Why Italy Just Fined Apple, Of All Companies, Over Privacy

Italy just fined both Apple and Google 10 million Euros for violating consumer rights and unfair commercial practices.

One of the key problems, according to Italy’s competition authority, is that Apple is forcing iPhone owners to use a non-optional Apple ID that is tied to ad targeting without disclosure.

While Google is of course primarily a massive ad network and has been subject to numerous fines globally over privacy and advertising, it comes as something of a shock for Apple to find itself in this situation. Apple is generally regarded as the most privacy-sensitive player in big tech, and with the possible exception of Microsoft, that’s probably correct.

So why did Apple just get fined 10 million Euros by Italy?

The answer lies in a critical decision Apple made a few years ago with regard to its little-known ad network, Apple Search Ads. A decision that makes Apple’s ad network globally unique compared to all other ad networks, in fact.

While most people don’t know about Apple Search Ads unless they’re in the mobile advertising space, ASA is the only way to advertise your app on Apple’s App Store. Apple Search Ads has seen tremendous growth since Apple’s introduction of App Tracking Transparency in iOS 14.5, which forced app publishers to ask people for permission to track them if the publishers wanted to access an identification number, IDFA, for their phones.

The IDFA was the primary way marketers measured and optimized campaigns, but it has significant privacy problems. Since iOS 14.5, marketers have been forced to turn to a new Apple technology, SKAdNetwork, to get privacy-safe marketing measurement data. It provides less data than the old IDFA-based system and it’s less granular, so marketers can’t use it to track people: a global privacy win for anyone using an iPhone or an iPad.

Apple’s ad network serves ads for apps on the App Store based on your behavior: what you search for, what you install, what you buy via in-app purchases. It also uses data from other Apple apps such as News and Stocks for ad targeting, plus contextual information such as device type, general location, and time of day.

What Italy is essentially saying here is that:

  1. Apple requires users to have an Apple ID
  2. Apple tells people that this is for security, support, reporting, backing up, archiving, and so on
  3. However, Apple also uses Apple IDs for ad targeting in the App Store by Apple Search Ads

And that, Italy’s competition authority says, is misleading and harmful. Apple is using people’s data for commercial practices without disclosing it at the point of account creation, and it’s non-optional because you can’t operate an Apple device without an Apple ID.

The reality here is somewhat tricky and nuanced.

Italy is right that an Apple ID is essential, and that Apple does not immediately disclose that ad targeting may happen at some point in the future. However, Apple does not target individual people, and is likely rationalizing the existing account creation process because any eventual Apple Search Ads targeting that may happen is not granular and not personalized. Instead, Apple Search Ads uses differential privacy, creating segments of at least 5,000 people who have similar characteristics. That way marketers can target someone like you rather than precisely you: they get to serve their ads to someone who is likely to be interested; you get to maintain the privacy, at least, of being in a crowd and not being personally identifiable.

Whether that argument holds up, we’ll see.

Apple will appeal, most likely.

Where Apple left itself vulnerable to this attack, however, was in deciding that Apple Search Ads would have different rights and different capabilities than other networks. Apple Search Ads is the only ad network on the planet that does not have to use SKAdNetwork, Apple’s recently-released privacy-safe marketing measurement framework.

As such, it gets preferential access to user data.

Pre-iOS 14.5, when marketers could access iPhone IDFAs, ad networks could accumulate data tied to unique IDFAs about what apps the people who owned those devices were interested in.

The result: massive device graphs that had significant privacy implications.

Post-iOS 14.5, that data about what people do and like is opaque to networks and marketers, unless they try to use device fingerprinting, another tracking technology that Apple has banned by fiat but that remains technically possible in a minority of cases.

In addition to extra knowledge about user behavior, Apple Search Ads uses its own internal attribution technology because when building App Tracking Transparency, Apple defined tracking for the purposes of measurement as tracking across different companies’ apps and websites. Since in the case of ASA Apple owns both Apple Search Ads and the App Store … there’s no passing of data from one company’s digital properties to another.

Hence, no “tracking” and no privacy violations.

Whether that holds up in the court of popular opinion, time will tell. But it certainly has left the privacy-first big tech company — which just recently made headlines in a good way for informing activists when nations are trying to spy on them — open to criticism.

I have asked Apple for a comment on this fine, and will update this story if the company responds.
