Companies are doing whatever they can to meet rising user demands for more privacy, transparency and control in regards to their digital lives. The question continues to be: What are the right and wrong ways to give the user what they want?

Apple believes it has the solution with its App Tracking Transparency framework, which requires mobile application developers to obtain opt-in consent prior to serving targeted advertising via Apple's Identifier for Advertisers. Since ATT became effective April 26, developers bound to the framework issue a one-time prompt regarding user tracking preferences while giving users full control over permissions for individual apps.

"Retailers have relationships with their customers and try to understand them on an app, through web browser or offline in store. That whole story about a customer is their first-party data and they've relied on various ad partners to help them with that.” Kelley Drye & Warren Partner Alysa Hutnik, CIPP/US, said. "To now have that be an opt-in approach … There's an educational journey in digital advertising for many businesses and I think they're just getting caught up. It's not with malintent (from Apple), but suddenly they can’t rely on third parties making decisions for them."

The pro-privacy sentiment of Apple's new standard is certainly a draw for users, but what kind of lift is it taking for developers and advertisers to rise to ATT's requirements? Simply put: A lot.

"In these first few weeks, we have a massive industry challenge, and I'm concerned,” Safeguard Privacy Co-Founder and CEO Richy Glassberg said. "I think there are some at one end of the bell curve that get it while others are asking 'What's happening here? How do we deal with it?' Compliance is a huge tactical nightmare right now for all sides."

Interpreting ATT's 'tracking' definition

One of the biggest struggles on the ATT compliance front is making sense of Apple's framing of what constitutes tracking. Apple's definition covers targeted ads based on collected data, various data sharing through data brokers and third-party advertisers, and third-party software development kit placements. It sounds straightforward enough, but professionals see the definition as problematic on various levels.

"They just up and used this language for tracking that technically is what you're doing, but you might not know what that means as a consumer," BigID Vice President of Privacy and Policy Heather Federman, CIPP/US, said. "It comes off as somewhat scary and, for all intents and purposes, you would not agree to that."

As much as the language around tracking is causing stress, there was potentially a way to avoid the misunderstandings and hard feelings. Hutnik indicated Apple did developers no favors as far as preparing them for what to expect with its definition.

"I think the overtime, updated FAQs and clarifications have caused a decent amount of consternation," Hutnik said. "We're all working with terms Apple has defined that don't track with terms we are accustomed to under laws and other self-regulatory best practices. While Apple believes they've been crystal clear, I don’t think the industry views that the same way."

Other compliance challenges, potential workarounds

Glassberg along with Wayne Matus, Safeguard Privacy's executive vice president and general counsel, explained a trickledown issue stemming from a double opt-in dilemma Glassberg said "no one is talking about." Not only are apps being tasked with obtaining consent under ATT, but then they continue to provide their pre-existing consent toggles for regulatory compliance. The double opt-in presents risks to business models depending on a user's willingness to consent at both stops.

ATT also fractures the marketing system as far as current versus prior data collection goes, according to Matus.

"All of this old data held on you is still there and it’s not touched. This new non-tracking business doesn't affect that legacy data or those who have it," Matus said. "This means, for the advertising ecosystem, immediate interest advertising is affected, but long term-interest advertising isn't affected at all. So you've created a bifurcated world of data."

From a technical compliance standpoint, Federman worries that app developers could potentially find methods to bypass ATT's standards.

"We're assuming that developers will have to follow the SDK that is presented here," Federman said. "There were already various reports about the workarounds that were going to happen. Whether those go through remain to be seen, but I could see this causing the unintended effect of more nefarious forms of tracking, like device fingerprinting."

Workarounds and ignorance are always possibilities ATT will face, as they are with any law or standard. The difference between non-compliance with standards is the punishment rarely matches the crime.

"You can say you're doing any of these things to meet standards for transparency, viewability or anything else. But even if you didn’t, no one is giving you a fine or putting you in jail. They're standards," Glassberg said. "So when it comes to ... actual privacy laws, if you don’t comply, there are serious consequences. So, my question is, did Apple help you comply or make things more uncertain?"

