How Apple's new App Store privacy requirements may affect users and app developers

Apple now requires apps to reveal how user data may be collected, but some companies aren't happy about the policy.

iphone11-sharatibken-cnet.jpg

Image: Shara Tibken/CNET

The next time you try to download an app from the App Store onto your iPhone or iPad, you may notice a new App Privacy section that seeks to clue you in on certain details. Specifically, the section tells you how the data from the app might be used to track you as well as how that data will be collected and linked to your identity. This sound like a great benefit to the user, though certain app developers are already balking at the new requirement.

SEE: IT pro's guide to GDPR compliance (free PDF) (TechRepublic) 

With the release of iOS/iPadOS 14.3 this past Monday, any new or updated app must include a privacy label, otherwise it won't be allowed on the App Store. This requirement applies not just to third-party apps but to Apple's own programs, such as Apple Music, Apple TV, and Apple Wallet, though built-in apps aren't included.

The goal is to address privacy concerns and questions among users, especially as app developers haven't always explained clearly and precisely what data they collect and how they use it.

To see one of the new privacy labels, make sure you're running iOS/iPadOS 14.3 or higher. Open the App Store, tap on any app, and swipe down the description page. Unless the app hasn't been updated recently, the App Privacy section will display any of a few different categories:

  1. Data Used to Track You. Shows which type of data may be used to follow you across different apps and websites
  2. Data Linked to You. Shows you the type of data that may be collected and linked to you
  3. Data Not Linked to You: Shows you which type of data may be collected but not linked to your identity.

And there's more. Click the See Details link next to App Privacy, and you'll find out what specific data the app collects and links about its users for targeted ads, product personalization, and app functionality. In some cases, these details are quite lengthy. Check out the privacy label details for Facebook, for example, and the information reveals exactly how much data the social network gathers about its users.

app-store-app-privacy.jpg

Apple's new App Store privacy labels.

"This requirement to disclose third-party data collection, and whether it's used for tracking will make it easier for users to understand how apps use personal data," Chris Hazelton, director of security solutions at security provider Lookout, told TechRepublic.

"This format will clearly disclose the data used to track users across their other apps and websites," Hazelton said. "Like nutrition labels in real life, the goal is to create a common, easily understandable format for users to see how their personal data is collected and used by developers and their partners. It will make it easier for users to question whether free services from developers are worth the cost in terms of privacy and security of their own data."

Even among app and website developers who are forthright about their privacy policies, the information they provide can often be difficult to decipher. Think of the average Terms of Service and other agreements posted by developers. Often they're thousands of words long and loaded with enough legalese and jargon to make your head spin. In contrast, Apple's privacy labels try to boil down the basics into a more readable and user-friendly format.

"The average application user is not savvy enough to understand technical feedback from applications," said Setu Kulkarni, vice president of strategy at WhiteHat Security. "The details of the data that the app is capturing has to be communicated in a manner that the average user is able to comprehend and make decisions on how they want to use the app."

Calling the new privacy labels a good move, Kulkarni said that it will force the convergence of privacy and user experience. If done right, users should start trusting some apps over others.

"An app that tells me that 'we track your current location only when you are using the app, but do not store your tracking information' will fare better at garnering trust than an app that tells me 'tracks GPS coordinates," Kulkarni added.

Beyond the new privacy labels, app developers will also be required to ask for permission to track. Through a feature called App Tracking Transparency (ATT), developers will have to state that an app would like permission to track the user across apps and websites. The person can then opt to allow the tracking or tell the app not to track.

Though Apple users may be happy to see the new labels and the new transparency policy, the reaction from developers has so far been mixed.

On the positive side, John Cook, director of product management for Mozilla, said that users deserve greater transparency with the hope that the privacy labels give other app developers a reason to review what data they collect and ask what they really need.

"Mass data collection and invasive advertising don't have to be the norm online," Cook said. "So the privacy labels are a great first step and we encourage people to ask Apple to stand firm and implement their anti-tracking plans."

A spokesperson for Microsoft also gave the privacy labels a thumb's up.

"We know that privacy is important to our customers and it is important for us to provide the protections they need and expect," the Microsoft spokesperson said. "The Apple App Privacy details summary on the App Store helps to open the door to this critical conversation. We believe it is also important that people understand how their data is used, the obligations providers have to protect that data, and the controls individuals have to monitor, disable, and delete their data."

However, other app developers see certain pitfalls in the privacy labels and transparency policy. A spokesperson for WhatsApp told TechRepublic that providing users with this information is a good start but felt that people should be able to compare the labels from apps they download with apps that come pre-installed. The spokesperson also said that the labels should convey how apps try to protect user data.

"Our teams have submitted our privacy labels to Apple, but Apple's template does not shed light on the lengths apps may go to protect sensitive information," the WhatsApp spokesperson said. "While WhatsApp cannot see people's messages or precise location, we're stuck using the same broad labels with apps that do. We think labels should be consistent across first and third-party apps as well as reflect the strong measures apps may take to protect people's private information."

Josh Cohen, senior VP of product for Foursquare, also shared a mixed opinion about the new labels. Cohen called the new privacy labels a positive step toward a future in which consumers are better protected and have more control over how data is collected and use. He even said that this process could help the industry regain consumer trust, something that's been deteriorating for many years.

But Cohen added that such a process from Apple alone could lead to a fragmented experience for users depending on what platform they use. It could also impact not just the ad industry but apps, websites, and gaming platforms that rely on ads as well as consumers themselves.

"The risk presented by Apple's new privacy labels is that more power could be centered in the hands of a few large players, enabling them to determine what consumer information is provided and under what circumstances," Cohen said. "If the ad tech industry and ecosystem doesn't take certain steps in tandem with the implementation of new privacy labels, there's the risk of a ripple effect that could negatively impact both consumers and the industry."

The National Association for the Self-Employed, an advocacy group for small business, decried the transparency policy, expressing concerns that it may create unfair business practices that will negatively impact the business community.

But the biggest complaint so far has come from Facebook, which pointed to several pitfalls that it sees in Apple's new privacy process.

"We've built transparency into our products and controls that help people manage their privacy," a Facebook spokesperson said. "But the format of Apple's new labels is too broad and ignores how data is used in context."

To convey its distaste for the new privacy labels, Facebook took out full-page ads in several prominent newspapers and published a blog post about the situation on Wednesday. Contending that it's "speaking up for small businesses," Facebook criticized Apple for creating a policy that's about profit and not privacy, hurting businesses and publishers that are already suffering during a pandemic, and not playing by their own rules.

"We disagree with Apple's approach and solution, yet we have no choice but to show Apple's prompt," Facebook said in its blog post. "If we don't, they will block Facebook from the App Store, which would only further harm the people and businesses that rely on our services. We believe Apple is behaving anti-competitively by using their control of the App Store to benefit their bottom line at the expense of app developers and small businesses."

And what has been Apple's reaction to the complaints from Facebook and others?

In a recent speech that seemed to anticipate the criticism about the App Tracking Transparency, Craig Federighi, Apple's senior VP of software engineering, said that it was already clear that some companies would do everything to stop the feature—and others like it—to maintain access to people's data.

Speaking at the European Data Protection and Privacy Conference on Dec. 8, Federighi chided those he said have already started to make outlandish claims, such as saying that ATT would somehow lead to greater privacy invasions.

"To say that we're skeptical of those claims would be an understatement," Federighi said. "But that won't stop these companies from making false arguments to get what they want. We need the world to see those arguments for what they are: a brazen attempt to maintain the privacy-invasive status quo."

Also see

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.