will Create Confusion
While iOS 14.5 brings welcome changes for privacy, there are some major issues that need to be addressed. One such issue relates to its privacy nutrition labels.
As a general requirement under privacy law, companies must maintain clear and conspicuously posted privacy policies that disclose their data practices. Apple's privacy nutrition label is not a replacement for a company's privacy policy; rather it supplements the privacy policy. Companies must still maintain a separate privacy policy, which includes certain disclosures required by law. Because consumers will now be able to quickly glance at a privacy nutrition label, I expect some consumers may believe that the nutrition label sets out the most important aspects of a company's data practices. As a result, consumers may overlook details in a privacy policy relevant to them.
What I find confusing about Apple's privacy nutrition label requirement is that the disclosure structure is fundamentally different than that found in most privacy policies. Privacy policies are generally structured to address: (1) what information the app collects; (2) how the app uses the information; and (3) and how the app shares the information. This structure reflects the general requirements of privacy law. Apple's privacy nutrition labels, however, are structured to address (1) "Data Used to Track You"; (2) "Data Linked to You"; (3) and "Data Not Linked to You." "Tracking" is always listed above "linking" as the first item in a privacy nutrition label.
I'm not clear on why Apple structured the privacy nutrition label this way (I have my suspicions), but it is problematic for various reasons. Most importantly, the structure is confusing for consumers. Per Apple's terms, "tracking" occurs when a company (i) links identifiable data collected within their app to data collected online or offline from properties not owned by the company for purposes of targeted advertising or advertising measurement; or (ii) shares identifiable data collected within their app with a data broker. "Linking" is not clearly defined, but Apple states that data which is "personal information" or "personal data" under the law is considered linked.
I, as a privacy lawyer, had to review the above definitions multiple times in order to understand what they mean, and I don't think a reasonable consumer (or most companies for that matter) would understand the difference between "tracking" and "linking" without significant time and research. Moreover, the distinction between tracking and linking creates a false sense of security for consumers that a company which does not list tracking in its privacy nutrition label does not engage in personalized advertising. But that's not necessarily accurate. For example, where a company has access to huge amounts of first party data and never shares that data with third parties because it has set up its own internal ad tech platforms, that company could use the consumer's data to deliver personalized advertising on its own services without need to disclose in its privacy nutrition label that it engages in tracking. That doesn't seem right, and privacy nutrition labels should revolve around the purpose of the data collection, not whether the company shares the data with third parties. CCPA (and now CPRA) have a similar issue, where rights around personalized advertising are based on whether a company discloses data to a third party, as opposed to whether a company processes the data (even internally) for purposes of personalized advertising.
The privacy nutrition label structure is also burdensome and confusing for companies. Companies have spent significant time and expense crafting privacy policies to address GDPR, CCPA, and other privacy laws, and they now must address a new set of obligations set out by Apple. As a result, companies may unintentionally make representations in their privacy nutrition labels that do not align with those found in their privacy policies. This creates risk of a company engaging in practices that could be deemed unfair or deceptive under the law.
Negative: The Changes May Unfairly Increase Apple's Competitive Advantage
Some of the theoretical issues discussed above relating to the distinction between "tracking" and "linking" become quite tangible when applied to Apple.
If you review the privacy nutrition label for the Apple News app or the privacy nutrition label for the Apple TV app, you will note that Apple only lists "Data Linked to You" and "Data Not Linked to You." That is because Apple never engages in tracking as Apple defines that term. However, Apple does engage in personalized advertising within its own apps using its own first party data, and such personalized advertising is still opt-out as of this writing.
The distinction between "tracking" and "linking" also creates issues with opt-in consent. Opt-in consent is required where a company engages in tracking, but is not required where a company engages in linking. In 2018, Apple introduced the SKAdNetwork, which is an API that helps companies measure the success of their ad campaigns while maintaining user privacy. The SKAdNetwork does not pass any personal information to companies, including IDFAs. As of this writing, there are very limited options for companies to obtain data around the success of their ad campaigns through iOS without collecting IDFAs or using the SKAdNetwork. This means that with the release of iOS14.5, companies must decide whether to continue using third party tags that collect IDFAs, such as those offered by Facebook, and provide disclosure and obtain opt-in consent for the tracking, or move to the SKAdNetwork where no such disclosures or consent are required. I expect many companies will turn to Apple's solution to avoid the disclosure and consent obligations, which will strengthen Apple's position in the ad tech ecosystem.
These changes by Apple reflect a more general shift toward closed ecosystems where a few companies control large amounts of aggregated data. While less data sharing may result in less opportunity for bad players to misuse data, it also brings up questions of transparency and accountability. Who holds Apple accountable for its practices, especially when Apple sets the rules for its own platform? Google has faced similar criticism for its proposed Privacy Sandbox solution. We've seen industry initiatives, such as the formation of the Partnership for Responsible Addressable Media (PRAM), aimed to tackle some of these complex issues, and I expect a lot to change over the next year.
In sum, Apple got a lot right, but there is a lot of work to be done. Our group will continue to think about the practical implications of these changes, and cover issues as they come up.
This post first appeared in Frankfurt Kurnit's Focus on the Data blog (www.focusonthedata.com). It provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
