Apple's Privacy Crusade, Act 2

The privacy answer we've been waiting for?

In the days leading up to the summer of 2020, Tim Cook had had enough. The year before, he had been on a media whirlwind, speaking about privacy issues to media figures, at congressional hearings, to regulatory agencies, at industry events, etc. One main claim was that privacy features should not be add-ons to products, there should be an underlying understanding between products and customers on data rights between parties that is well understood by both. Clearly hinting at the media and advertising industries and related fingerprinting operations, he wanted to do something about them “gobbling up everything they can learn about you and trying to monetize it.” And at that 2020 summer release event, Apple announced App Tracking Transparency (ATT), which prompted all of the ‘do you allow this app to track…’ pop ups you see across any mobile app today. This simple question of whether you were comfortable sharing more data for increased performance was put in your hands up front, and people’s responses to that question cost the industry billions and created an immediate slowdown in the entire sector's earnings.

The fallout from the change, in combination with regulations like GDPR and California’s CCPA helped shift the entire digital ecosystem away from scraping third party-sourced data and pushed organizations towards building more first-party systems, as this substack has outlined.

And yet – the privacy ‘question’ is still not resolved. Recently, Facebook’s perfectly legal privacy settings used in Europe was thrown out by a top EU court for technical issues around the language of GDPR. They are forcing more consent-driven actions similar to what ATT created, so now in Europe users will have to accept at least three separate pop-up questions that address issues around processing user data, combining user data with other sources, and cross-using data between systems. Is more paperwork for every step in the data process a realistic future? In a world with billions of data sources and billions more models and systems using data, what are the other options besides piling up more consent forms?

Apple has come back four years after its ATT announcement with a new concept they are calling ‘Privacy Manifests.’ Privacy manifest is a list of data fields that the app collects (via SDKs) that publishers must declare in-app on development. There’s also a ridealong ‘Reasons API’ which is also what it sounds like, a requirement that developers publish the reason that they are using user data, so as to avoid fingerprinting and other deep-tracking activities against Apple's ToS (and GDPR/CCPA laws).

Apple makes the analogy to nutrition labeling. In the image below, in Apple’s new construction of user privacy you have a part of any piece of digital hardware or software carry a ‘nutrition label’ of how your information is being used. You can play Candy Crush all you want, but beyond the negative effects of wearing your dopamine receptors thinner than rice paper you can also see how exactly your data is shared across King gaming’s other dozen+ apps with nearly 300M active users:

This is an elegant solution. Privacy and security debates have been stuck in finger pointing for too long. Advertising became about personalizing content to an incredible degree, which created a boon for deep-tracking technologies. Engineers pointed the finger at business requirements driving demands and funding to any new ad tech company that had the whiff of a good idea in the space. Business pointed the finger at consumers who were increasingly demanding catered, personalized services like never before. Consumers pointed the finger at Congress, saying that there should be at least some regulatory authority over the boon in new technology while harnessing its value. Congress pointed the finger at big tech, levying anti-competitive fines and starting lengthy investigations about how exactly digital media systems worked. Big tech pointed the finger at the regulatory state, where there was no guidance on how they should construct their data standards.

And that was where we stood until Apple realized that in one move, it could cripple the user data-led backbone of its tech rivals, establish a new paradigm for first-party prominence in advertising, and use that new paradigm to create a $5B business almost overnight, rising to estimates of $20B by 2026. The rollout of ATT was (and is still) an incredible case study in market shaping.

Apple is back from the high heavens with a new decree - privacy is not about mindlessly clicking a million pop up consent forms to use any website. This is America, and if you want to eat KFC that’s your god-given right. Candy Crush is still #3 in the App store, people love it. And if they are okay with their data being used by King to create new games, improve advertising, improve in-game design, improve in-game incentives to spend real cash, etc., then so be it. Rather than having to sit and negotiate with every digital service, you get the nutrition label for the product.

It remains to be seen how much sugar & fat users are willing to accept in their digital diets. The ‘Required Reasons’ API is a helpful addition, like recent pushes in the food labeling space to require explanations for the use of certain ingredients. Apple uses that to explicitly force developers to have reasons other than ‘IDing individuals’ so there is still enforcement of overall user privacy standards across the board with this new method, but now a lot of that discussion can happen between the industry without dragging users into the middle of it for every little change. The ‘privacy report’ that developers must submit to Apple as a part of their app package being accepted into the iOS ecosystem is presumably available to users as well who can see changes at any time.

The focus of the public sector on these questions has been mostly congressional & FTC concerns around market consolidation rather than answering these standards-led questions directly. Europe has shown far more desire to provide universal standards, but keeps reinventing the wheel every few months, throwing out their own laws in court as unconstitutional and demanding industry changes again or face billions more in fines. 

Perhaps industry-led solutions like Apples will force the sort of standardization that the industry desperately needs. In a very Apple-like way, the end result is clear, simple, and respects both the user and developer needs. It may be the answer to the user data privacy questions we’ve been waiting for.