Apple allowing Meta & Snap to skirt privacy restrictions? The industry reacts

Apple’s data privacy-focused AppTrackingTransparency (ATT) framework, which rolled out in April, enables mobile users to bar apps from tracking their activity across the web and collecting user-level information on them.

The company has been outspoken about its mission to further prioritize users’ data privacy amid growing pressure on lawmakers and tech players to crack down on advertiser and developer ‘tracking.’ In May the company even released a flashy ad highlighting the intrusive nature of app tracking. Then in June it launched a new suite of user privacy protections as part of its iOS 15 update, including Private Relay, a built-in VPN for elevated email privacy.

However, the new Financial Times report asserts that “in an unacknowledged shift” Apple is allowing some companies to “follow a much looser interpretation of its controversial privacy policy.” A handful of big tech developers from Meta and Snap claim they are still able to obtain user-level signals from iPhones – so long as that data is anonymized and aggregated so that it cannot be connected to an individual user.

Representatives from these companies pointed to Apple’s directive that developers “may not derive data from a device for the purpose of uniquely identifying it” – a statement that leaves room for approaches by which developers derive data from a given device at a group level. Using this method, targeted advertising is enabled based on groups that share similar traits or patterns of behavior. It seems Meta, Snap and others are arguing that this cohort-focused approach is allowed under Apple’s privacy rules; but for those interpreting the rules more stringently, it would seem this behavior constitutes a violation. Apple has not clarified its position on the matter and did not respond for a request for comment.

The Financial Times said: “The risk is that by allowing user-level data to be used by opaque third parties so long as they promise not to abuse it, Apple is in effect trusting the very same groups that chief executive Tim Cook has lambasted as ‘hucksters just looking to make a quick buck.’”

The news comes barely over a month after a Snap investor sued the social media platform in Los Angeles federal court for allegedly downplaying the impact that Apple’s privacy changes would have on ad revenue.

The Drum surveyed a handful of media, tech and data privacy experts on what the news means. Here’s what they said:

Greg Sterling, vice-president of market insights, Uberall

[The news that Apple is allowing Meta and Snap to collect user-level signals is] somewhat surprising given how much Apple has invested in marketing itself as a consumer-privacy centric company of late. Some people don’t believe this represents any change in policy. But it does seem to be a relaxation of previously stricter rules. There is likely to be a backlash; it’s already happening in the tech press. Apple will lose some credibility with privacy advocates and some segments of the public that are more tech savvy.

My understanding is that Apple is trying to strike a balance between consumers and developers, which isn’t a terrible thing. The problem is that aggregated and ‘anonymized’ data can be un-anonymized with ID resolution and fingerprinting. For publishers and marketers, it’s welcome news, although it doesn’t give them what they ultimately want – total user data. But it’s better than getting completely shut out of the data they need for targeting and tracking.

The unfortunate takeaway is that all technology promises are subject to self-interested revision and reneging, and that many privacy programs are more about marketing than genuine protection. Having said that, Apple is much better on privacy than most of its peers.

Alex Bauer, head of strategy, Branch

User privacy is clearly very important to Apple. It’s a core part of its market position, and it is investing significant resources into technical work to support it. At the same time, Apple can’t afford the collateral damage of accidentally killing the app ecosystem, because that ecosystem is what makes iOS such a vibrant platform.

One possibility is that Apple wants to set a precedent of cracking down on truly egregious examples of ‘tracking’ via policy enforcement, but plans to invest in long-term technical solutions such as iCloud+ Private Relay – which masks IP addresses – to eliminate what it sees as less urgent problems.

Across the board, the lift of paid user acquisition is now harder to quantify on mobile. Most advertisers believe the performance is still there, but it’s much more difficult to get the data they need to justify their existence. Modeling is now one of the hottest topics in digital marketing, because it’s one of the best ways to ensure business continuity as reliable access to raw data becomes more limited, and we’ll continue to see new innovation that improves measurability in future. In the meantime, many brands have shifted investments to places where they can still measure performance right now. Among [our own] customers, we’ve seen growing interest in both Android and owned/organic marketing channels [such as] web-to-app, email-to-app and user-driven referrals where ATT doesn’t apply.

Arielle Garcia, chief privacy officer, UM Worldwide

Given the unilateral and seemingly ambiguous-by-design approach that Apple has taken to AppTrackingTransparency implementation, this is entirely unsurprising, and is a prime example of the potential for privacy brinkmanship to create confusion and friction within the industry, and deeper mistrust with consumers.

The vast majority of the industry speculation leading up to ATT roll-out focused on limited availability of IDFA. Yet a closer look at the Apple Developer page on ‘User Privacy and Data Use’ clearly included use of email – hashed or otherwise – for what it decided to deem ‘tracking’ as subject to the opt-in prompt. This raised questions ... for brands with an Apple App Store presence on how to reconcile user choice between, for example, desktop sign-in versus iOS mobile app, while also fostering speculation on how Apple would approach enforcement.

Apple offered limited clarity on its expectations beyond what was published in its Developer FAQs, leaving app owners to parse their requirements. The ambiguity ... seemed to offer Apple wide latitude in exercising discretion in enforcement. It also created space for other tech giants to tout the importance of server-to-server integration, and had the unfortunate effect of perpetuating fingerprinting.

