This article is written by Gursimran Kaur Bakshi, a student at the National University of Study and Research in Law, Ranchi. This article explains the recent Apple v. Facebook controversy over the recent change in privacy policies. 

Introduction

Ever thought about why Facebook allows you to sign-up for free? Or why does Google allow you to create and use the Gmail service for free? If you believe things on the internet are available for free, then yes, it is, though at the cost of your privacy.

Tech-wars are common these days because everyone seems to be fighting for the new oil of the 21st century, that is data. 

When we talk about data, the need to protect privacy should idealistically come hand-in-hand. However, this is not what happens in reality. All these tech giants allow users all over the world to use their services for free. But, there is a consideration that they ask for, in a rather subtle manner, which is to allow them to advertise through third-party apps via their platform. 

Advertising is the reason why these services are free and shall remain free unless they realise the importance of privacy. But, what if another tech giant no longer wants to compromise the privacy of their customers through third-party advertising? 

The tech giant that we are talking about right now is Apple Inc. Apple has recently introduced a new privacy policy that allows users to opt-out of third-party advertising including those on social media platforms like Facebook and Google.

How did Facebook react to it and what does this groundbreaking change mean to the future of all those companies, especially Facebook, are some of the pertinent questions that are answered in this article. 

To understand why Facebook is angry with Apple these days, we need to first understand how third-party advertising takes place on Facebook.   

What is third-party advertising on Facebook?

If you are a regular Facebook user, you will know that it uses third-party advertising tools that allow companies to publish their targeted ads in the advertising spaces. 

In simple terms, Facebook allows another company, let’s say X, to publish an ad on its news feed and that ad would be visible to the users. By allowing X to advertise, Facebook earns money and X gets the publicity required to reach out to more customers. Ad sales are the primary source of revenue for Facebook. 

How targeted ads are published on Facebook?

Facebook allows you to create and post ads to boost your business under the business help centre of Facebook. It uses a non-discrimination policy for advertisement which means that those ads that deny an opportunity to an individual or group based on race, ethnicity, religion, sex, sexual orientation, disability, etc., are prohibited. One has to accept this condition for posting ads on Facebook.

Facebook also allows you to customize your ads to reach maximum people. It gives you certain options such as whether you want to allow Facebook to automatically create the reach out based on your activities, show ads to people who are likely to send a message on WhatsApp, create a promotion to help more people find and like the page, and use a form to collect information of the potential customers to name a few.

It has a special category where ads on political campaigns, elections and social issues like political and civil rights can also be posted along with a disclaimer that must include the person’s identity who has paid for the ad. However, to post ads in this category, one needs prior authorization such as confirmation of the identity of the person and residence proof.  

Now, Facebook also gives options to customize the outreach of the audience based on which it charges the money. It charges a minimum of approximately Rs. 150 per day for a normal ad concerning, let’s say, the promotion of an academic page with a reach of an estimated 1.1k-3.2k people with 58-167 clicks on the URL link. The number of people it is supposed to reach, along with the number of days you want it to be posted and the number of URL clicks, is directly proportional to the money charged.

Targeted ads and privacy concerns

Ads appearing on Facebook’s newsfeeds collect your data 

There are primarily two ways in which ads appear in your newsfeeds, namely, through the data collected by Facebook based on your online and offline activity. Most online websites have a tie-up with Facebook, which allows them to collect data of the user and use it further in showing you ads based on your activity (targeted ads). 

For instance, you decide to buy a dress from an online store X, which has a tie-up with Facebook. Once you buy that dress and make the payment, it saves your basic details such as your name and your choice of clothing, or even in the case when you put that dress in your cart and do not make the payment. Now, this data is used by Facebook to further narrow down your preferences on the basis of which it will show you customized ads. You will eventually notice ads showing clothes or brands that offer similar clothing at a lesser price etc. 

Users data are also collected through cookies 

Another way of collecting user data online is through cookies. Cookies are small chunks of data collected by the web server while you are browsing the internet. When you visit a random online store, you would receive a notification asking for your permission to collect cookies.  The online platform uses cookies to show you products according to your preferences or use the cookies to send it to other apps to use for third-party advertisement. 

Most of the users want access to the website and they chose to ignore the cookies policy. Hence, it allows the website to track, monitor, and remember certain information such as what website you visited for buying a certain thing online, what movie you watched, or the music you like, etc. 

Google collects user data through various features 

Further, there is another subtle way of collecting information. Android users might relate to this. There is a feature called Google voice which is not just limited to Android users, though it is also available for iPhone users. 

