Consent to track: Apple’s new move to change global practice

Over recent years, there has been an increasing trend towards consumer awareness and concern around the use and transparency of in-App tracking technologies.  Under the Privacy Act 2020, organisations must make individuals aware of the fact that information is being collected and the purpose for which the information is being collected, but practically, this is often buried in the fine print.  The recent release of Apple’s iOS 14.5 update changes the consent landscape with implications for many organisations that currently utilise tracking features.

What does Apple’s update do?

Previously, iOS Apps have used an Identifier for Advertising (IDFA) to enable tracking across different websites and Apps.  An IDFA is a unique identifier for mobile devices, assigned by those devices, that advertisers use to target and measure the effectiveness of advertising.  Apps usually collect the IDFA to connect information collected through the App to other information, to better target personalised advertisements to individuals.

With the iOS 14.5 update released on 3 May 2021, Apple has introduced a new feature called App Tracking Transparency (ATT).  Any App that attempts to track a user’s location, information or data across Apps or websites owned by other companies will be required to display a pop-up.  That pop-up must ask the user directly if they consent to the App collecting data.

Developers must also include an explanation of why the App wants to track the user.  If the device does not receive permission from the user, the IDFA is set to a string of zeroes, preventing the App from collecting any data about that individual.  Apple has stated that this feature “allows users to make more informed choices about the Apps they use and the permissions they grant to those Apps”.

What’s the downside?

Although the update appears to be a win for transparency, modelling has estimated that Facebook and Google (the big players in the personalised ad space) could face an average 7% loss in revenue from Apple’s new changes.  Moreover, there may be other serious consequences to non-compliance, as Apple has threatened to remove Apps that do not comply with the policy.

Industry reactions have been varied

Facebook has argued that personalised ads are necessary for consumers to discover small businesses.  It has also argued that limiting their use “would take away a vital growth engine for businesses”.

Google has recently indicated that it will explore “alternatives” to the ATT feature.  However, it has noted that it will no longer use information covered by the ATT for the Google Apps that use that information for advertising purposes, and will no longer show the ATT prompt.  This course of action has been recommended by Apple.

Is this really a revolutionary change?

Importantly, the update does not mean that data can no longer be collected from App users.  It simply means that users must be expressly informed that the App will track them, and their data will be used to generate personalised advertisements – and they must actively click to consent to this.  To us, this is a natural extension of good privacy practice when it comes to transparency of data use and should be a positive tool for promoting transparency, customer experience and satisfaction.  This also aligns with the Privacy Commissioner’s call to action back in 2019 around customer consent.

Despite this rule, we expect consumers of trusted and reputable organisations will likely continue to allow tracking for these purposes, in exchange for the value in received services and the desire for a personalised experience.

What do App owners need to do?

Considering the new Apple rules, App developers or publishers should:

  • Not attempt to use workarounds or dodge compliance with alternative trackers.  Apple has said that it is prepared to remove any App that appears to be tracking users without express consent.  There is also the potential for reputational damage if users observe ATT prompts on other Apps but are not shown one on yours;
  • Update Apps to prompt all users to accept or decline tracking the next time they open the App.  Burying a consent statement within the terms and conditions or privacy policy of the App will no longer be sufficient to demonstrate consent;
  • Consider whether tracking is necessary for their App or business model to function as intended.  It is likely that many consumers will opt-out of tracking entirely, and this may impact the utility of investment in personalised Applications; and
  • Ensure that the purpose section of the prompt clearly explains why the data is being collected and what the data will be used for.  This will ensure compliance with the Apple rules as well as the Privacy Act – in the process it will mitigate the likelihood of any claims that the prompt is misleading consumers about the true nature and purpose of the data collection.
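
For developers, the prompt and the zeroed IDFA described above look like this in an iOS App.  This is an added illustration, not code from Apple or from the organisations discussed here: `TrackingConsent`, `usableIDFA` and `request` are hypothetical names, and the App's Info.plist is assumed to carry an `NSUserTrackingUsageDescription` entry containing the purpose explanation shown in the pop-up.

```swift
import AdSupport
import AppTrackingTransparency
import Foundation

// Hypothetical helper (not an Apple API): gates every use of the IDFA on the
// user's App Tracking Transparency choice.
@available(iOS 14, *)
enum TrackingConsent {
    // The all-zero identifier iOS returns when tracking has not been authorised.
    static let zeroIDFA = UUID(uuidString: "00000000-0000-0000-0000-000000000000")!

    // Returns the IDFA only if the user has authorised tracking and the value
    // is not the zeroed placeholder; otherwise nil, meaning "do not track".
    static func usableIDFA() -> UUID? {
        guard ATTrackingManager.trackingAuthorizationStatus == .authorized else {
            return nil
        }
        let idfa = ASIdentifierManager.shared().advertisingIdentifier
        return idfa == zeroIDFA ? nil : idfa
    }

    // Shows the system pop-up if the user has not been asked yet, then reports
    // the outcome. The pop-up's purpose text is read by iOS from the
    // NSUserTrackingUsageDescription entry in Info.plist (assumed present).
    static func request(completion: @escaping (UUID?) -> Void) {
        switch ATTrackingManager.trackingAuthorizationStatus {
        case .notDetermined:
            ATTrackingManager.requestTrackingAuthorization { _ in
                // The callback may arrive off the main thread.
                DispatchQueue.main.async { completion(usableIDFA()) }
            }
        case .authorized, .denied, .restricted:
            // Already decided (or blocked by device policy): never re-prompt.
            completion(usableIDFA())
        @unknown default:
            // Treat any future status as "no consent".
            completion(nil)
        }
    }
}
```

Code that starts an advertising or analytics component should do so only when `request` hands back a non-nil identifier, so that a declined prompt leaves nothing to connect to other information.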

Our view

While the Apple update has certainly raised some eyebrows in the tech sector and gained considerable media attention, we consider there are good reasons for supporting this move, both from a corporate responsibility and consumer protection perspective.  With an increasing trend towards transparency of privacy practices and data minimisation, this new obligation from Apple provides companies with an opportunity to review and update their privacy practices in this area, and show consumers that they offer real control and rights over their data.  If you need any assistance with updating privacy statements or amending App terms of service considering these new rules, please contact one of our experts.