Meanwhile, Apple had different mechanisms for its own data use and permissioning for ‘ad personalization’ – versus for ‘tracking.’ It directed iOS users to settings that allow them to ‘turn off personalized ads on your device to limit Apple from using information to serve ads that may be more relevant to you.’ Apple has been sure to clarify that its ‘privacy features apply to all developers – including Apple,’ but [says] ‘users won’t see AppTrackingTransparency prompts from Apple because we don’t track users.’ Apple has since changed its default to require users to opt-in to ad personalization.

Nevertheless, Apple didn’t need to ‘track users,’ instead funneling users to ‘Sign-in with Apple’ via its requirement for developers to provide this option, and writing its own rules for ‘Apple Advertising’ separate from ‘Tracking’ settings.

The recent iOS 15 features to support email obfuscation and offer private relay for IP-masking indicate that Apple is taking a more systemic approach to addressing the scrutiny of its lax enforcement – offering the benefit of advancing its ‘privacy-protective’ posture, and mitigating the burden of consistently enforcing its ATT policies.

The takeaway is that privacy and personalization do not need to be mutually exclusive, but a symbiotic outcome requires multi-stakeholder collaboration on providing meaningful transparency and choice to consumers, and standards that drive accountability and responsibility for all stakeholders in the online ad ecosystem.

Elena Morin, marketing director, Sourcepoint

[This is] not very surprising – Apple was ambitious in what it set out to do, but it lacked technical measures to detect adherence.

For consumers, this will probably be overlooked. Apple’s privacy message has been so strong and it has been vocal when others haven’t. For the privacy and tech ecosystem at large, it only demonstrates the complexity of governance, and how crucial partner transparency is. The ecosystem is on a journey to change behavior and become more privacy-conscious, but the conflict between device- or app-level preferences will continue. App developers want to retain control over the consumer relationship; Apple interceded on their behalf and that caused a lot of consternation.

Even though Apple’s enforcement was lax, it doesn’t mean the issue is going away. It’s a wake-up call to change its practices and ensure the consumer relationship is strong and the value exchange clear.

Eric Lamy, lead product manager, customer data platform and digital enablement, Endeavor

The introduction of Apple’s ATT paradigm was never intended to entirely cut off access to user data, consented or otherwise, from its app developers, big or small. This was always a growth strategy for its own advertising business first, and a marketing differentiator for consumers second. Year-to-date revenue and growth projections for Apple’s ad business show how well this has gone for it, and with respect to consumer perception of privacy friendliness, the shine isn’t wearing off of Apple anytime soon.

The shift to aggregated customer data sharing from user-level has had a negative impact on the ad businesses of rivals by design, but those same rivals are also best-positioned to benefit from access to the large datasets still available, so they ultimately won’t push back with any enthusiasm at the risk of upsetting their access to customers through the Apple ecosystem.

If there is a big takeaway, it’s this: privacy theater will remain a competitive tool primarily advantageous to existing tech powerhouses until and unless regulatory action and antitrust concerns significantly burden the adtech status quo.

Don Marti, vice-president of ecosystem innovation, CafeMedia

There are clearly a lot of challenges with transparency of ad targeting practices on closed mobile and social platforms. On closed platforms, it is difficult for users or advertisers to detect illegal uses of personal information, along with fraud and other problematic practices. It is encouraging to see constructive proposals that would someday require large platform companies to improve their reporting on ad placement [such as this recent one published by the Knight First Amendment Institute at Columbia University].

Closed platforms limit what users can do to protect themselves. For example, Apple has access to all the iOS apps that are uploaded to its App Store, and should be able to detect and limit problematic data collection such as fingerprinting. App Store reviewers can see, for example, if an iOS app is trying to measure how many seconds have passed since your iPhone was turned on. A web browser can take actions to block fingerprinting or limit its accuracy – the best ways to do this are an ongoing topic of discussion at W3C – but for a native iOS app, there is only one gatekeeper – Apple. If you visit a website with fingerprinting you don’t like, you can switch browsers or add an extension to protect yourself. Only Apple can do it for you in the iOS environment.

The good news is that, on the web, we do already have some solid industry standards for advertisers who are concerned about brand safety, fraud prevention, privacy compliance and other issues. The leading independent web companies are already making business relationships transparent to users (and to privacy and brand safety advocates who act on behalf of users) through Interactive Advertising Bureau standards including ads.txt, sellers.json and the Transparency and Consent Framework.

Advertisers can use available tools to get quality, compliant ad placements on the web today. Maybe someday the closed social and app platforms will catch up.

Matt Fossen, North America communications lead, Proton

[On] an iPhone, if you go to Settings > Privacy > Tracking > Learn More, there’s a brief line three paragraphs in that says ‘App developers are responsible for ensuring they comply with your choice’ – with respect to being tracked across third-party apps for targeted advertising purposes. That [supports my belief that] true data privacy can’t operate on the honor system. Without meaningful, open-source techniques in place to protect user data, many privacy claims are just that: claims.

There will absolutely be millions of consumers that feel disappointed by the [Financial Times] report. A lot of people, especially in the United States, crave real data privacy. At the moment, the only place to get it is with a strong but small crop of privacy-first tech companies. There’s this recurring scene with big tech where people are told they aren’t being surveilled, and yet very often they find out that there was some qualifier or caveat to the promise.

For more, sign up for The Drum’s daily US newsletter here.