A lot of users use the feature of voice search rather than the traditional method of typing out something on Google. If this feature is ‘on’ in your phone, Google voice often collects information on your day-to-day conversations such as on your liking and disliking. This information collected is further used by Facebook to create ad preferences. 

There are various options in a Google account through which data can be collected, such as auto-fills which allows you to remember your password, a GPS feature that tracks your location through Google maps, Google browsing history, and Youtube search history, to name a few.

Although, your Google account does give you an option to opt-out of personalized ads by instructing apps you are using on your phone to not use your data to build profiles or show you personalized ads. But that does not mean you will stop seeing ads. 

You will still see ads but they may not be based on your interests. It will be based on the basic information that Google considers as public such as your name, gender, birth date, etc., and all of this is available at the ‘data and personalization option’ on your Google account. 

When you buy something offline, the same process is repeated, that is, your basic details are saved and given to Facebook when you make an online transaction. If you pay in cash, most of the offline stores still get your basic details like mobile number, your name, or your email id. Although, for new Google users, their personal data will be auto-deleted by Google after 18 months. But for the rest, their data is set to remain with Google forever.

As an internet user, these are things that you might have noticed but seem to ignore it thinking it’s not important. These are some of the ways in which your data is collected and used for advertisement by these tech giants to earn revenue.

Opting out of third-party ads on Facebook is not possible 

You cannot opt out of third-party ads. The users cannot simply opt out of the ads because Facebook needs capital to operate and it earns the same through advertisement. The ads will be visible to you based on your activity on Facebook such as a page you like or comment on it. The advertising works through the Self-Regulatory Principles for Online Behavioural Advertising (‘DDA Principles’) that regulates, controls, and maintains transparency in online advertising through a set of uniform principles. 

Personalised ads can be controlled

However, the others ads, which are third-party personalized ads, can be influenced. You have the option to control your ads on Facebook. Within that option, you can simply hide a particular ad, if you do not want to see it in your newsfeed. But that is manual and needs to be done for the hundreds of ads appearing on your newsfeed. Another option available to you is ad preference, within which you click on settings and you can control the ads you want to see by clicking on ‘data about your activity from partners.’ 

For instance, your Facebook and Instagram (owned by Facebook) account are connected and you are browsing certain clothing pages on Instagram. That browsing activity is collected by Facebook and it will show you personalized ads of that clothing in your newsfeed. Now, if you click on the option of ‘data about your activity from partners’ on Facebook, it will give you an option to opt-out of the personalized ads based on your activity on Instagram. However, everything else remains the same. You will still be shown ads that might not be based on your activity. 

However, unlike Facebook and Google, Apple does not heavily rely on third-party advertising. It is because Apple earns its revenue from selling its products and in-built apps. 

Apple’s new privacy policy that will put your data back in your control

Recently, Apple has announced certain changes in its privacy policies for the users of iOS 14 and onwards. Now, the iOS system will include a feature called AppTracking Transparency (‘ATT’). The iOS 14 and onward users will have an option to allow or disallow third-party apps to track their information. 

The app tracking Transparency framework will notify users in two ways:

• It will notify a user that a particular app is collecting a certain amount of information such as their movement, history, etc. (Data linked to you). 
• The second notification will specify what all data is used out of the one collected to track you (Data used to track you).

Apple used to collect data of their users through Apple’s Identifier for Advertisers (IDFA). Through this, apps publishers and mobile marketers would get access to user data to show custom ads. But with the new privacy policy, they will not have access to IDFA data. The IDFA is a random device identifier number assigned by Apple to users’ devices which tracks their data and helps the advertisers to deliver customised advertising without revealing personal information. Now, it would require explicit consent from the users. 

Moreover, recently, as an extension of their privacy policy, Apple’s app reviewer is now rejecting apps and their updates crafted with third-party SDK’s integrating device fingerprinting data collection techniques on the basis that it may work as an alternative to IDFA.

Now, as an iOS user, you would be required to grant permission to the third-party apps to collect your basic information to show you personalized ads or to build your profile based on the data collected. This does not mean that the apps cannot track the data at all. Tracking can still be done but in a way that does not explicitly identify the basic information of a user or the device or if it’s used for security purposes. 

Those apps that wish to track the users’ data must include a purpose string. The purpose string allows the user to explicitly grant permission to the app to link data connected to the user. Such prompts are available on various other android apps too. The prompt is also supposed to explain why the data of a particular user is to be linked and collected. If the user allows the app to track and collect the data but has turned off the same in the settings, the app needs to prompt again that the setting preferences require to be changed. 

