Download, if You Dare: Considering the Long-Term Influence of Apple’s Privacy Labels on US Data Regulation

By: Sam Roth

Amidst a shifting landscape of emerging data regulations and an increased focus on consumer protection, Apple is attempting to stay ahead of the curve. On November 30, 2020, Apple announced that it was implementing mandatory privacy labels for each application to list on its product page in the App Store. These privacy labels, dubbed “privacy nutrition labels” by the tech industry, include small logos and a brief description of the data used to track and link user activity on Apple products.

By providing their users with easier access to the type of data collected by each app, Apple aims to empower its users with the tools necessary to decide their own level of comfort with the apps they choose to download. However, concerns regarding Apple’s underlying intentions and ability to moderate this newly implemented labeling system drew the attention of legislative representatives and privacy experts alike. The risks associated with entrusting data privacy oversight to a large company like Apple may sit uncomfortably with consumers, but without a data privacy regulation in place to require industry transparency, Apple’s privacy labels may foreshadow a market-driven future for digital privacy and safety.

With the roll-out of these labels, Apple is requiring app developers to display the type of data they collect from their users on their App Store product pages, but developers are only compelled to do so if they decide to update their app past December 8, 2020. Specifically, app developers must display information that notes when their app collects “data used to track a user,” “data linked to a user,” and “data not linked to the user.”

“Data used to track the user” refers to information that follows a user’s activity across other apps, websites, or offline properties which is primarily used for ads or shared with data brokers. “Data linked to the user” refers to information that is tied to a user’s identity, such as a personal account, personal device, or details of one’s purchase history and contact information. “Data not linked to the user” refers to information that is not directly tied to a user or their account, and similarly, is information that is not saved to a user’s account. For example, data collected from a mapping app to provide turn-by-turn directions can be collected by an app but is not directly linked to a user’s account.

Apple has signaled its high value on consumer privacy protection, claiming to design Apple products to protect user privacy and give their users control over their information. Subsequently, it is no surprise that they intend to enhance their users’ control over their information by providing privacy nutrition labels. Yet, prominent voices in the tech industry speculate less holistic intentions behind Apple’s privacy labels, citing Apple’s unique position as a tech provider that, comparatively, collects far less data than its competitors.

Ashkan Soltani, a fellow at Georgetown Law’s Center on Privacy & Technology, discussed Apple’s potential benefit from utilizing data privacy labels by mentioning, “Apple is not in the data-selling business . . . And so [the use of privacy labels] does, in fact, help Apple . . . .” Soltani references Apple’s largest competitor, Google, and goes on to say, “Most advertising happens through Google’s platforms, even on Apple apps. . . . Whether Google embraces this in their own app store I think remains to be seen. I would say, while the Android team has been somewhat security- and privacy-minded, as a company, advertising and tracking is core to Google’s business model, and I’m not sure that they will shift away from that anytime soon.” The leverage Apple has over its competitors is to use data privacy as an incentive for increased Apple product usage. Apple is proud of this distinction as well, evident in their immediate inclusion of privacy labels for their own apps, with each clearly displaying minimal amounts of data being collected.

However, multiple concerns have already been raised over the risk of potential user manipulation and Apple’s poor performance monitoring active labels since their launch. In actuality, Apple’s privacy labels are still new, and even Apple admits that this is an experimental process that will only continue to strengthen. Lorrie Cranor, director of Carnegie Mellon’s CyLab Usable Privacy and Security Laboratory, finds Apple’s approach promising but is still unsure about how much testing went into it, stating, “As [the privacy labels] rolls out with real apps and real users it will be interesting to see what works and what doesn’t—whether developers understand how to accurately complete the information, whether they actually tell the truth, and whether consumers understand what this means are all open questions.” Further, Apple has a significant list of data types that apps are not compelled to report, raising more concerns for potential loopholes and workarounds for app developers to exploit.

Still, privacy researchers have pointed out that lying is not the only hurdle to risk-free privacy labeling, citing the difficulty in monitoring active privacy labels efficiently. Privacy researchers have been quick to note that as a self-assessment model with no in-built verification to enforce transparency, the long-term impact of Apple’s privacy labelling system remains up for debate. Yet, various news outlets and security sites claim that Apple’s privacy labels are already highly misleading and, at times, blatantly false. A recent report found that one third of evaluated apps with “data not collected” labels were actually found to have been collecting data. Although Apple’s privacy labels are designed to evolve and strengthen over time, some legislators are hesitant to allow Apple to continue operating unless the system is improved.

In February of 2021, leaders of the US House of Representatives Committee on Energy & Commerce sent a letter to Apple CEO Tim Cook, seeking answers about the company’s plans to audit app labels and enforce the correction of inaccurate information, and expressing their concern about the harmful effects of failing to moderate the privacy labels. In one notable section of the letter, authors Rep. Frank Pallone, D-N.J. and Rep. Jan Schakowsky, D-Ill., wrote “A privacy label is no protection if it is false”, warning Apple of the care that must be taken when handling the trust and protection of their users’ privacy.

No legal action has been taken against Apple for the discovery of the inaccurate labels, but Apple still carries a considerable responsibility to not mislead its users and potentially harm their right to privacy. However, privacy experts speculate that the potential inconsistencies between privacy nutrition labels and in-app privacy policies could lead to claims against developers for misrepresenting their apps’ privacy practices. In a nutshell, Apple’s privacy labels are opening a plethora of new doors for legal liability, questioning whether liability rests on the developer to adequately provide information, on the consumer’s ability to fend for themselves, or on Apple’s capability of moderating the validity of each label.

If successfully implemented, and trusted by consumers, privacy labelling may become a staple in modern technology; a shift that could eventually be required by law or regulated by a governmental agency. However, in their current form, Apple’s privacy labels may aptly serve as an example for regulators and legislators to build off as they try to tackle how best to address a federal privacy bill. Countries like Finland, Singapore, and the United Kingdom have started pushing security-focused labels for Internet-of-Things products, affirming Apple’s wise decision to incorporate its usage in their dominant App Store early on.

The labels should also send a message to lawmakers questioning if the tech industry can be trusted to efficiently and fairly orchestrate market-driven solutions for common privacy concerns. Yet, the decision to download a given app ultimately falls on the consumer. Until Apple moderates the labels more efficiently, simplifies the grading system for consumers, and enforces a rigid auditing scheme for apps to be subjected to, users should remain wary of placing too much trust in these labels.

Student Bio: Samuel Roth is a second-year law student at Suffolk University Law School. He is a staffer on the Journal of High Technology Law and member of the Business Law Association. Samuel received a Bachelor of Arts Degree in History from the University of Rochester.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.

 
