When it comes to privacy, Apple has always pitched itself as Big Tech’s golden boy.
Now, some of that shine is coming off.
An internal document from France’s data regulator seen by POLITICO revealed Tuesday that the iPhone maker’s targeted advertising practices may fall afoul of the European Union’s privacy laws.
The French watchdog’s analysis — which stops short of finding wrongdoing — came as part of an investigation by the country’s competition authority into Apple’s new anti-tracking tool. Those changes, soon to be released, will give people more say over how their data is collected and used by third-party apps, raising hackles among Facebook and smaller app developers that the company is not playing fair.
But while both French regulators gave a thumbs-up to that feature, called Apple’s App Tracking Transparency, the privacy watchdog gave the iPhone maker’s own ad business a more damning assessment.
“Apple’s advertising processing requires consent when it involves reading or writing data on the user’s device,” the Commission nationale de l’informatique et des libertés, or CNIL, wrote in its internal document. “Apple’s practices suggest a lack of consent collection.”
The nonbinding assessment — which is cautiously worded since it is designed to inform another case, rather than provide grounds for a standalone investigation — throws doubt on Apple’s privacy credentials.
Apple CEO Tim Cook has time and again denounced the “data industrial complex” in thinly-veiled swipes at the data-hungry ad models of Google and Facebook — while seeking to position his own company as a paragon of privacy virtue in comparison.
Cook’s needling underscores just how hostile relations have become between some of Silicon Valley’s biggest companies as they seek to position themselves publicly on hot-button issues like privacy, sustainability and human rights.
“At a moment of rampant disinformation and conspiracy theories juiced by algorithms, we can no longer turn a blind eye to a theory of technology that says all engagement is good engagement — the longer the better — and all with the goal of collecting as much data as possible,” Cook told an online audience in January while championing the company’s own data protection standards.
The introduction of the anti-tracking feature, which is due to be rolled out in Apple’s iOS 14 later this year, was just the latest salvo in the company’s bid to claim the moral high ground on privacy. Now it could backfire.
While the CNIL was only asked to inform a case involving the feature rather than investigate the company’s own practices, further down the line the regulator’s assessment could have consequences. It could yet feed into a privacy complaint filed in March by startup lobby France Digitale.
That complaint accuses Apple of violating privacy rules by “systematically collecting users’ consent by default on iOS 14 in order to engage in targeted advertising on its native apps.”
It’s not the only one targeting the U.S. company’s ad practices.
A nonprofit fronted by Austrian privacy activist Max Schrems has also filed claims in Germany and Spain accusing the company’s tracking code of violating privacy. The company denies any wrongdoing.
The Cupertino-based tech giant has more privacy investigations by the Irish Data Protection Commission than Google, including one regarding its behavioral ads business. Dublin is both companies’ main EU regulator since they are legally established in the Irish capital.
For some onlookers, Apple’s wide-armed embrace of privacy hides an inner ecosystem that thrives on the exploitation of personal information in much the same way as Silicon Valley’s other powers. While it does not offer up people’s data to outsiders like Facebook and Google do, the iPhone maker has an increasingly sprawling digital services and advertising business that still relies on harvesting people’s digital information.
“Even though Apple now is making these moves to become more strict on privacy, they’re still heavily profiting from creating an ecosystem that is just overall really privacy-invasive,” said Joris van Hoboken, of the Vrije Universiteit Brussels, who studies Big Tech.
He pointed to Apple’s software development kits that allow gaming developers to do in-depth profiling of users — efforts that the company itself profits from. “They have this incentive to create the conditions for super data intensive and privacy intrusive business models by apps, and then they profit from that directly,” van Hoboken said.
Asked for comment on the French regulator’s findings, an Apple spokesperson pointed back to an earlier statement that said: “Privacy is built into the ads we sell on our platform. We hold ourselves to a higher standard by allowing users to opt out of Apple’s limited first-party data use for personalized advertising, a feature that makes us unique.”
Not everyone is so sure.
Johnny Ryan, a privacy campaigner who has often tangled with Google over its data practices, said that Apple’s privacy protections were better than most of its peers. But any company, including the iPhone maker, should not be allowed to use people’s data inside its own digital empire in ways that others in the wider world are barred from doing.
“What we’re seeing is an internal data free-for-all,” said Ryan, a senior fellow at the Irish Council for Civil Liberties. “Data practices inside these companies are alive and well.”
Laura Kayali contributed reporting.