Looking Back on a Year of Apple’s Privacy Labels and Tracking

After Apple rolled out its privacy-label requirements in the App Store, along with App Tracking Transparency in iOS, in late 2020, we reviewed 250 apps and found that most of them were tracking and sharing a lot of information about anyone using them. A year later, some apps have a little better, and some of the worst offenders have seen a drop in the number of downloads, but the changes haven’t been revolutionary. Anyone interested in protecting their privacy online still needs to keep an eye on what their apps are up to.

What you can do about tracking right now

Some Apple devices, including iPhones and iPads, use something called an identifier for advertisers, or IDFA, which allows app makers to track your activity across apps for advertising purposes. Starting with iOS 14.5, Apple made tracking the IDFA opt-in, which means you have to purposefully enable it—each app must ask you to allow tracking when you first use it. This was a big shift, as most similar types of tracking are always opt-out, so they’re enabled by default and you have to go in and manually turn the tracking off.

Apple’s definition of tracking is narrow, referring only to data about you that is shared among multiple companies for purposes. Here’s how it works: If you allow an app to track you, the app then gets access to your device’s IDFA number (think of it as being like a Social Security number attached to your phone), and it can track the other apps you download , the ads you might see, or the shopping you do. That information all gets packaged together and sold to advertisers, which then display ads in the app based on all of your behavior. Or it can potentially tell a business if you saw an ad and eventually purchased a product, which lets the business know that a particular campaign was successful. In contrast, if you don’t opt ​​in to giving an app your IDFA number, the app cannot personalize ads based on that number.

Instead of rejecting tracking on an app-by-app basis, you can reject all tracking in advance. A stat from Flurry Analytics suggests that only around 4% of people have preemptively disabled the tracking opt-in feature on the operating-system level. If you don’t want companies to track you or you’re just sick of seeing the prompts every time you install a new app, you should disable tracking entirely by heading to Settings > Privacy > Tracking and disabling Allow Apps to Request to Track.

Using an app that acts as a firewall, like Lockdown Privacy or Disconnect’s Privacy Pro, can block apps’ access to most other trackers but can occasionally break websites and make them unreadable (if this happens, you can temporarily disable the app and reload a broken page). Both apps’ free versions can do the trick in this regard, but they also push you to subscribe to their expensive paid plans, which we don’t think most people need to do. Android owners can get a similar feature in DuckDuckGo’s App Tracking Protection.

If you want to root out what your apps are doing, you can do so as long as you’re running at least iOS 15.2, in which Apple introduced the App Privacy Report. But these reports are likely indecipherable to anyone who isn’t trained in ad tech and who doesn’t know the differences between companies such as Crashlytics, DoubleClick, and Firebase. And trying to understand a company’s privacy policy is unlikely to be more helpful.

Even after taking all of the above precautions, you may still see surprisingly personalized ads. In September 2021, The Washington Post featured a study by Lockdown Privacy that showed how apps may circumvent Apple’s tracking rules by creating “fingerprints” of a device using specific data related to your phone, similar to how the technique works on desktop browsers. Fingerprinting is prohibited under Apple’s rules, but there hasn’t been much in the way of policing for apps that behave badly, at least not publicly.

The impact of opting in

Three screenshots of different apps requesting the user to enable tracking.

The new privacy labels seem to have had a small impact on individual behaviors and how apps are handling the disclosure (and requesting) of data collection. According to Adjust, another ad-tech company, only about 25% of people opted out of Apple’s previous system, Limit Ad Tracking—which meant roughly three-quarters could be tracked. Early after Apple’s launch of opt-in tracking in iOS 14.5, advertising doomsayers were quick to assume that most people wouldn’t elect to be tracked. After roughly five months, around 21% of people using iPhones worldwide had opted in to the tracking system, according to a Flurry Analytics report.

More recently, in December 2021, ad-analytics company AppsFlyer broke down opt-in rates by app category, and most categories hovered around the 40% opt-in range in the United States. The cause of the increase is unclear but may be due to an increased adoption rate of iOS 14.5 in general; There’s also a chance that apps have figured out better ways to convince iOS users to opt in to tracking.

