Over recent months, the pressure on providers of app tracking technology has been increasing. In February 2022, the Belgian data protection authority found that the IAB’s Transparency & Consent Framework is in violation of EU/UK data protection law. Among other aspects, the authority argued that the IAB is in fact a data controller and not just those organisations that use the IAB framework. This ruling by the authority represents one of the first applications of the EJC’s rulings on joint controllership within the context of web and mobile tracking. The ruling underlines that those who design the technical infrastructure behind the tracking ecosystem bear responsibility for their design decisions under EU/UK data protection law. Is this the beginning of the end of surveillance capitalism?
Around the same time, the Austrian and French data protection authorities as well as the European Data Protection Supervisor found that the use of Google Analytics on websites can be in violation of the ECJ’s prohibition of personal data flows to the US without sufficient safeguards (Schrems II ruling). These rulings suggest that the widespread sending of personal data to the US – which this dissertation proved to be common in app tracking – faces an uncertain future. Without a new, reliable regime for the transatlantic sharing of personal data, the current practice of tracking is unlikely to be sustainable for much longer for app developers. The processing of personal data will need to find ways to overcome the reliance on US-centred infrastructure (and the potential harm posed by US intelligence agencies accessing these servers). Whether the proposed EU-U.S. Data Privacy Framework from 2022 is fit for the task remains to be seen.
The use of app tracking currently mainly relies on the fact that many app developers need ads for monetisation. Conversely, ads are the primary reason for using invasive tracking technologies. However, the invasiveness of tracking as well as various rulings by European data protection authorities and courts cast doubt over the current practice. While ads and the personalisation thereof are often permissible, the use of invasive third-party tracking to support these technologies is often not. As a result, the link between personalised ads and tracking will likely weaken in the near future.
The industry is reacting to these recent developments and is working towards privacy-preserving advertising solutions. Apple and Google are increasingly preventing apps — and thereby third-party trackers — from accessing persistent user identifiers. Prominent recent examples are the introduction of the App Tracking Transparency framework on iOS (blocking access to unique user identifiers without user consent), the planned ban of third-party cookies from the Google Chrome browser (preventing websites from saving unique identifiers in cookies to track users across websites), and Google’s introduction of a user opt-out from sharing personal identifiers with apps on Android. While these measures can increase consumer privacy, they might also put more power over user data into the hands of the digital gatekeepers.
Increased restrictions on user identifiers might shift the tracking ecosystem in the direction of statistical identifiers (e.g. device fingerprinting). A company might then (likely wrongly) argue that these statistical identifiers do not fall under the protections of the GDPR anymore, since data cannot be uniquely attributed to an individual or only with great effort. This argument is already used by the industry to justify the use of pseudonymous identifiers, which, however, fall under the GDPR. For example, Google argues that ‘pseudonymous cookie IDs’, ‘pseudonymous advertising IDs’, ‘IP addresses’, and ‘other pseudonymous end user identifiers’ do not fall under its own definition of ‘Personally Identifiable Information’ (PII). While the threshold for the GDPR not to apply is high, the increased use of statistical identifiers could make it more difficult for individuals to enjoy and exert their data protection rights in practice. At the same time, statistical identifiers may simply not be a good enough replacement for persistent user identifiers (such as advertising identifiers). If tracking systems do not have access to persistent user identifiers anymore, this might not only inhibit data trading, but might also make some smaller tracking companies less viable and run out of business.
One key technology for the mobile advertising industry is install attribution. When app A shows an ad by an advertising company to install app B, then this advertising company would like to know if a user has installed app B after clicking app A’s ad (‘conversion’). Traditionally, advertisers monitored conversions through a persistent user identifier, such as the IDFA. Now that Apple is significantly restricting access to the IDFA (through ATT) the company has implemented a new privacy-preserving ad attribution framework: SKAdNetwork. This new framework operates without persistent user identifiers, and discloses much less information about the user to advertisers; at the same time, Apple now gains more insights into the conversions of other advertisers. Indeed, Apple operates its own attribution framework that is not subject to the new ATT rules and gives advertisers much better insights into conversions.
The case of SKAdNetwork shows that it is possible to build more privacy-preserving advertising technologies. It also shows that there is a risk that the shift towards more privacy will reinforce gatekeeper power and reduce competition around mobile ads. More competition around ads is usually a good thing for consumers because it will reduce the cost of ads and, as a result, the price of products they buy. Currently, we also have competition around tracking (surveillance) of users, since tracking still underpins a lot of online advertising. The result of competition around tracking has traditionally been rather negative for consumers because it creates a race to build better profiles and to collect more data about individuals, thereby conflicting with their data protection and privacy rights, among others.
It might sometimes seem difficult to imagine how the genie could be put back in the bottle in the tracking ecosystem, given that the app ecosystem relies on the income generated from tracking. However, this is what Apple is currently attempting – phasing out mobile tracking over time and shifting towards more privacy-preserving advertising technologies. This makes technical changes to the tracking ecosystem more important than ever and will need further scrutiny in the future.