Apple’s Privacy Updates: Take Steps to Prepare Your Business for New Privacy Requirements in 2021


by Justine Gottshall and Antonia Dumas

If you missed it, Apple shared the news of upcoming privacy and security updates (at its developer conference WWDC20 in June) that will affect mobile applications (on the Apple Store) and its Safari web browser. Following the conference, Apple provided some details for app privacy questions on its developer blog. Apple stated that “we believe that privacy is a fundamental human right,” showing it is taking a similar approach to data privacy as Europe. However, many of these changes are likely to be a challenge for US-based businesses, particularly where Apple’s new policies go beyond what US law requires. Note, too, that Apple is not the only company changing its privacy requirements in the near future (Google will do so as well by 2022). Businesses should therefore take steps now to prepare for the changes that are coming, starting with Apple in 2021.

What Are The Privacy Changes?

Apple requires all applications in its store to adhere to its privacy best practices. However, there are two major changes to prepare for next year:

(1) Standardized Disclosure of Privacy Practices (“Nutrition Label”)

“… App Store product pages will feature a new privacy information section to help users understand an app's privacy practices.” (See details for app privacy questions on its developer blog)

This means Apple will impose specific requirements for the disclosure of privacy practices for all applications on the Apple Store (on the product page). This new way to disclose privacy practices (possibly using a “Nutrition Label” format) will require that certain specific privacy details are provided to users (e.g., data collection, data use, data linked to the user, tracking, and privacy links). The key for businesses will be how to interpret Apple’s questions and provide the disclosures as set up by Apple without resulting in (a) incomplete disclosures (i.e., not providing enough privacy and/or security information), or (b) misleading disclosures (i.e., making any misrepresentations with no nuance or explanations).

(2) Change from Opt-Out to Opt-In Consent for Device Tracking

“In addition, on iOS 14, iPadOS 14, and tvOS 14, apps will be required to receive user permission to track users across apps or websites owned by other companies, or to access the device's advertising identifier.” (See details for app privacy questions on its developer blog).

In most cases to date, applications (and advertisers across applications) have been able to track users automatically using the device identifier assigned by Apple (ID for advertisers or IDFA) and users have had to adjust their permissions to opt-out. However, this will change drastically as Apple will require explicit consent (i.e., opt-in consent) to access the IDFA. Note, Google has decided to make some privacy changes as well (and there are rumors that it may make changes to its own mobile ad id), but currently it is anticipated that these changes will be made in phases to allow time for the development of new alternative technologies.

This change will also have an impact on evaluating application metrics and advertising. IDFA (like other device identifiers) is used to track users in order to measure data and present a clear view of a user and their behavior within an application and across applications for long periods of time (if not indefinitely). The tracking of IDs has only been interrupted by a device ID reset or when a user manually changed settings to turn off the IDs, which was not very frequent. For Apple, users had to use the toggle “Limit Ad Tracking” (LAT) option in privacy settings to reduce or eliminate tracking of IDFA. Once LAT is activated, Apple stops sharing the unique IDFAs and iOS sends a string of zeros instead. This means that, if IDFA tracking is turned off (i.e., the user does not opt-in), then it will remove the ability to identify a user at the device-level and capture user information.
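The zeroed identifier described above also matters on the receiving side: an analytics pipeline that keys on the raw IDFA would merge every opted-out device into one apparent user. The following Python code is an added example, not code from Apple or from the authors; the event field names and sample values are constructed for illustration.

```python
import uuid
from collections import defaultdict

# The "string of zeros" iOS reports when the IDFA is not available.
ZERO_IDFA = uuid.UUID(int=0)


def normalize_idfa(raw):
    """Return a uuid.UUID for a usable IDFA, or None if absent, malformed or zeroed."""
    if not raw:
        return None
    try:
        parsed = uuid.UUID(raw)
    except (ValueError, AttributeError, TypeError):
        return None
    return None if parsed == ZERO_IDFA else parsed


def attribute_events(events):
    """Group events per device where an IDFA exists; otherwise only count them.

    Events without a usable IDFA are never joined to each other, so
    opted-out users are not collapsed into a single fake profile.
    """
    per_device = defaultdict(list)
    aggregate = defaultdict(int)
    for ev in events:
        idfa = normalize_idfa(ev.get("idfa"))
        if idfa is None:
            aggregate[ev["event"]] += 1
        else:
            # str() of a UUID is lowercase, so casing differences do not split a device.
            per_device[str(idfa)].append(ev["event"])
    return dict(per_device), dict(aggregate)


# Constructed sample events (hypothetical schema, not a real SDK format).
SAMPLE_EVENTS = [
    {"event": "ad_click", "idfa": "6D92078A-8246-4BA4-AE5B-76104861E7DC"},
    {"event": "install", "idfa": "6d92078a-8246-4ba4-ae5b-76104861e7dc"},
    {"event": "ad_click", "idfa": "00000000-0000-0000-0000-000000000000"},
    {"event": "install", "idfa": "00000000-0000-0000-0000-000000000000"},
    {"event": "install", "idfa": None},
]

if __name__ == "__main__":
    devices, totals = attribute_events(SAMPLE_EVENTS)
    print(devices)
    print(totals)
```

Only the first two events can be tied to one device; the remaining three contribute to aggregate counts and nothing else.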

What Has Been the Reaction?

Many US businesses are concerned because the change to opt-in consent for device tracking will almost certainly have a significant impact on online advertising and the ability to effectively use targeted ads to market to consumers. Apple has delayed these updates following a series of complaints by large social networks, global marketing professionals, and app developers on blogs, group chats, and in the media. (See Facebook’s reaction on its developer blog, an interview with Instagram’s CEO, a response letter from a group of advertising associations, and a letter requesting a meeting with Apple). These groups have expressed deep concern for the potential consequences of Apple’s changes both from a privacy compliance and business perspective.

These groups have expressed the following concerns and consequences of Apple’s switch to opt-in for IDFA:

  • Standardized format creates compliance issues

    • Following Apple’s format may be incompatible with compliance requirements under privacy law and will not relieve the need to provide additional disclosures.

  • Explicit opt-in will be negative for users

    • Users are unlikely to fully understand disclosures and opt-in (i.e., negative impact on user experience).

  • Explicit opt-in will decrease IDFA use

    • Opt-in for IDFA is likely to result in increased refusal by users and a decrease in IDFA use, and to have a negative economic impact on businesses.

Similar concerns are likely to arise with regard to the new privacy disclosures for apps, as they could create potential compliance issues (if incompatible with existing privacy policies) and they could have a negative impact on user experience (if users are required to go to two separate locations to fully understand privacy practices and their rights).

Overall, businesses need to look at their applications to determine what the Apple updates mean for their business and what steps they may need to take to prepare.

Takeaways - What does this mean for your business?

For those businesses that have or are in the process of developing mobile applications, the following are a few of the things you should be thinking about to prepare for Apple’s upcoming privacy changes in 2021:

Considering any impact or changes warranted once the opt-in default for IDFA is activated

  • Impact on Applications and Tracking/Attribution:

    • If a user does not opt-in to IDFA, then your application will lose key benefits of user-level tracking, including attribution (e.g., view, click, install), analyzing user trends (to group users and understand user behavior), and other in-app benefits (e.g., personalization, audience segmentation and overall performance).

    • In particular, attribution methods to obtain a detailed user profile to assist with mobile advertising will be more difficult, if not impossible. For example, ID matching provides aggregated information including whether or not a user viewed or clicked on an ad, if they actually installed the app, and their behavior while using the app. This method could lose its accuracy and reliability if IDFA is off because it will no longer obtain this information at a user-level.

  • Impact on Advertising:

    • You may have to change how you evaluate the effectiveness of your marketing spend and project future spending for marketing budgets. This is likely to make it harder for businesses to justify marketing budgets or simply calculate effective spending because of incomplete analytics to determine where spending correlates with successful conversions or sales (e.g., successful downloads, subscriptions, product purchases, etc.).

  • Changes to Contracts:

    • In order to protect your application from potentially being removed from the Apple Store, you should review your contracts and ensure that limitations related to the collection and use of device identifiers are addressed as may be needed.

  • Looking for Alternatives to IDFA:

    • You may decide to look for an alternative to IDFA, like Apple’s ID for Vendors (IDVA) or SKAdNetwork (an API that measures success of ad campaigns without IDFA). However, note that the use of alternatives may have other impacts, both legal and business, and should be fully assessed with your privacy and digital marketing teams.

Considering impacts on data collection and data privacy practices

  • Understanding your data collection practices – and how that may differ for your apps

    • Once you have made a determination of what changes you may have to make on the marketing strategies you will use and the corresponding data you want to begin or continue to capture through your application, you will want to make sure you understand and can articulate your data collection and sharing practices. This will help you provide clear and accurate information in the Apple privacy disclosures regarding the data processing activities conducted within your application and any data sharing with third-parties.

    • The information you provide to Apple will depend on the privacy and security practices you utilize for your application, how you protect the data obtained through the application, and the purpose(s) behind data collection and use (including whether information is shared or obtained by third-parties).

  • Preparing for Apple’s Standardized Disclosures

    • You will need to create standardized privacy disclosures for the Apple Store to meet format and content requirements (including providing information regarding data collection, data use, data linked to the user, tracking, and privacy links). However, you should not rely on these privacy disclosures to meet disclosure requirements under applicable law and you should consider your responses carefully to make sure they are accurate and do not conflict with your existing privacy statements.

    • Separately, you will still need to ensure that the privacy policies for your application are compliant with applicable data privacy laws which may require different and/or additional information (e.g., specific disclosure requirements under the CCPA and GDPR). For example, you may be required to include information regarding a user’s right to have all their data deleted from your application, the right to restrict the sharing of their data with third parties, or a method of withdrawing consent for IDFA.

  • Reviewing and updating your consent language and disclosures

    • Since you will now be required to get opt-in consent for IDFA from your users (even though applicable law may not require it), you should review and update your consent language for the pop-up (depending on Apple’s format, which may change) and any related consent forms.

    • Keep in mind, in some cases you may be required to meet specific regulatory requirements for obtaining consent for data collection and usage through your mobile applications. For example, although there are not opt-in requirements currently under the CCPA, there are specific requirements for consent under the GDPR and you may need to meet those requirements should the GDPR apply to your application.