A new class action privacy lawsuit accuses Apple of ignoring device privacy settings when it comes to its own apps, sending analytics data back to Cupertino even if the user has told it not to. It builds on a prior suit filed in California in November 2022, but the new suit goes further with accusations of violations of state wiretapping, consumer fraud and privacy laws.
When setting up a new Apple device, users are given the choice of whether or not to provide analytics data. The lead plaintiff in the original privacy lawsuit claims to have tested what Apple apps “phone home” with and found that it seemingly makes no difference what the user chooses, with the same type and volume of real-time data sent while using the App Store and other first-party apps like News and Stocks.
Apple privacy lawsuit claims “systematic” violations of state wiretapping and fraud laws
The November 2022 lawsuit claims that Apple is not only helping itself to the analytics data that the user believes that they have opted out of, it is also providing enough information (regardless of privacy settings) that devices could potentially be fingerprinted. Apple’s own App Tracking Transparency (ATT) framework requires that this level of device detail be limited to avoid the possibility of fingerprinting as an ad tracking workaround when users choose not to share their unique device ID.
The privacy lawsuit specifically names the App Store, Apple Music, Apple TV, Books and Stocks as those that were observed sending real-time analytics data even when privacy settings were enabled. The App Store was found to be phoning home with information on searches made for apps, the ads the user had seen while browsing, how those apps were encountered, and time spent examining each app download page.
The newer privacy lawsuit, filed in Pennsylvania this month, invokes state wiretapping, privacy, and consumer fraud laws on the basis of Apple’s continued collection of analytics data even after the user has opted out (and without disclosing to the user that this continues to occur). This privacy lawsuit also makes special mention of Apple advertising campaigns, which claim that users need not worry about anything that “happens on their iPhone” making it to outside observers and assuring them that they are buying into a privacy-first ecosystem.
If patterns established in prior big tech class action suits hold, the two privacy lawsuits will likely be consolidated at some point. Apple has yet to comment on either case, and has not made any more general public statements about how these privacy settings work.
Apple first-party analytics data called into question yet again
While Apple’s ATT framework has been popular with its users and generally seen as a strong move in favor of personal privacy, one of its weak points has always been the exceptions the company grants to its own apps. Apple has slowly made changes that bring its first-party apps more in line with the rules put upon third-party developers, such as asking for permission to track during installations and updates in some cases, but issues remain that have prompted prior legal charges and even antitrust scrutiny by government regulators.
Apple’s potential trouble from these privacy lawsuits hinges on a few factors. One is how courts will view its setting that claims to “disable the sharing of Device Analytics altogether.” The “altogether” could certainly be argued to create an expectation that everything on the device, including Apple’s own apps, is covered by this analytics data policy. Another is the question of how sensitive the data Apple is receiving is. Inferences about sensitive personal information, such as health status or sexual orientation, could be made from what apps and ads a user interacts with, not to mention what media they select in apps such as Books.
Apple may feel it is technically off the hook, at least in a legal sense, as it does not appear to be using the unique device ID (the focus of the ATT framework consent mechanism) to package up this personal data. Instead, it uses something called the “Directory Services Identifier” (DSID), which is tied to unique iCloud accounts. The DSID thus connects the collected analytics data to a user name, email address, phone number, and the personal data stored in their iCloud account.
Apple’s ad revenue could also become a relevant element of the privacy lawsuits, particularly given that it has gone up since the ATT framework was deployed while others (such as Meta) are seeing their market share fall. This has been the central argument of its detractors (chiefly Meta) and is also a point of interest to regulators examining the antitrust aspect. France’s lead data privacy regulator recently fined Apple over a related targeted advertising issue.