So the fine seems to be for treating 3rd parties differently from their own stuff.
They could make their own popups require double confirmation instead...
>The agency said there is an "asymmetry" in which user consent for Apple's own data collection is obtained with a single pop-up, but other publishers are "required to obtain double consent from users for tracking on third-party sites and applications." The press release notes that "while advertising tracking only needs to be refused once, the user must always confirm their consent a second time."
They take issue with Apple making it easier for their apps but applying a different standard for third parties. I think this fine is fair.
* explain and prompt the user for consent
* if they acquiesce pop the real modal
* otherwise bide your time and try again later
The reason for this is because once you receive a rejection in the official modal you are not allowed to ask again.
A simple yes-no for third-party applications makes it easier for the user to reject tracking and doesn't make the process more cluttered than for Apple apps.
It's specifically recommended by apple.
https://developer.apple.com/design/human-interface-guideline...
If no, then first party vs third party having different standards of consent seems reasonable?
It's all just silly.
If Apple doesn't feel like they need additional consent and/or doesn't use ATT-blocked systems then they don't need that.
This is stupid.
Not sure how you collect all the necessary consent clicks without at least two clicks if a third party is involved?
Do they get a pass on collecting a consent click for one of the parties?
Or do you only ever need the consent for the third party to track?
My understanding was you needed to get consent for every company in the chain. Is that untrue?
Are they right about that? Does Apple provide the app with confirmation that the user consented, and if they do, is it legal to rely on that confirmation?
I'm not sure this is fixable?
Or maybe there is widespread misunderstanding of the requirements in this scenario? But I also thought the rule was tough enough to require verifying that extra consent? Maybe it's not?
Truly confused here.
App Publishers have instead used the explanation page as a "soft" consent form, so they can bug you later without being disabled at the system level.
Sounds like a good shakedown to me. Wait until they tweak it then fine them again for getting it “wrong”. I wonder if they even got the chance to change anything before they were fined the first time. And all because the regulator wants users to be advertised to more?
Granted, not all are fines for tracking users, but all sorts of violations. Reasoning is included in the table.
That's the exact of cynicism I'm talking about. It doesn't matter whether banning third party was good for users or not, only whether Google (or Mozilla) stood to benefit. This is absolutely toxic because it means objectively good changes get shouted down.
> Plus many people complained.
For what, Firefox?
When I install an app I get a single popup asking whether I want to share with advertisers or not.
I don't have to do anything twice.
Is it different in Europe or something? Is there a second popup there, and if so, what?
Not from Apple's end.
Apple mandates that all requests for permissions go through a single, OS-provided dialog. If a user accepts, the permission is granted; if the user rejects, the permission is not granted, and the app can't ask again. Simple enough.
App developers try to maximize their chances of getting that permission granted by adding another warm-up dialog before actually doing the official permissions request. Since those other dialogs aren't part of Apple's permissions request chain, they can be rejected by the user without consequence, and the app can present them as often as it wants.
There is nothing which requires third-party developers to use these additional dialogs. It's a design pattern (and an annoying one at that) which many developers have gravitated towards. Not all developers use it; in particular, Apple doesn't use it for their first-party apps. And apparently FCA is faulting Apple for not following that pattern themselves.
5 or even 10 years ago this would have been unthinkable in dutch politics, even if this has been called out a lot as a risk in tech circles.
[0] https://www.dutchitchannel.nl/news/602753/tweede-kamer-neemt...
The EU (through GDPR) also wants some sort of affirmative consent for tracking. That's fair, and results in one prompt. However, iOS obviously can't accept a "trust me bro" from the app itself that it's okay to enable cross-app tracking, so you need a second prompt. The obvious solution would be to combine the two, by allowing the ATT prompt to be used as consent for the purposes of GDPR. Why didn't French regulators go with this solution and decide to fine Apple instead?
Well, yes there is: I don't have carte blanche to do whatever I want with your data because you tapped an Apple dialog: I have to obtain your consent first.
more @ https://news.ycombinator.com/item?id=24109695 (via https://www.forbes.com/sites/johnkoetsier/2020/08/07/apple-a...)
EDIT: Throttled, so reply can go here:
> My previous comment directly addresses the "asymmetry" aspect.
