How Apple’s new App Tracking Transparency policy works

This week, Apple published a new white paper that describes the ways apps typically track users and handle their data, outlines the company’s privacy philosophy, and offers several details and clarifications about the upcoming App Tracking Transparency change, which will (among other things) require app developers to get a user’s permission to engage in the common practice of creating an identifier (called IDFA) to track that user and their activities between multiple apps.

The paper states that the change will go fully into effect with the release of an update to iOS and other Apple operating systems in “early spring” (Apple has previously said this would happen in iOS 14.5, which is now in a late stage of beta testing) but the company has reportedly already started enforcing some aspects of the new policy with new app submissions, suggesting that the full transition is very imminent. One recent survey found that only about 38.5 percent of users plan to opt in to tracking.

Most of the paper is dedicated to explaining exactly how apps track users to begin with, by using a hypothetical example of a father and daughter traveling to the playground with their personal mobile technology and apps in tow. There are no new revelations in this section for people who are already familiar with how these systems work, but the information is accurate, and most people don’t actually know all that much about how their data is tracked and used, so it might be useful to some.

Apple also uses a section in the paper to describe its app privacy labels, which are kind of like food nutrition labels, but instead of describing the nutrients in a meal, they describe the ways an app tracks you or accesses your data. It’s worth nothing, though, that these app privacy labels are largely self-reported, and independent observers have found many examples of apps that have inaccurate or incomplete information in these labels.

Trust and antitrust

While the paper is partly aimed at users who want to know more about iOS’s privacy features and how personal data is handled by mobile apps generally, it also repeatedly tries to make the case that the upcoming App Tracking Transparency change will not negatively impact most advertising-supported businesses in a severe way. “The introduction of past features, such as Safari Intelligent Tracking Prevention, have shown that advertising can continue to be successful while enhancing users’ privacy protections,” the authors argue.

Some companies, like Facebook, have explored the idea of making an antitrust case against Apple, arguing that Apple is making third-party apps follow rules that the smartphone maker’s apps don’t have to follow. But this paper argues that Apple’s own apps don’t present an opt-in prompt for tracking because they don’t track across third-party apps for advertising purposes to begin with.

Most of the meaty clarifications are in the paper’s FAQ (frequently asked questions) section. For example, Apple writes that “app developers cannot require you to permit tracking in order to use the app’s full capabilities”—meaning users won’t get reduced functionality in apps if they opt out of the tracking. This gets at one critical caveat about Apple’s upcoming change: the policy prevents tracking across multiple third-party apps if a user opts out, but both Apple and any other one company can still track users across multiple apps if all the apps in question are operated by the same company. The same thing that gives Apple a pass could also apply, to say, Google tracking you across Gmail, Google News, Docs, and so on. But as soon as Google wants to use a technique that can also see what you’re doing in Apple or Facebook’s apps, for example, that’s when the opt-in is required.

Apple offers a separate toggle labeled “Personalized Ads”—totally distinct from the IDFA-related opt-in prompt—that allows users to decide whether they want to be tracked within Apple’s first-party apps.

And related to the recent flurry of App Store submission rejections, Apple clarifies that a developer “is also required to respect your choice beyond the advertising identifier.” This means that once a user has opted out of IDFA tracking, the developer must also not track the user through any other method that generates a similar result, like device fingerprinting. Device fingerprinting was apparently what caused the wave of rejections we reported on last week. “If we learn that a developer is tracking users who ask not to be tracked, we will require that they update their practices to respect your choice, or their app may be rejected from the App Store,” the paper says.

The FAQ also addresses the criticisms of the efficacy of the App Store’s privacy labels, albeit not very effectively. It confirms that the data is self-reported and says “if we learn that a developer may have provided inaccurate information, we will work with them to ensure the accuracy of the information.”

Listing image by Samuel Axon