Efforts to persuade people to opt in range from tame to aggressive. The NY Post app, for example, attempts to explain that personalized ads “support [the company’s] ability to offer this app for free,” but despite how that sounds, you’ll still see ads if you don’t opt ​​in to tracking. Meanwhile, Roku tries to appeal to people who hate seeing the same ad over and over, promoting the idea that you’ll (maybe) see less of the same ad.

One prompt we found cringeworthy during our examination was from Bloom, a self-help app, which claimed that opting in to tracking would “help bring Bloom to more people in need.” Similarly, Walmart’s prompt says that “Walmart can help you save money and live better through ads.”

We still don’t have a total picture of the market impact of Apple’s privacy measures, but Facebook claims it will lose $10 billion in revenue in 2022 (though the company still estimates $27 billion to $29 billion in revenue for the first quarter of 2022) . Meanwhile, Twitter has attempted to shrug off the impacts. Other companies that use internal advertising programs rather than sharing information with third parties—such as Applovin, ironSource, and Unity—all seem to have benefited from the change. One company that is most likely benefiting is Apple. According to market analyst Omdia, Apple’s Search Ads program, which prioritizes placement in the App Store, grew by $3.7 billion in 2021, an increase of 238% over the previous year.

Smaller ad buyers, such as e-commerce businesses, have seen some big changes on their end. One group of companies interviewed by The Wall Street Journal (subscription required) noted that they needed to spend more money on ads to get the same number of sales as they had made prior to Apple’s changes, and that they had less insight into how effective their ads were. That was especially the case in Facebook ad spending, where 62% of the companies the WSJ interviewed said they had decreased spending last year because they had lacked data as to the effectiveness of their advertising. Although contextual ads—for example, an ad for bike helmets appearing in a cycling app—are still an option, those types of ads tend to be less expensive and make developers less money.

The impact of privacy labels

A screenshot of a warning from the Evernote app explaining what user-provided data is linked to you in the app.

When we looked at 250 apps last year, 163 of them, by listing information in the “Data Used to Track You” section of their privacy label, indicated that they are engaged in tracking. As of February 10, 2022, 39 of those 163 apps have removed that part of their privacy label entirely, three apps have added a “Data Used to Track You” portion to their label, and eight apps have been removed from the App Store permanently . Out of 242 apps, our current tally includes 124 that track you. That’s just over 50%.

Some notable games and apps that listed information in the “Data Used to Track You” box in April of last year, but now claim not to track, include Roblox, MinecraftEvernote, and Zillow.

We reached out to a number of these companies for statements, but none got back to us with an official comment. It’s possible that the app developers in question decided to no longer sell or share data for advertising, or that the privacy label was simply incorrect in the first months following the launch of iOS 14.5. The privacy labels are dependent on the honor system, so without commenting from the companies we can’t say whether anything has changed at all.

From a usability point of view, nothing has changed with the labels themselves in the past year. The privacy labels are packed with information, but unlike a nutrition label on items at a grocery store, where you can put two products side by side to compare them, you still have no way to compare apps on screen or to search based on specific preferences .

But we are starting to see data about the impact of Apple’s privacy labels. One recent study compared to downloads of apps available on both iOS and Android (where there is no privacy label) and found that in some cases the iOS apps had a 12% to 15% drop in weekly downloads compared with the Android version after the launch of the privacy labels. The study concludes that this type of transparency does seem to affect whether someone downloads an app, which suggests that education about data practices has tangible effects on user behavior.

Room to improve

The early claims that Apple would kill the mobile-ad market and give every iOS user total control of their privacy were misguided—Apple would need to do far more to make that large of a difference—but the changes also seem to have had a clear effect on several mobile-app ad-tech companies, most notably Facebook. For companies looking to advertise, Apple could beef up its internal ad network to provide more useful, privacy-forward details for apps so that they can better measure marketing effectiveness without gathering too much identifying data. On the flip side, we’d also like to see further restrictions on the background device data—such as restart times, brightness settings, or remaining battery—that an app can collect, which would help prevent potential fingerprinting. And for any iOS user who wants to focus on their privacy while choosing an app, we’d also like to see improvements to the App Store’s search function to filter by the information on the privacy labels. But without a strong federal privacy law, iOS privacy is heavily reliant on the rules that Apple sets and is willing to enforce.

This article was edited by Arthur Gies and Mark Smirniotis.

Leave a Comment