Enhanced user privacy was the main theme of the recent Worldwide Developers Conference (WWDC 2020), with Apple announcing a bold set of changes to data collection that stand to have a serious impact on the advertising industry. At least on paper. Closer examination raises some questions about how effective some of these measures will actually be in the field. For example, the new “privacy labels” that display the types of data each app has access to will apparently rely on self-reporting by the publisher.
Apple has yet to comment on how the accuracy of this reporting will be verified or what actions could be taken against app developers who do not provide accurate privacy labels, raising many questions among privacy advocates for which there are not yet any clear answers.
How Apple’s new privacy labels work
The new iOS 14 privacy labels will be available at any time for each app that is installed on a device. The labels consist of two windows: “data used to track you” and “data linked to you.” Apple head of user privacy Erik Neuenschwander said it would be “great to have something similar” to the mandatory FDA nutrition labels on packages of food that show the total calories and nutrient breakdown. Safari users will be able to click on a new icon to get a similar data collection profile from any website they visit.
The FDA labels are self-reported and not pre-approved, but they are also policed by a massive government agency that can inspect the product randomly or in response to consumer complaints. A consumer might taste too much salt and initiate a complaint, but the average iOS user will be unlikely to take apart an app’s code or monitor data transfers to determine what a developer is capturing from their device. And Apple has yet to make clear what it will do to proactively verify the accuracy of privacy labels, or how it will respond if a user suspects something is amiss.
It is a safe assumption that developers will at least be held to Apple’s existing privacy policy requirements. This includes a set of guidelines that have to be followed to keep the app on the App Store, including terms covering user data transfer and storage. There are additional privacy requirements that call for data minimization, use transparency and data protection. Apple investigates security and privacy violations when users file reports, but the user first needs to have a reason to suspect that something is wrong.
Some of the other privacy changes that are rolling out with iOS 14 will help users to control data collection, even if the privacy labels aren’t entirely clear on what the app is accessing. Users will be able to deny individual apps access to the device’s unique Identifier for Advertisers (IDFA), which is used to deliver targeted advertising. And apps can now be limited to collecting only approximate location data.
At the very least, it would appear that users will still need to check each app’s privacy policy carefully to ensure that the data collection terms line up with what is being displayed — which defeats the purpose of the privacy labels. The base privacy policies may also require an overhaul to be clearer to the end user and to hold publishers to specific reporting terms.
Data collection and developer honesty
The new privacy label system might help users to better understand what is happening with their data, provided that it is implemented properly with meaningful oversight and enforcement terms. Even so, it will still rely to a great degree on developer honesty about data collection practices.
Another big question mark in the data collection system is a set of exceptions that Apple has included regarding blocking of the IDFA. There are understandable exemptions for financial and security purposes, but Apple has also indicated that developers can be excused from requesting permission if personal information is “not sent off the device in a way that can identify the user or device.” That appears to be a vague standard that could really use some further clarification from the company.
Users do have some concrete new privacy protections in this area, however. The new iOS 14 permission system specifies that opting out of tracking means that publishers cannot draw on third-party data to display targeted ads, or share location data or email lists with data brokers. Apps that track users and violate these terms could be delisted from the App Store.
iOS 14 is scheduled for a mid-September launch, so Apple still has some time to address some of the questions regarding its new data collection policies and the content of its privacy labels.