Apologies, you asked what the asymmetry was and I guess I'm still rather confused even after reviewing the thread. I think I've had too much caffeine...or not enough? :)
> The obvious solution would be to combine the two, by allowing the ATT prompt to be used as consent for the purposes of GDPR. Why didn't French regulators go with this solution and decide to fine Apple instead?
I've been involved in regulatory stuff before and it's considered overreach, generally, when the government does UX design for you. Hopefully, that's a solution Apple can consider, it's a great idea on your end, excellent for users and competition.
>The obvious solution would be to combine the two, by allowing the ATT prompt to be used as consent for the purposes of GDPR. Why didn't French regulators go with this solution and decide to fine Apple instead?
edit:
>Apologies, you asked what the asymmetry was and I guess I'm still rather confused even after reviewing the thread. I think I've had too much caffeine...or not enough? :)
The point is, I can see where the "asymmetry" is, but I don't understand why they went decided to fine Apple rather than do something on their side (ie. rework the idea of consent in GDPR to allow for reusing the ATT prompt) to fix the "asymmetry". I think most people would agree that the ATT prompt from iOS must stay, and it's better to address the "asymmetry" by making third party apps more streamlined, than by making iOS worse[1]. That would be entirely within the French regulators' remit.
I wonder if this sheds light: if they said exactly what to do, there's a strong argument that they went too far when business regulators became UI designers.
> Wait until they tweak it then fine them again for getting it “wrong”
I don't worry too much about it, I used to work at Google, companies and regulatory authorities are in constant contact. Generally, I haven't yet seen a company claim to have addressed a situation then gotten fined again.
> And all because the regulator wants users to be advertised to more?
I can't find that bit in the article and I haven't heard it before: could you share some more?
[1] https://developer.apple.com/design/human-interface-guideline...
I have to assume this this is the same "issue" with all Apple permissions. They can only be requested once by the app and if the user denies it then the user has to dig into Settings to turn it on later. To avoid/work around this a lot of app developers prompt the user before they trigger the OS-level prompt so that if the user says "no thanks" they don't "burn" their one chance to request a permission.
Apple, it seems, doesn't use those "pre-consent" screens so it's only 1 dialog. Also, to my knowledge, Apple doesn't allow it's apps to prompt with the system dialog multiple times either so they are on equal footing it appears.
As always it's important to see who is complaining/behind this:
> The French investigation was triggered by a complaint lodged by advertising industry associations.
Ahh, got it.
The "Autorité de la concurrence" seems to suffer from the same issue almost all government regulators suffer from, they know fuck-all about technology which is perfectly summed up with this:
> Benoit Coeure, the head of France's competition authority, "told reporters the regulator had not spelled out how Apple should change its app, but that it was up to the company to make sure it now complied with the ruling,"
Not only is it a "You need to make _A_ change but we won't tell you what it is"-type thing which is super annoying [0] but "Apple should change its app". If you don't understand the difference between an "App" and an "OS" then you should not be making rules for either.
ATT is a 100% win for consumers and I don't for a second believe the BS around "but what about small businesses!", just look at all the people championing small business, it's check notes, ahh, yes, Facebook and large ad agencies, bastions of small business /s.
[0] Yes, it's even more annoying when Apple does it to developers and I think we are all feeling a little bit of Schadenfreude over it.
This absolutely sounds like a problem caused by the law and not apple. Apps can’t rely on the prompt for legal authorization (presumably because it is filtered through apples apis?) and must therefore ask themselves.
The only two solutions I see to this is either Apple can’t prompt which means they can’t protect the user or the law can change to accept the prompt as authorization to track.
> The Autorité also found that the rules governing the interaction between the different pop-up windows displayed undermined the neutrality of the framework, causing definite economic harm to application publishers and advertising service providers.
https://www.autoritedelaconcurrence.fr/en/press-release/targ...
“Economic harm to … advertising service providers” says it implicitly.
Apple need one of these https://learn.microsoft.com/en-us/openspecs/
I do not really care if some businesses can no longer make money in the way they like to. I’m sure they’ll figure it out if they have to. Businesses existed for a loooooong time without tracking their customers. I’m sure they can do it again.
The second paragraph has what you want. From the article:
> The App Tracking Transparency (ATT) framework used by Apple on iPhones and iPads since 2021 makes the use of third-party applications too complex and hurts small companies that rely on advertising revenue ... The system harms "smaller publishers in particular since, unlike the main vertically integrated platforms, they depend to a large extent on third-party data collection to finance their business," the agency said.
