Published on October 18, 2021. Author: Privacy Research Team
This year in April, Apple released iOS 14.5, making major privacy updates within the operating system. The new operating system now requires all apps that collect data from end-users for the purposes of tracking across apps and websites to use the AppTrackingTransparency framework and ask users via Apple’s built-in consent prompt to opt in to tracking. This means all Apple users will now be presented with a prompt with two equally prominent options of “Allow Tracking” and “Ask Apps Not to Track” while using apps that collect their data and share it with third parties for advertising purposes.
When a user selects “Ask Apps Not to Track”, Apple will block that particular app developer from accessing the user’s IDFA (Identifier for Advertisers). App developers are expected to honor the user's choice and prevent any tracking. Users are also able to change their preferences on an app-by-app basis by going to the settings of the particular app.
In today’s privacy-conscious world, this new mandatory consent prompt is being seen as a welcome initiative. The fact that mobile users would not be tracked by default unless they affirmatively select “Allow Tracking” appears to be consistent with privacy-by-default as well as privacy-by-design principles. While privacy-by-default requires apps to ensure that by default, the user has been provided the strictest privacy measure available, privacy-by-design refers to having in-built abilities that ensure data privacy. The new consent prompt is also consistent with the GDPR and the European Data Protection Board’s Updated Guidelines on Consent that prohibit the use of pre-selected checkboxes while obtaining consent from a data subject.
In its User Privacy and Data Use Policy, Apple defines tracking as, “the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers. Examples of tracking include, but are not limited to:
From a legal perspective, the responsibility to obtain the end user’s consent seems to primarily lie with the app developer as it is the data controller - the entity that determines the purposes and means of the processing of personal data. The operating systems and device manufacturers may also be considered data controllers (and where relevant joint data controllers) for any personal data which is processed for their own purposes.
Apps must ensure that they obtain separate and specific consent for separate and specific data processing operations, and that consent obtained for one purpose is not used for any other purpose. One opt-in prompt may cover different processing operations as long as these operations serve the same purpose. However, there must be separate opt-in prompts to allow users to give separate consent for separate data processing purposes. For example, specific consent must be obtained for accessing geolocation data and separate consent for accessing browsing history, as the two can have different processing purposes.
Apple’s built-in consent prompt certainly helps apps fulfill some part of their privacy obligations. However, it does not seem to ensure granularity, as Apple’s broad interpretation of “tracking” indicates. It appears that several consents are tied together in one prompt: by selecting “Allow Tracking”, users are consenting not only to receiving targeted advertisements on apps but also to sharing their location data with data brokers and sharing IDs for retargeting purposes. It is not clear whether such consent meets the global data protection legal requirements that require separate consent for separate data processing purposes.
Rather than merely relying on Apple’s built-in consent prompt, apps also need to be mindful of their specific consent-related privacy obligations.
Firstly, apps need to ensure data minimisation and purpose limitation. So, even if a mobile user allows apps to collect their data and track them by choosing “Allow Tracking”, this does not give apps uncontrolled power to collect as much data as they want - they should be collecting only the limited amount of data that is required for the purposes for which it is processed. Moreover, data collected for one purpose may not be used for any other purpose.
Secondly, apps are required to provide their users easy-to-understand and accessible information about the data they collect and the purposes for which they are collecting while obtaining consent from users. At a minimum, users should be made aware of the purpose of each of the processing operations for which consent is sought, what type or category of data will be collected and used, and their rights connected with their personal data such as their right to withdraw consent at any time. One simple prompt with two options on “Allow Tracking” and “Ask Apps Not to Track” does not provide users enough clarity as to whether a particular app will be collecting their location data, email lists, phone contact lists, or any other identification data. Therefore, app developers must make such information available on their privacy notices which should be easily accessible to users.
With big corporations such as Apple and Google taking privacy-friendly initiatives and global data protection requirements becoming stricter with time, the ad-tech industry has started reinvestigating its marketing strategies. Various statistics show that more and more Apple end-users end up choosing not to be tracked, eventually leading to extremely low data collection rates.
App developers are encouraged to be more transparent with their users as far as their data collecting and processing activities are concerned. Increased transparency will not only help apps fulfill their legal requirements but also build consumer awareness and trust. This is because in today’s privacy-aware yet digital world, users may still want to keep receiving personalised advertisements - they just need more information on how businesses collect and manage their data. Transparency may be achieved by using a combination of layered privacy notices, contextual pop-up notices, privacy dashboards, and visualisation tools such as icons - all of that will ultimately help users make an informed choice.
Businesses are increasingly investing their time and efforts in coming up with privacy-compliant alternatives to the use of third-party cookies and other tracking means for advertising purposes. A few proposed options include, but are not limited to, Google Privacy Sandbox, first-party data stack, identity solutions, and contextual advertising. At this point in time though, it is difficult to say with certainty which of these alternative options, or which combination of them, is the best approach that protects end users’ privacy, fulfills legal consent requirements, and helps businesses in their marketing activities. In the meantime, mobile apps and other data controllers are advised to ensure consent granularity, data minimisation, and purpose limitation as well as provide adequate information to users while obtaining consent from them.
Securiti’s Universal Consent Management Solution enables marketers to adequately advertise and market their products in a compliant manner by capturing consent and automating revocation. Securiti’s Cookie Consent Banner Solution enables companies to build cookie consent banners in accordance with the applicable legal requirements when collecting personal data for non-essential purposes on digital properties.