Non-compliance could also be a product of the aforementioned misunderstanding companies are contending with.

"I've walked through with a number of the business partners and they are very confused," Hutnik said. "You can hold their hand and walk through, but so many companies just do not have the funds to hire an outside counsel to go through this with them. In good faith, they're going to do the best they can, but it’s going to go one way or the other."

A step forward for privacy?

As tough a time as businesses are having grasping Apple's framework, ATT is by all accounts a step in the right direction from a consumer privacy standpoint.

"We were excited about the change because there just haven't been real mechanisms, whether it be from a private or government standpoint, that were as strong as this in terms of limiting certain kinds of tracking," Electronic Privacy Information Center President and Executive Director Alan Butler said. "Certainly the ability to turn off by default the type of pervasive tracking that's increasingly creeping into the mobile devices."

The early returns show that user control is highly desired as Flurry Media's report on opt-in rates from 2.5 million devices showed 4% of U.S. mobile users opted in while the number jumped to 12% worldwide. Federman isn't sure how narrow the sampling was for those numbers, but she would be curious to see whether opt-in rates jump with any sort of pre-disclosure, like the one deployed by Facebook and Instagram explaining how opt-ins were required to maintain the same services users are accustomed to.

Given what the early numbers show, though, Matus wonders if Apple's move could effectively spell the end of targeted advertising under the ultimate realization they aren't even necessary.

"I've always questioned the effectiveness of certain targeting practices. Do you really need to see a picture of the same pair of jeans 100 times? From the perspective of reach, frequency and monetization, it often doesn’t make sense. How does this type of targeting make the consumer feel? Does it compel them to buy or resent the brand? These laws and standards, especially (the EU General Data Protection Regulation), are attempting to give consumers some control over their data and online experience, empowering them to resist certain practices."

With the consent model itself, Federman supports what Apple has done in terms of simplification for the sake of the users.

"They make this very normative for users, which I can appreciate," Federman said. "Everybody already has so much stuff going on, so keeping it simple is a good way to do it."

Should Apple be taking the lead?

Many have questioned whether it's appropriate or fair to have Apple setting the bar for an entire industry. The move wreaks competition issues, but a larger point of contention in the privacy space is how ATT compliance doesn't add up to regulatory compliance.

"It doesn't necessarily follow the regulatory standards to a tee so I think that's where you get into that issue of how many stakeholders were actually consulted, including regulatory bodies," Federman said. "I think that kind of goes to the challenge we're seeing. For me, I would've felt a little bit more placated by this if they had those conversations."

Federman and Hutnik both indicated they never heard about any sort of consultation that took place. Even if there was consensus among Apple and some other companies, Butler opined it still wouldn't "give you a true standard."

Butler pointed to the "failure of the self-regulatory approach" adopted by the U.S. Federal Trade Commission in the 2000s for why Apple felt empowered to step forward. He also alluded back to the company's competitive standing.

"Because Apple doesn't compete with the Googles, Facebooks and others in the world of internet advertising, they get a benefit essentially of requiring a technique that doesn't harm them," Butler said. "That, plus the strict private governance model of the iOS app store, is kind of the perfect storm to allow this technology to be rolled out at the impetus of even a single company."

Much like the issue of a potential patchwork of U.S. state privacy laws, Apple's solo moves may cause a ripple effect among fellow players in the mobile device market that results in ATT-like rules for other platforms or services.

"Apple does this, but we forget that they are only 50% of the U.S. mobile market and 15% globally. If Android is doing something else, we have a fragmented market," Glassberg said. "This has gotten so complex to the point where I wonder if there are any regulators that understand it. And now we've got companies trying to legislate. I give Apple a lot of credit for doing this. But why are they doing it? They shouldn't be the ones that have to."

Photo by Sara Kurfeß on Unsplash