Is there another way to interpret this than that the agency wants to protect advertizing and data collection practices by small businesses?
The Apple apps go straight to the permissions pop up.
How is it Apples fault they do this?
Likely they'll fall back in Europe to double-prompting as well in system apps.
Apple created this problem for itself when they decided that they wanted to double dip and become advertisers (while conveniently making advertisement less effective for everyone else). The amount they net from it surely can't be worth the trouble is causes. It's also simply scummy and always puts conflicting interests at play.
Still don't understand the two versus one confirmation thing. I have tracking entirely disabled so apps can't even request it, but it'd be nice to see some workflow of how Apple's tracking works versus everyone else. The complaint almost seems that Apple apps simply do track your details and use them for targeting, without any confirmation (which Apple argues is okay because there is no third party getting the deets), where others have to do the confirmation.
Weird you still have no idea why.
So let me tell you, there was a tribe in a village and they had many rules, some young boys hated the rules so they left and made their own village with no rules. One day one of them made a fire and let it unsupervised and many of their shacks burned so the boys decided that there should be one rule about not letting fires unsupervised.... the story continues with similar issues happening and they reluctantly adding one more tule, then one more rule until they get tot he same original rules from the original village.
Correct.
> The regulations are there to protect users
Also correct.
> a 3rd party application is more likely to harm the user, so less trust is warranted.
Not sure if I agree or not, but it doesn't matter.
I mean, I've had apps show a popup beforehand explaining what they want me to answer. But that's not required, nor does it seem common.
The native iOS permission dialog is only a consent about what the app can do locally, and doesn’t list the 1034 close partners that they will share your DNA with.
Makes me think.. one potential risk here is that vendors will band together under a common ”publisher” where apps can piggyback on consent from previous apps, just like the big guys do but without being part of the same feudal kingdom. Wouldn’t surprise me if this already happens.
It's the equivalent of fining a millionaire 150 EUR, or a regular person fifteen cents.
That's not a fine, it's a show put on for people who can't do division.
According to the article, the French agency believes they would have to ask twice:
> Third-party publishers "cannot rely on the ATT framework to comply with their legal obligations," so they "must continue to use their own consent collection solution," the French agency said.
You could argue that choice is questionable because Apple needs to follow its own rules, but also .. it is the Camera app. I think if you don't want the Camera app to use the Camera you probably should not have opened the app at all.
ATT (App Tracking Transparency) is the dialog that says something like "Facebook would like permission to track you across apps and websites owned by other companies. Your data will be used to ... $AppProvidedExcuseHere." with "Allow Tracking" and "Ask App Not To Track" buttons.
ATT is the First consent.
The SECOND consent this case is about is the in-app consent that needs to happen according to French law. I can't give an example of that because I do not live in France but I assume this is probably some horribly designed page inside a French app that asks you to share your data with the ad surveilance industry.
I’ve seen confirm (app) -> confirm (Apple), but never deny (app) -> deny (Apple).
I believe Apple's goal with the popups is to protect consumers' privacy from 3rd party apps, which is admirable. But where they went wrong is that they didn't apply the same process to themselves.
> Third-party publishers "cannot rely on the ATT framework to comply with their legal obligations," so they "must continue to use their own consent collection solution," the French agency said. "The result is that multiple consent pop-ups are displayed, making the use of third-party applications in the iOS environment excessively complex."
It's not harder at all. France are just mad that their small advertisers have to ask for permission again which is their own choice.
Don't give users a choice in tracking: complaints Give users a choice in tracking: now it's too many pop ups
And €150M is a lot of money, you can have on the order of a thousand people working on the problem for a year to get even. I am sure they can figure out a way.
Same idea with, say, a parking ticket for nonpayment. It may be nothing to a millionaire, but the important part is that in the long run, it is more cost effective to simply pay for parking.
Imagine if people from the old village came to the new village and said that they wanted to set up the rules they had in the old village but they want to live in the new village. Some people are perfectly happy in the new village, but the people who came from the old village say that the rules are unfair.
As someone who actively wants Apple provide a tighter experience, this is how I feel. I have a nice garden that I'm playing in, and others have a sandbox. They like my garden because it's sunny, but they want the rules of their sandbox to apply to my garden. The grown ups let them in, and now there's nowhere to play that doesn't have sand anymore.
