New Apple policy
“You’re being tracked” was a phrase once known only from spy movies. Now it’s an everyday occurrence for practically everyone who uses the Internet. On the surface, it’s a win-win deal – Internet companies earn money on our data (mainly through profiled advertising), and Internet users get free services in return (social media, email inbox, or news services). In practice, this transaction hides one significant flaw – we do not know exactly what data, to whom, and for what purposes we give in exchange for the benefits of the Internet. In April 2021, Apple decided to take a small step to change this… and caused a stir worth billions of dollars.
The modification Apple introduced was referred to as ‘App Tracking Transparency’. In practice, it meant that any app installed on an Apple device (iOS version 14) that wishes to collect data about the device and the user should first obtain the user’s permission via a dedicated prompt.
The newly introduced rule looks innocent, but it has had a striking effect. According to sources, among iPhone users, permission is granted in only 4% of cases. Consequently, Apple’s new privacy rules have caused a drop in revenue generated from personalised advertising of around 10 billion on the part of giants such as Snap, Facebook, Twitter, and YouTube – in just a few months since the new rules were introduced. You can read more about the financial implications in the Financial Times article.
Reaction of the online advertising industry
Experts agree that it will take time and new solutions to return to the old high levels of revenue and effectiveness of personalised ads. For it seems that the trend of giving users more control over their privacy settings will spread to more companies, devices, and services. The question remains open: how will the giants of online advertising react to this trend? Perhaps it will lead to a strategy where users are encouraged (or even bribed) to give appropriate consents, which is not a bad thing if the consents are given in an informed manner and their scope is set proportionally and transparently. In the second scenario, the major players in online advertising will seek to circumvent the new rules and attempt to identify (or categorise) users despite them choosing a high level in their privacy settings. Rumours of attempts to introduce such workarounds to Apple’s policy have already surfaced, as we can read in a 9to5mac.com article. More shockingly, according to recent reports, some administrators of leading mobile apps are simply ignoring Apple’s latest policy and the choices made by users, as we can read in an article by mediianews.com.
The legal foundations of privacy
There is no dispute that a thriving online advertising market is necessary to maintain and further develop free online services. Probably no one nowadays imagines that services such as Facebook, YouTube, Gmail, or Onet will be closed due to deprivation of their advertising revenues or exist only in paid versions. On the other hand, users’ awareness and expectations regarding privacy are constantly increasing. The expectations of internet users already have a strong basis in European law.
The obligation to obtain consent for tracking internet users’ activity stems both from the GDPR (in the case where the user can be identified) and the Directive 2002/58/EC on privacy and electronic communications (also in the case of an anonymous user). The problem is that standards on the internet market have long been set by US companies, which sometimes approach European regulations with a wink. This was also the case here. It was widely accepted in the industry that “cookie consent” is itself a browser setting that defaults to a ‘medium’ level of privacy, with the vast majority of internet users unaware of exactly what this means and what the implications are. This state of affairs has persisted for an extended period. The CJEU ruling C-673/17 (Planet49) of 1 October 2019 clearly indicated that a user giving consent to have their online activity tracked by cookies should be given clear and comprehensive information about its scope and that the consent itself should be free, specific and informed – regardless of whether the user can be identified and the information collected about them qualifies as personal data.
Set against reality, the aforementioned judgment C-673/17 does not look good. When using mobile apps and websites, every internet user is confronted every day with cookie boxes and privacy policies that mention consent to collect information about the user and his or her device. These consents practically never contain clear and specific information, and the Internet user is forced to give them in bulk – simultaneously for different purposes and to multiple entities.
Apple’s decision to introduce a new policy is a small step towards giving internet users the right to the basics of privacy. The next necessary step is to improve the quality of the information provided by internet companies about exactly what data is collected, to whom it is transferred, and for what specific purposes it will be used. So far, the generalities contained in cookie policies about data being passed on to ‘business partners’ and data being used ‘for marketing and statistical purposes’ explain nothing in practice and are of no value to internet users. The final stage is to ensure that every user has a real choice as to how much privacy he or she waives and in return for what and to guarantee that the Internet user has the right to control and change the scope of his or her data at any time by means of a convenient and easy-to-use tool.
Until the three steps mentioned above are carried out by the major Internet companies, online privacy will remain largely fiction. It is to be hoped that these companies will, through evolution, become convinced and implement the solutions that Apple’s new policy has initiated. As the current example has shown, the financial risk is very high in this case. Companies dependent on online advertising revenue should therefore think hard about how they can ask Internet users for consent in a new way (this time meeting the requirements of freedom, awareness, and concreteness) while at the same time presenting a benefits package that raises the proportion of consent given from the current 4% to many times that amount. If such steps are not taken, we can expect more and more decisions and judgments imposing ever-higher fines on Internet companies. Alternatively, a change introduced by lawmakers that would clearly indicate which data (and to what extent) the provider of free Internet service is entitled to use to cover its costs of operation, and which data and purposes require additional consent from the user, remains to be considered.
“The apple of discord”, according to Greek mythology, was thrown by the goddess Eris during the wedding of Thetis and Peleus and became the cause of a dispute between Hera, Aphrodite, and Athena for the title of most beautiful. This event became the source of the Trojan War. It seems that the apple has again (this time its American version) become the cause of a global war. This time, however, the disagreement is not over who is the most beautiful, but over a fundamental issue for the virtual world – users’ right to privacy. Unfortunately, it does not seem that the new war will turn out to be shorter or less bloody than its mythological predecessor, as big money is at stake. It remains to be hoped, however, that the main players in this conflict will in time find their way to a compromise that restores the basics of online privacy while preserving the free services to which we have become so attached.
Author: Bartosz Mysiak, attorney at law, personal data protection practice at LSW. He specialises in intellectual property law, new technology law, media and advertising law, consumer rights and personal data protection.