The Autorité de la concurrence:
The Autorité de la concurrence has fined Apple €150,000,000 for abusing its dominant position in the sector for the distribution of mobile applications on iOS and iPadOS devices between April 2021 and July 2023.
[…]
However, while the principle of the ATT framework is not problematic in terms of the likely benefits for users as regards privacy protection, the Autorité found that how the framework is implemented is abusive within the meaning of competition law, in particular as the implementation methods artificially complicate the use of third-party applications and distort the neutrality of the framework to the detriment of small publishers financed by advertising.
These regulators seemed particularly irritated (PDF) by how similar App Tracking Transparency is to GDPR requirements, without being fully aligned with them. Because the ATT prompt does not allow developers to specify which third-parties are receiving tracking data, developers must include a second opt-in screen that provides more details about how their data will be used. This is fairly granular — arguably too much — but Apple’s version lacks detail. If a user agrees to third-party tracking, is their consent fully informed if they do not know with which advertisers their information is being shared, or even how many? I am not sure they do.
They also seemed to disagree with how Apple defines tracking. German regulators are also interested in what amounts to self-preferencing, even if that is not Apple’s intent. The authority has not yet published the text of the decision, which will hopefully answer many of the questions I have.
One thing I am curious about is how the regulator reconciles Apple’s apparently “not problematic” attempts at improving user privacy with the callous disregard toward the same shown by ad tech companies. Trade groups representing those companies, including the French offices of the IAB and MMA, were among those who filed this complaint. Both trade groups are loathsome; their inability and failure to self-govern is one reason for this very privacy legislation. Yet Apple’s particular definition of “tracking” is something only relevant to very large platform operators like itself. There is very clearly a conflict of interest in Apple trying to apply these kinds of policies to competitors, especially as Apple expands its ads business.
John Gruber:
It’s clear that only one of these two things — Apple’s ATT or French/EU privacy regulations — was actually effective at reducing tracking: ATT. No one claimed that French or EU privacy laws resulted in Meta losing a fortune because they had to adjust their kleptomaniacal thievery of users’ privacy. But by all accounts, including Meta’s own, ATT cost Meta billions. And yes, ATT hurt small businesses too — small businesses that were built upon surreptitious tracking that users had neither awareness of nor control over. […]
I am not sure the available evidence supports this conclusion. In response to E.U. legislation and a record fine, Meta has introduced versions of Facebook and Instagram at a free tier with less personalized advertising — targeted only based on factors like a person’s age, gender, and the context of the ad — and a paid tier with no advertising at all. Depending on how many people opt into each tier, it may reduce Meta’s revenue. This, to me, sounds at least as productive as ATT, which had a mixed impact on ad tech companies like Meta. I am sure it cost the company money; I am equally sure it found new ways of figuring out how to target advertising based on the massive amount of personal information it continues to collect.
Smaller ad tech companies have not escaped regulators’ attention, either. Criteo, a French personalized advertising business, was fined €40 million in 2023 over privacy law violations. Orange was fined €50 million last year for a similar reason. Both are IAB members now on the winning side, as it were. Nobody looks good here.
I still believe both of these prompts are an inadequate solution that foists the burden of adequate privacy protections on end users. ATT and privacy legislation are two ways of approaching a similar problem. But one of these is operated by a massive private corporation with its own priorities taking a quasi-regulatory role, and it should be subject to governance with that in mind. I was optimistic about ATT; however, it is insufficient without strong privacy laws. I hope French authorities can settle this with Apple in a way that prioritizes users.