It seems that this logic would prevent any regulation of what happens on macOS or iOS, since anyone who is using either has knowingly bought into the Apple ecosystem. (And analogously for Windows, since anyone who is using it has knowingly bought into the Microsoft ecosystem.)
I don't live in france but I'm familiar with the popups. many apps on first install will give you an in-app prompt asking if they can send you push notifications. If you accept, you get the system prompt. if you decline, you don't. I'm not a regulator, but it seems they've misread this one IMO - they only need to provide the conseent at the platform level and can opt out at the platform level if they so wish.
Surely the same argument can be applied to the cookie law - many sites feel like they need consent therefore it's unfair over people who think they only need one prompt.
I buy Apple specifically because I want the level of privacy that their platform provides. If third party devs don’t like it, they can ship for Android.
A good faith interpretation of the parent's comment might assume the tribe's leaders started making arbitrary rules about fires which were of questionable benefit to the tribe and when the tribe did things there own way the leaders took bananas from them as a punishment.
If the rules being made are not of clear benefit to the tribe then surely it is right to question them? Your point that rules can be good should be self-evident, as is the inverse - that rules can be bad. What's important here who is the beneficiary of those rules.
Clearly the consensus is that YES, they were harmed, and the proof is the Web 2.0 revolution driven by the eventually broken browser monopoly by Firefox and Chrome. But at the time the tech industry trenches were filled with platform fans cheering Gates et. al. and claiming sincerely to want the benefits of the unified Microsoft Experience.
Every time you take an Uber or reserve an AirBnB you're demonstrating the fallacy of that kind of thinking.
Basically: yes, competition is good always, no matter how tempted you are to believe the opposite.
More logical is to compare it to their yearly profit. Net income was $74B last year.
So the fine is ~0.2% of that, which is pretty significant for something as tiny as having two pop-up messages rather than a single combined one.
And for a regular person making $50K/yr, it would equate to a $100 fine. Not fifteen cents.
No pop-up is needed to reject what is already banned union-wide. Therefore, a banner that is trying to collect my explicit+specific+informed+voluntary consent to partially lift that ban is not a "pop-up that lets users reject". Its a "pop-up that lets users surrender" some of their rights & freedoms.
And browser choice in the EU had little long term affect
https://arstechnica.com/information-technology/2014/12/windo...
In fact them limiting more and more third party access to data is just a play to boost their own selling of your data.
I don't mean ads for Apple products. I mean the ads that Apple sells in News, the App Store, where they track your behavior to personalize the ads you see and to see if you ever buy what the ad is selling.
I'll just leave you with the fact that Apple across two decades paid pennies in taxes in Italy (claiming few millions in revenues) because they would have bullshit like Apple Ireland selling Apple Italy iPhones for 1000€s and selling them for 1000€s plus vat.
Meanwhile Apple Ireland was buying those iPhones for the pennies it costs to make them (few hundred $ at best) and thanks to Irish corporate taxes being close to non existent (0.5%) Apple has paid virtually nothing for decades.
If you believe that us European voters love our countries to be subsidized by rich American countries you're out of your mind, but what we dislike is being taken advantage over and over.
Privacy is about making access transparent, not by having customers in tiers.
I swear there's a parallel world with lunatics saying they are glad that only XCode can access their file system and processes and they don't want that Vim, VSC, Emacs or IntelliJ crap.
Just maybe if the EU spent more time encouraging innovation instead of passing laws, they would have a real tech industry.
Every Mac and Windows user who uses Chrome made an affirmative choice to download Chrome and didn’t need the government to help them make a decision.
Today in the US, even though the average selling price of an iPhone is twice that of an Android where there are dozens of choices and Android is backed by a trillion dollar company, 70% of users in the US choose iPhones.
In every single country, people with more money choose Apple devices using their own free will even though there are dozens of cheaper Android devices to choose from.
Just like people said “no” to ad tracking when given a choice and now the ad tech industry isn’t happy with that choice.
That being said in that specific case this is odd because in general:
- EU (albeit not France) gives plenty of time to OS developers to adapt and often talks to them directly when they are as big as Apple
- The timing makes it look like with a different less disruptive administration it would've went differently
In any case US companies abusing any possible loophole for paying pennies for decades in Europe don't get any sympathy by me.
In fact Apple is making more and more money on ads because they limit data access to third parties, but still sell yours in search and store.
