This month, Apple is preparing to finally launch its radical iOS 14.5 update. Despite Facebook’s aggressive advertising campaign against it, the update will fundamentally change the way in which Apple customers interact with their personal data, providing the user with granular control over any application’s use of their IDFA (Identifier for Advertisers). Their squabble not only reflects the differing approaches of Big Tech to the developing landscape of personal data regulation, but also outlines the potential future of the data market itself.
The 'Privacy' vs 'User Experience' Debate
The protracted and vocal conflict between Facebook and Apple is centred upon Apple’s decision to allow the user granular control over their IDFA. The IDFA acts as an identifier for Apple mobile devices, including iPhones, iPads, and iPods. Each device has a unique IDFA, allowing advertisers to track that user’s online behaviour. Previously, Apple users would have had to actively withdraw consent to prevent third-party access to their IDFA. In the new update the default setting is to automatically refuse Facebook (or any other third party) the ability to access a user’s IDFA.
The conflict has turned bitter in recent months, with Facebook founder and CEO Mark Zuckerberg decrying Apple’s decision as a ‘regression where … small business are severely disadvantaged and competition is diminished’. Facebook’s public stance on the matter is one in which it purports to be defending small businesses’ interests, asserting that its use of personal data and IDFAs has been done for the benefit of both parties.
However, multiple Facebook insiders disagree.
In interviews given to various media outlets, these insiders claim that Facebook’s primary concern is actually the loss of its ability to track ‘view-through conversions’, where an advertiser is told when a user views their advert and does not interact with it initially, but later makes a related purchase. Apple began IDFA tracking in 2012 as a compromise, and its iOS 14.5 update therefore represents one of the largest changes to the advertising industry since its initial implementation.
Mass opt-outs are expected to be the norm, and the industry anticipates that the bulk of the Apple advertising market will effectively dry up overnight.
'We can provide both...'
Whilst Apple view this update as the latest in a series of measures to outline and improve its data collection responsibilities, a spokeswoman from Facebook has claimed that Apple’s new prompt is ‘designed to present a false trade-off between personalised ads and privacy, when in fact we can provide both’.
History would suggest otherwise.
Facebook has found itself on the receiving end of serious criticism for its handling of personal data in recent years, suffering severe reputational damage as a consequence of scandals such as those involving Cambridge Analytica in 2018, and more recently the revelation that the data of 533 million accounts was stolen in a massive data breach in 2019. Despite Facebook’s claims that this data was leaked years ago and has since been secured, analysts have asserted that the information included in the dataset (such as phone numbers, Facebook IDs, locations, and email addresses) can help data brokers to correlate related information into profiles that could trick two-factor authentication. Facebook’s failure to alert its users to the breach constitutes a violation of various privacy-related reporting requirements, including the GDPR. Ireland’s Data Protection Commission (DPC) has already begun its investigation into this failure, and claims to have received ‘no proactive communication from Facebook’.
Another Facebook entity, WhatsApp, was forced to delay its planned update to its privacy policy in January 2021 following an in-app notification that informed users that some data would be shared with Facebook. CEO Will Cathcart has repeatedly attempted to assuage concerns over WhatsApp’s data protection, but last month the company was taken to Delhi High Court by the Indian Government, which alleges that the update does not comply with its own data privacy laws. With the news that WhatsApp’s competitor, Signal, had crossed over 100 million users in February 2021, Facebook and its entities now find themselves in an increasingly tough position.
Regulation, Regulation, Regulation
Although Apple’s update can be seen as a positive development for the data subject with regard to transparency, purpose limitation, and data minimisation, the company too has come under significant scrutiny by data protection regulatory bodies recently. In March 2021, France Digitale (one of France’s largest technology lobbying organisations) filed a complaint against Apple with the country’s data privacy watchdog CNIL. The complaint alleges that Apple’s privacy changes breached EU regulations, as the users of pre-installed iOS applications are automatically subjected to first-party targeted advertising without being asked for consent.
The complaint has been passed to the Irish DPC, but there remains the possibility that the CNIL could rule that Apple has violated the EU’s ePrivacy Directive rather than the EU GDPR. This would not be the first occasion that the CNIL has had to deal with Big Tech non-compliance. In December 2020, the CNIL decided to levy fines of €135 million on Google and Amazon’s European bodies for violating regulations with regard to cookies.
What therefore emerges is a trend of increased scrutiny of Big Tech companies and practices by a growing body of regulatory authorities and legislation. Those companies are now having to question the consequences rather than purely the limitations of their data processing activities.
What’s next?
Facebook knows that it’s been fighting a losing battle. Despite the ad campaigns, senior leadership’s vocal displeasure, and various filed complaints, iOS 14.5 will be released.
As Apple undertakes its rollout of the update, the public’s knowledge of data processing responsibilities and their own rights as data subjects is likely to only increase. Whilst Facebook and others may be playing ‘catch-up’, Apple’s radical changes should be seen as an attempt to pre-empt this and avoid being caught out and fined. More open and consistent scrutiny of these practices will also likely stem from this discourse as regulatory bodies develop the necessary legislation and precedents.
How the public and Big Tech will react to this new stage of data subject power will likely set a new precedent for the data privacy landscape itself.