After making a name for himself going after Facebook’s and Google’s data practices, Austrian lawyer Max Schrems — and his advocacy group Noyb — is setting his sights on a new tech giant. According to two separate complaints his group filed with regulatory bodies based in Germany and Spain, the advertising tech that comes baked into Apple’s iPhones allows countless third parties to slurp data from these devices largely unimpeded.
Specifically, both complaints home in on what’s known as Apple’s identifier for advertisers, or IDFA. We’ve covered adIDs before, but in short: they’re a string of numbers that gets assigned to every phone, allowing mobile app developers — and the companies advertising inside of those mobile apps — to track how users interact with a given app. As other analysts have pointed out in the past, you can kind of think of the IDFA as the mobile equivalent of what cookies do in your desktop browser. But most sites at least pretend to ask for consent before dropping a bunch of cookies onto your screen — your phone just gets assigned an IDFA from the get-go.
As the complaints note, a string of numbers — even one that’s tied to your specific phone — is technically an “anonymous identifier” that falls outside of the publicly identifiable information realm. This means Apple technically doesn’t need to ask for consent before plunking this onto people’s phones, even under GDPR statutes. Instead, Noyb’s complaints hinge on one of the EU’s older privacy statutes: the ePrivacy Directive, which was originally passed way back in 2002.
This so-called “cookie law,” the suit explains, technically applies in this case, even if the IDFA isn’t called a cookie by name. It’s a piece of tech that’s “unequivocally” stored on a person’s device, where it then hoovers data about that device, and delivers it into the hands of third parties.
In an announcement about the new filings, Stefano Rossetti, one of the lawyers working with Noyb, explained that focusing on “old” cookie laws will also speed up the current round of investigations. Noyb has been a pretty vocal critic of the glacial pace of some EU regulators. Three of the major complaints against Facebook, Instagram, and WhatsApp that the group filed are still being reviewed despite being filed in mid-2018 — not long after GDPR first went into effect.
It’s interesting for Schrems’s group to take aim at the IDFA specifically, especially now. Although the IDFA was a niche bit of tracking tech in the past, Apple made waves when it announced that, with the iOS 14 update, iPhone users would have to give their explicit consent to an app developer looking to siphon off some of that IDFA data, the same way that iOS 13 introduced new permissions when it comes to accessing a user’s precise location.
But the idea of losing access to this stream of user data didn’t sit well with a ton of advertisers currently working in Apple’s app ecosystem, most notably Facebook. At the time, the fellow tech giant pointed out that the move wouldn’t only make developers’ revenues plummet, but it would also further entrench the power of a company which is already accused of some pretty monopolistic practices (pot, kettle, etc.). In light of these complaints, Apple shifted this new OS update to a vaguely defined date “early next year.”
We’ve reached out to Apple for comment and will update if we hear back.