At the Worldwide Developers Conference on June 23, Apple announced an assortment of new privacy features – some quite significant for developers – that will be included as part of iOS 14. Some of the new privacy features include added protections against user tracking on apps and websites, as well as transparency measures to prevent apps from using cameras or microphones without a user’s knowledge. How location data is collected will also be impacted: iOS already enables users to block specific apps from collecting data about their location, but now users will be able to share approximate location data.
One very significant change is that app developers will now be required to disclose the types of data that their app collects, and importantly, call out specific information that could be used to track users across platforms. Inspired by nutrition labels that are typically affixed to food products, these new disclosure mandates from Apple will require developers to complete a specific form (showcased at the Worldwide Developers Conference). When users search for an app, the summary of collected data will appear alongside other information about the app.
This “privacy label” concept is certainly innovative, although – unsurprisingly – also a clear signal that the ubiquitous privacy policy is really not doing its job of accurately informing users of all data processing activities in an app or on a website. Nothing new here, and so I say unsurprisingly because many privacy notices are indeed bloated, convoluted, and time-consuming to read while still not clear enough on tracking. To be fair, however, the fact that many companies must comply with different laws around the world has done nothing to make privacy policies shorter and more to the point, despite these very same laws mandating plain language and accessibility. And on the other end of the spectrum, here in the United States, the patchwork of state and federal and sectoral rules (unlike the “uniformity” of GDPR for instance) has not been very conducive overall to companies prioritizing privacy, except with respect to certain sectors such as healthcare or certain state laws such as CCPA, which only applies to certain businesses. In many ways, with these new requirements, Apple is forcing all developers who want to use the platform to take stock of their data collection and tracking, clearly disclose their practices and comply with new user controls, where legislation has failed to impose clear, global standards.
Note also that for iOS 14, developers will be required to obtain users’ permission through Apple’s “AppTrackingTransparency” Framework in order to track them or access their device’s advertising identifier. Apple provides examples of what it considers tracking, including the display of targeted advertisements in the app based on user data collected from apps and websites owned by other companies, sharing device location data or email lists with a data broker, sharing advertising IDs or other IDs with a third-party advertising network that uses that information to retarget those users in other developers’ apps or to find similar users, placing a third-party SDK that combines user data from other apps to target advertising or measure advertising efficiency, or using an analytics SDK that re-purposes the data it collects from the app to enable targeted advertising in other developers’ apps. No doubt, these requirements will have some major implications for the many players in the adtech ecosystem, as I and others discussed with Ronan Shields in a recent article he wrote for Adweek.
So what does this all mean for developers? Apple’s latest privacy move spells the beginning of a “pay-to-play” privacy era of sorts: being transparent about data collection and use can no longer be a de minimis consideration to simply avoiding fines or lawsuits, but actually a precondition for developers to utilizing the very platform without which their products may not exist. This may be a challenge for many companies, even if it really shouldn’t be. Tracking, in particular, is an area where companies often fail to comprehend the extent to which their own platforms – and more importantly their partners – actually track users. In fact, developers often don’t fully understand how much tracking they are allowing when using third parties (e.g., advertising or analytics SDKs). Apple’s changes will now require developers who have not made privacy a priority or dismissed it as a risk-based compliance strategy to really think about all of this. For developers who have not included a privacy policy in their app as Apple has always required, it’s also time to re-evaluate how data is collected and used.
Many in the privacy world had predicted that privacy regulation would come in the form of self-regulation by private companies in the absence of global laws and proper enforcement, and despite many hits and misses, this is one instance where the private sector may perhaps do what legislation has not done: require companies to be more transparent while offering their users choices.
For more information on iOS upcoming disclosure requirements: https://developer.apple.com/app-store/user-privacy-and-data-use/.