Facebook reaction to Apple’s privacy changes 

In usual cases, Facebook has a unique way of fighting tech wars; it simply buys its potential competition and creates a monopoly in the market. It has been doing so in the case of Instagram and WhatsApp with the acquisition of the latter known as the most expensive one. Facebook acquired WhatsApp for $19 Billion. 

Interestingly, WhatsApp received another offer from Google but an unusual one. Google requested to notify it when WhatsApp would enter into an acquisition deal with any company. 

Previously, Facebook has been sued by the Federal Trade Commission and more than 40 states through the Antitrust Lawsuit for buying up its potential competitions. The anti-trust framework in the US is regulated through the Sherman Antitrust Act, 1890, along with the Federal Trade Commission Act, 1914 and the Clayton Act, 1914.  

But it is not the case that Apple has not been involved in any kind of monopolistic deals. Apple and Google entered into a deal where the latter requested the former to make Google its default search engine. Apple does not have its own search engine. In 2020, the Justice Department had filed an antitrust lawsuit against Google for this. As for now, Goggle still pays Apple £1.2 billion ($ 1.5 billion) in the UK alone for the default position. 

From what it has followed in all these times, Facebook’s current reaction to Apple’s privacy policy is significantly different. Facebook has reacted against Apple’s privacy policy by publishing critical ads, launching a website to share the stories of small businesses which will face the repercussions, and trending the hashtag #SpeakUpforSmall all over Twitter. 

It is also believed that the real reason behind Facebook’s dramatic reaction is the potential loss to their views-through conversion capability. The views-through conversion allows Facebook to track those ads which the users do not react to immediately but they may later end up purchasing something related to that ad because of that influence. Facebook also decided to test a new prompt asking users to allow tracking ahead of the ATT. 

While Apple has the right to protect the privacy of its customers, there are legitimate concerns over the right to use free internet. It is the only reason why people have normalized the compromised standard of their privacy to continue the services for free. 

Moreover, there is also a consideration to see, which is whether Apple is trying to decide the rules for the market? And since these tactics may work to negate the competition, should not it concern antitrust law? 

Previously, for similar reasons Russia’s Federal Antimonopoly Service has fined Apple $12 million in an antitrust suit. This means that all tech players here are playing the same game but with different strategies. 

Both Apple and Facebook are on the same page, at least in case of being vocal about the differences they have between each other. 

Growing privacy concerns and future of third-party advertising 

Apple’s privacy policy will surely set higher standards of privacy that users must be expecting from the tech giants. In the last few years, the concerns around the right to privacy have become apparent such as in the government regulations of the European Union’s General Data Protection Regulation (GDPR EU 2016/679), the California Consumer Privacy Act, 2018 (CCPA), and the United Kingdom’s Data Protection Act, 2018 to name a few. The UK’s law was enacted based on GDPR. 

The GDPR is a set of regulations that govern the right to protect personal data including the right to be left alone and the right to erasure/the right to be forgotten(Article 17). The Right to protect personal data is a fundamental right under Article 8(1) of the European Charter. Whereas, the right to be forgotten was added after the European Court of Justice’s judgment of Google Spain v. Agencia Española de Protección de Datos (2014). The judgment observed that the right to privacy is greater than the economic interest of the commercial firms. 

There are two important definitions to be understood, first, that of the person whose personal data is concerned and third-party who wishes to get access to this data.  The GDPR defines personal data as all that information relating to an identified or identifiable natural person. An identifiable natural person is understood in reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4.1 of GDPR). Whereas, a third party means a natural or legal person including a public authority, and agency. But does not include data subject, controller, processor, and persons who under the direct authority of the controller or processor, are authorised to process personal data.

The GDPR is summarised as:

• Personal data can only be processed based on consent and for legitimate interests.
• Certain categories of personal data based on ethnic or racial origin, political opinions, religious beliefs, data concerning the health or sexual orientation of a person are prohibited.  
• The data subject (user) who has given consent for the processing of personal data has the right to withdraw that consent anytime.
• Where data processing is done without consent, the same must be proportionate,  necessary, and in the public interest.

The CCPA is another legislation that governs the right to access the personal data of the users. The users must always be informed when their personal data including sensitive personal information is collected and processed, how long will it be retained, and what is the purpose of collecting it. 