The more proactive approach is tractable since it preserves competition (easy) instead of low prices (hard, on shakier legal footing)
Compare what Apple does on iDevices. Safari comes pre-installed, and every competing browser can only skin the OS engine; competing browsers can't actually port their own offerings. On top of that, if you actually want to sell a browser, Apple will get a cut of your sales.
And yet, Apple's app store and ecosystem doesn't seem to be treated as a monopoly in this regard. If not here, why wouldn't they also get away with all of their other anti-competitive practices?
FWIW, I think they should be treated consistently as a monopoly. As a backup option, I'll settle for consistently treated as not-a-monopoly.
Mixing and matching rulings will only serve to hurt in the long run.
Apple has convinced a lot of people through sheer PR force that they are 100% trustworthy and therefore all of their restrictions and self-bypasses of those restrictions are warranted. Either all of it is OK, or none of it is, unless Apple enjoys getting it wrong and getting fined.
Google and Facebook also insist that they never sell the massive amounts of personal data they collect on their users.
That doesn't mean that your data isn't being exposed to random people or that it isn't being used against you.
https://www.theguardian.com/technology/2019/jul/26/apple-con...
The more proactive approach requires an omniscient regulator that you hope preserves competition but really can only guarantee current prices and incumbent profits.
Workarounds include having the other person message you first, or manually typing wa.me/+number into your browser.
Slightly more info: https://android.stackexchange.com/questions/229390
The legal system, including the discovery process, and basic accounting to calculate when the selling price is lower than BoM cost.
Now it's your turn to answer my earlier question.
... except in the EU where it's now legal to deliver a non safari browser engine through alternative app stores.
It's just that no one will do it for just the EU...
The laws are created for all, all people, all companies. We do not give Apple exceptions because reasons like this guy likes it as it is. When Apple decides to do business in a country it accepts the laws there, if they do not like the laws then they can just refuse to do business there.
My response is on topic for the comment it responds. But in case someone else fails to understand the message, the rules are added because someone made something bad intentionally or now,
so can you guess why the companies were forced to add "Unsubscribe" in their emails? do you think someone imagined this rule for no reason ?
It's telling that the former CEO of Apple was famous for driving a car without plates, and parking in handicapped parking spaces, just because he could.
A) A consumer seeing more of their ads B) A consumer seeing the same number of ads C) A consumer seeing less of their ads
Well, yes. These are billion dollar companies. Always follow the money. The incentives change everything.
>This is absolutely toxic because it means objectively good changes get shouted down.
Probably because "objectively good" changes often follow before even more harmful decisions. Many have long lost their benefit of the double for these Big Tech trillionaifes. And the reputation is deserved.
>Third-party publishers "cannot rely on the ATT framework to comply with their legal obligation
Yeah, as apple loves to do, rules for thee but not for me.
>France are just mad that their small advertisers have to ask for permission again
Because Apple's isn't good enough, but in apple fashion you must use it (but they dont). Yeah, anti-competitive.
Like, do we want protections from corporations or to continue to let them stomp on using hopes they become the corporation one day?
This is just more an extension of the DMA lolly gagging they are doing where there's a clear solution that Apple takes its sweet time strolling towards.
Yes, they do.
>Apple does not sell your personal data including as “sale” is defined in Nevada and California. Apple also does not “share” your personal data as that term is defined in California.
From their privacy policy (C. 1/31/2025) It's enough to comply for a definition under a single state in a single country. They make a billion off ads so I'm sure they loophole the heck out of that.
"at what point do we admit that the EU is strongarming US tech to their will"?
You can't win here.
So price controls is your answer? The Costco rotisserie chicken is illegal monopolization in your world.
> What mechanism can the regulators use to prevent competition going out of business while maintaining the artificially low prices?
The legal system, including the equitable power to split up companies under antitrust law.
There is a reason that the proactive approach has been roundly rejected by courts in the modern day, despite Lina Khan’s best efforts to push it. Despite your comment earlier about preserving competition being “easy” (preserving competition via regulation is never easy) and preserving low costs being “hard” and on “shakier legal footing,” the test for antitrust remains consumer harm, not competition.
In a few years we can compare who got it right.
So I guess the question hinges on if the data Apple shares with their partners can be fingerprinted or not.
As as I understand, declining to use the ATT framework just means they don't share the system advertising identifier (IDFA). That does not mean the information they do share cannot be fingerprinted.