In a world where research has been pointing out consumers’ concerns regarding their data, it is questionable how far companies would go when accessing users’ personal data with the excuse of offering them a greater experience or even pretending to be privacy-oriented to seduce them. Consumers are becoming more aware of, and in turn, more alarmed about their data privacy rights and companies’ exploits against the rights they have over their personal data. Aware of those justified and growing privacy concerns, Apple promotes itself by expressly assuring its users that they control the information they share. This way, Apple stands out in the market and from its competitors through these purported privacy standards.
Nonetheless, it is nothing new that almost every act on an iPhone or an iPad involves a large amount of data processing and storage, so as with most electronic devices. Even worse, much data is ‘unconsciously’ processed. In this article, we will cover how, despite marketing itself as a ‘privacy-friendly’ company, Apple violates its own commitments and policies and, consequently, consumers’ trust, taking commercial and economic advantages while unduly preserving its reputation. This analysis will be done by examining the latest class action filed against Apple.
A questionable transparency framework
Although having a ‘privacy friendly’ reputation and having launched an App Tracking Transparency (ATT) Framework in April 2021, addressed on 15th July 2022 in our article ‘Apple’s App Tracking Transparency Framework: Enhancing Privacy Or Impeding Competition?‘, Apple’s privacy-oriented standards are more of theoretical.
While the ATT Framework supposedly represented a win for privacy by requiring users’ consent before engaging in third-party tracking on Apple’s apps, security researchers at the software company, Mysk, proved Apple’s assurances and promises to be illusory. They have ascertained that Apple tracks users’ activities across its own and another company’s apps without authorisation, even after the user has opted-out of such processing. This revelation led to the class action brought against Apple on 10th November 2022 due to “pervasive and unlawful data tracking” [1].
In that class action, a New York citizen claimed that Apple was violating state laws by illegally recording consumers’ activity on their apps. The claim stated that although Apple gives its consumers the impression that they have control over whether, how and when, Apple collects their personal app data, irrespective of their choice, the company continues to record personal and sensitive information through users’ activities in the apps and device analytics.
An intentional and surreptitious invasion of users’ privacy
Regarding Apple’s promises, the company supposedly offers consumers control over what data Apple collects by allowing them to turn off the tracking of their activities on apps. Furthermore, Apple’s iPhone and iPad analytics settings explicitly guarantee to disable the sharing of Device Analytics if the user turns them off. Therefore, consumers reasonably infer that their privacy will be safeguarded when turning those settings off and, ultimately, that Apple will not misuse their personal data.
However, what happens is that, through its various unauthorised (or uncontrolled) tracking practices, Apple continue to record, track, collect and monetise data, including consumers’ app usage, app browsing communications, and personal information in its apps regardless of what safeguards or “privacy settings” consumers choose.
Although outrageous, such behaviour should not be surprising, especially considering that much of Apple’s financial success results from tracking and collecting consumers’ personal information. The class action lawsuit suggests that, just like other big tech companies such as Meta and Google, Apple profits from consumers not only by processing their data to improve and develop its services and products, consequently boosting its sales, but also by hiddenly acquiring their sensitive and valuable personal information and even selling them to other companies for lucrative advertisements.
By doing so, as stated in the class action, “Apple’s practices infringe upon consumers’ privacy; intentionally deceive consumers; give Apple and its employees power to learn intimate details about individuals’ lives, interests, and app usage; and make Apple a potential target for “one-stop shopping” by any government, private, or criminal actor who wants to undermine individuals’ privacy, security, or freedom “[2].
Violating California privacy laws and beyond
Moreover, not only is Apple’s secret monitoring of private app browsing data a breach of its contract, but also a violation of the law. The right to privacy is recognised, among others, in the state of California as an inalienable right under its Article I section 1 of the California Constitution. Although the class action relies on the California Invasion of Privacy Act (CIPA) and the Penal Code, the more recent California Consumer Privacy Act of 2018 (CCPA) protects users against unnecessary information gathering, use, and dissemination by public and private entities, giving consumers more control over the personal information. Accordingly, users who opted out from having their personal information tracked by Apple clearly had their privacy right violated.
Luckily, as far as the EU and UK are concerned, the General Data Protection Regulation (‘GDPR’), which entered into effect before the CCPA, and the UK GDPR [3], also aim to guarantee the protection of individual’s personal data and apply to businesses processing such data. Even though those legislations have their divergences, considering their similar aspects and, more precisely, the stricter scope of application of the CCPA [4], it is possible to infer that should the same case be taken to a EU/UK data protection authority, considering the lack of legal basis and transparency for processing their data, Apple would also face penalties for its privacy breach.
Although there is not yet any response from Apple, hopefully, the class action sets an example and a warning to all big tech companies. That is because users suffered from the moment Apple misused their trust to explore their data technically and financially, having not only their right to privacy violated, but also mentally suffering from the loss of value in their personally identifiable information and in the power and representation of their consent. Now, in this class action, Apple may be substantially penalised for such behaviour. These potential penalties and fines will send a message to other big tech companies about their practices, and the potential consequences for such practices, as it could be them in the future which finds themselves a defendant in a class action case.
[1] Libman v. Apple, Inc., Docket No. 5:22-cv-07069 (N.D. Cal. Nov 10, 2022), Court Docket
[2] Ibid.
[3] The UK GDPR is the retained EU law version of the EU GDPR, which was established by virtue of section 3 of the European Union (Withdrawal) Act 2018.
[4] Conclusion established through the analysis of GDPR and CCPA main similarities and differences sets on the guidance Comparing privacy laws: GDPR v. CCPA & CPRA. Additionally, an example of broader approach of the EU GDPR is also recognized when considering that much personal data that is protected under GDPR lacks constitutional protection under California Law, which only protects sensitive or confidential data as an informational privacy interest.