In a case where the data is collected by a business to sell or share it with a third party or discloses the information to the service provider, shall first enter into an agreement with a third-party or such service provider specifying that the data has been collected, sold, or shared only for limited and specified purposes. However, the consumers will always have the right to ask the business to delete their personal data.

While in India, the right to privacy including the right to protect personal data was recognised as a facet of Article 21 in Justice K.S Puttaswamy v. UOI (2018). A committee headed by a former judge of the Supreme Court Justice B.N Srikrishna suggested a law on personal data and on the basis of it the Personal Data Protection Bill, 2019 was drafted. 

The Bill states that the data should be collected in a fair and reasonable manner without infringing upon the right to privacy of the user which is protected under Article 72 of the Information Technology Act, 2000. The Bill is yet to become a law. 

The Bill under Section 3(28) seeks to protect personal information which is defined as the one relating to the “natural person who is directly or indirectly identifiable, having regard to any characteristics, trait, attributes, or any other feature of the identity of such natural person, whether online or offline or any combination of such features with any other information and shall include any inference drawn from such data for the purpose of profiling.”

Currently, there is limited recourse available for the protection of personal data which is present under Section 43A of the IT Act. In case a wrongful loss is caused to someone’s sensitive personal data by a body corporate, then in those cases, such body corporate or any person on behalf of the body corporate will have to pay damages for negligence in implementing and maintaining reasonable security practices and procedures. This Section is read with the 2011 Rules on reasonable security practices and procedures. However, it is only limited to ‘sensitive personal information’, such as passwords, sexual orientation, medical history, and biometric information to name a few. 

Thus, the standards set by these government regulations are clear in regards to the right to protect the personal information of the users. Apple’s privacy change may be the first step in redefining the dimensions of tracking users’ personal information through third-party advertising in harmony with the current standards of privacy. It may be expected that other tech giants will eventually follow the footprints of Apple since the current atmosphere around privacy necessitates them to do so.  

Conclusion

These days tech wars are very common because it comes down to money and profit-making. However, Apple’s new policy can be considered as a ray of change as it ensures that at least the company is serious about securing the privacy rights of its users. At the same time, this also highlights Facebook’s chaotic method of tracking and collecting data of the users without an authentic mechanism to regulate the same. 

Facebook’s recent reactions can be considered overly estimated since other companies such as Snapchat and Twitter have extended their support towards the policy and have also clarified that the same would be modest. Although Facebook seems to be advocating for the rights of the small businesses, the episode of Cambridge Analytica (Facebook’s data scandal), where it became public that the platform was using political advertising to harvest data which would have potentially influenced US election campaigns and the Brexit referendum, cannot be forgotten.  

Even Facebook’s founder Mark Zuckerberg clearly confessed before the US Congress that he does not know how exactly the data collected by Facebook is used. It was also disclosed that the data of non-users of Facebook are collected too. To make such a blatant statement despite knowing that the world is watching him is a sheer act of negligence in the times where protecting personal data is quintessential.

At the same time, the other side should also be critically scrutinised because Apple may simply be acting out of interest by adopting an expensive way of negating its competition. Apple is also not new to antitrust suits and has been penalised from time to time for using unfair means to earn profit. It remains to be seen whether Apple is being loyal to its customer or just acting out of hypocrisy because, in the end, profit-making motive rules the market. 

References

• https://www.theguardian.com/news/series/cambridge-analytica-files
• https://www.ftc.gov/tips-advice/competition-guidance/guide-antitrust-laws/antitrust-laws 
• https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter2-subchapter1&edition=prelim 
• https://www.ftc.gov/enforcement/statutes/clayton-act 
• https://www.cnbc.com/2018/03/21/facebook-ceo-mark-zuckerbergs-statements-on-privacy-2003-2018.html.
• https://www.theverge.com/2020/12/17/22180102/facebook-new-newspaper-ad-apple-ios-14-privacy-prompt. 
• https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/requesting_access_to_protected_resources.
• https://developer.apple.com/app-store/user-privacy-and-data-use/.
• https://www.facebook.com/adpreferences/ad_settings/?entry_product=account_settings_menu.
• https://www.facebook.com/help/1075880512458213/control-the-ads-you-see.
• https://digitaladvertisingalliance.org/principles
• https://www.facebook.com/help/1075880512458213/control-the-ads-you-see
• https://policies.Google.com/technologies/ads?hl=en-US.
• https://policies.google.com/technologies/voice?hl=en-US
• https://www.facebook.com/business/help/488070228549681?id=288762101909005.

---

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: