A

By now you've probably heard about marketecture Live. We put on two sold out events jam packed with the most insightful advertising content around. Speakers included Eric Seoufer, James Borrow from Universal Ads, Mark Grether from PayPal, Olivia Corey from Houzz, and of course me and the Mark Detector Group. Well, this spring we're coming back bigger and better with a two day that's shaping up to be a must attend event March 10th and 11th in New York. We're putting on the new tent pole event in collaboration with Adweek and TV Red and you absolutely need to be there. Early bird tickets are 25% off and qualified brands and agencies can be comped. Go to marketlive.com right now that's marketecture live.com to get the early bird discount.

B

Welcome to the Monopoly Report the Monopoly Report is dedicated to chronicling and analyzing the impact of antitrust and other regulations on the global advertising economy. If you are new to the Monopoly Report, you can subscribe to our weekly newsletter@monopoly-report.com and you can check out all of the Monopoly report podcasts@monopolyreportpod.com I'm Alan Chappelle. This week my guest is Alan Butler. Alan is the Executive Director and President of the Electronic Privacy Information center, or epic. EPIC is an advocacy organization that pursues a wide range of civil liberties, consumer protection, and human rights issues. Prior to his appointment as Executive Director, Alan Butler managed epic's litigation, including the amicus program, and filed briefs in emerging privacy and civil liberties cases before the US Supreme Court and other appellate courts. Today we're talking about the French Competition Authority's recent decision characterizing Apple's implementation methods regarding app tracking transparency, or att, as abusive within the meaning of competition law. Given Apple's dominant market position in mobile app distribution, Alan and his colleague Callie Schrader at EPIC wrote a blog post a little while back about the decision. As you might imagine, EPIC took issue with the decision stating, and I quote, invalidating the ATT system is not a good way to promote competition in the ad marketplace, and it would deny users an actual meaningful choice to protect their privacy in a tech ecosystem that is overrun by surveillance. I am delighted to have Alan on the podcast to share and perhaps build on Epic's perspective after reading Epic's article, which, by the way, I'm posting in the Show Notes so you can read it too. My sense is that EPIC may be overstating the popularity of ATT with consumers and they are underappreciating the dearth of monetization options available to app publishers in Apple's ecosystem and seeing ATT more through a privacy lens, where I tend to see ATT as more of a cynical cash grab by a big tech company. I think this is going to be a spirited discussion, so let's get to it. Hey Alan, thanks for coming on the podcast. How are you?

C

I'm doing great, Alan. Thanks for having me.

B

Well, I'm really looking forward to this discussion. So I suspect that most of my audience is at least familiar with the Electronic Privacy Information center or epic. But just in case, would you mind just sharing a bit about Epic's role within the larger privacy community, what your goals are, how things work with Epic? Sure, yeah.

C

Epic is a nonprofit research and advocacy center. We've been around since 1994 and focused on defending the fundamental right to privacy for all people online. We're based in Washington, DC. You can visit us at our website, epic.org and we do all kinds of different advocacy and public engagement work around tech policy and privacy issues.

B

Just a quick aside about Epic. I think it was 2005, I was at Fordham, which is where I went to law school, by the way. But they had some event where Mark Rotenberg was at, and he did the near impossible feat of taking his slide deck, literally throwing it up into the air and doing his presentation regardless of the order. And darn it if Mark did not stick the landing with it. I thought it was a kind of a brilliant display.

C

We always, we go for Flash and you know, pizzazz when we can certainly.

B

Well, fantastic. So let me set the table here with a little bit of background. Apple announced in 2021 that it would roll out a new feature called App Tracking Transparency, or att. And it was designed to enable users to directly control whether mobile apps on iOS can track their activities across apps and services. So Apple's ATT system gave a user two options. Option A was users can turn off cross app tracking, which removes their device's idfa, which for those who don't know, is the UID used for cross site tracking, or option B where users can give their permission to allow tracking in cross context behavioral advertising. So ATT has been the subject of a number of inquiries from the EU competition regulators, and we can get into that in a minute. But Epic, I think it was you and your colleague Kali Schroeder. Did I pronounce that correctly?

C

Schrader.

B

Yeah, Schrader. Apologies. Callie Schrader, you released a blog post sharing your thoughts specific to the way the EU competition authorities had taken issue with att. So first I'm curious, you know, what made you and your colleagues at Epic decide to weigh in on Apple att?

C

Sure. Yeah. And thanks again for having me here for the conversation. I think that we look back at the last few decades, certainly working in privacy, and it's terrifying times. More and more data being collected about us online every day. I think the advent of the smartphone in particular created kind of a massive new inroads into people's private lives and information. And certainly the way that Internet services have grown and evolved have made it, you know, easier and easier to collect data out people and harder and harder for people to protect themselves online. So we don't get always get a ton of wins on the privacy side in the privacy community. And I think, you know, to see, as we did a few years ago, a company like Apple roll out a feature that actually feels like it does something is pretty important. Certainly we've seen other services and other platforms add privacy settings in different ways. But what was interesting about ATT when it rolled out is it really cut across apps and services and dealt with an issue that was previously really invisible to iPhone users in particular. This is same is kind of true in other platforms, but to stop cross app cross site tracking directly on the phone. And we saw in the years after that rolled out a massive backlash kind of as you would predict from the ad tech community. You know, things were moving along as they were and you know, we didn't feel any particular need to say a ton about it at the time because things were going well. But recently this year, we saw releases and actions from European competition authorities that were looking in to app tracking transparency from a competition angle. And we felt kind of missed the mark in their thinking about how this tool implicated the privacy interests of users versus the interests of publishers and advertisers.

B

So that's a great overview and I appreciate it. Two quick asides. First, you said something to the effect of it's been really hard to be a privacy advocate low these last decade or two. It hasn't been easy to be a privacy officer or even involved in privacy over the last two decades. Although I would imagine your role has been even more difficult. But it's tough all over here in the privacy world. My second observation was originally made by a guy named Eric Sufert when he was looking at att. And I thought he made a really apt comparison. He said Apple went and robbed the mob's bank. And I think that there's a whole bunch of there's a whole bunch of nuance into that. But I think that at the bottom line is, well, the ad tech community, the tracking community is not necessarily the most sympathetic participant in the, you know, the larger digital media ecosystem. Now they do help fund content and we can have a discussion about, you know, at what cost. But I will concede that they are not always the most sympathetic group of folks. But I wanted to get into the substance of the article first. It seemed like EPIC was drawing a distinction between third party tracking and first party personalization. Do I have that correct? And I guess if I'm right, why are those distinctions meaningful?

C

Sure. I think there are a lot of really important differences between first party and third party data uses that are reflected in pretty much every privacy regime set of privacy principles going back for 50 plus years. And you know, first and foremost is the limitation and sort of use and disclosure principles that are embodied in laws like the GDPR or like the California Privacy Protection Act. Right. A transfer to a third party or collection and onward use and transfer. A third party party in some cases is literally defined as a sale under California law. But even if it isn't, it is a shift in the context and implications of a use of a person's data. Right. First party data uses are at least uses by an entity that an individual intentionally interacts with.

B

Right.

C

And I think that's an important distinction.

B

Fair. Although I would question whether that distinction is nearly as meaningful in the context of ELAW as it is in US law. Because when you go first party third party, whether you like this or not, you're almost citing the Digital Advertising alliance code. I mean that's sort of the been the embodiment within the ad space that first party up until fairly recently got a free pass and then third party kind of had to do all these extra things. But I will acknowledge that there has been a distinction in US law. My curiosity is whether you think that equally applies to eu.

C

I mean as a US based lawyer, I can't pretend to be a like ultimate expert on EU law. But I guess what I will say is that I think the principles enshrined in the GDPR reflect limitation on purposes of processing. They reflect the, you know, relationship between the data subject and the data controller or processor. And ultimately like there, there are differences between the legitimate bases and purposes for which different types of controllers or processors process data. And there is a difference between the first party user relation subject relationship and the third party subject relationship. And I also think that it's different to say that there is A distinction between first party and third party processing versus saying first party ad processing uses are all okay in all circumstances. Which is not what I'm saying.

B

Sure. Yeah. And I, and I, I hope that I wasn't implying that that was what you were saying. So I guess that might be the first point where we have, We've got a little bit of disagreement in how we're looking at things. I, I would argue two things and I would love your response. But you know that EU focuses much more on specifics of evaluating each processing activity and less about the distinction between first and third party. And then my second observation would be if you look at the competition and markets authority, and I've been rather critical of them, but the one thing they do pretty well over there is issuing reports and their 2020 report. When they define tracking, they did not distinguish between first party and third party tracking as being meaningfully different.

C

Yeah, to take those in order, I think that, you know, it is focused on the type of processing. But I guess my answer is to say I think these are two sides of the same coin and that further processing by parties that are further removed from the data subject is a different type of processing and a different type of purpose. And in particular processing of data across of a user across different apps and services, that particular type of personal data and how it can be used to build profiles of individuals, which is what third party ad tracking companies do, is both a different type of processing and a different type of data and implicates and poses, I think uniquely acute risks for individuals.

B

Okay, well, fair enough. And I think you had a second point.

C

Yeah. And I think, look, there's been a variety, there's been a range in approaches to tracking, profiling, online behavioral advertising, targeted advertising. We've seen in the US Certainly a bunch of different definitions, a bunch of different approaches. I don't think anyone's found one single like framework or solution. You know, I'm biased in that EPIC has put out, you know, model language here in the US at the state level that we think works, but we've certainly seen a range of approaches. But I do think kind of back to my prior point that there is a difference with cross app site. Cross source tracking is a different type of profiling activity than single source, single context.

B

Okay, well, fair enough. I want to move on because your article goes into a whole bunch of different points. So another thing that you talked a bit about was the, the recognition of the importance of effective privacy controls. So help us distinguish the privacy controls in place pre att with the ones in place as a result of att, you know, how were they different? Why is that important? And then how can the business community apply those types of learnings more generally?

C

I think first thing I'll say, and maybe this is a bit provocative, but in my world probably not, is that I don't see consent mechanisms as they get applied in most online contexts right now is a real privacy control. I think the implementations of cookie consent of other just in time consent notices in general have been quite awful for decades. They're kind of aggressively, I know to say anti user, but we've certainly seen lots of dark patterns, lots of circumstances where it's pretty clear that the mechanism is structured and designed specifically to disincentivize the user from engaging with it and to feel pointless and futile to pop up all the time to annoy the user into clicking yes to be in every way possible an anti privacy control. I guess I would say one thing that I think is importantly different about how ATT functions is it is a single choice that persists, you know, in a particular context. Right? In the context of a user's engagement with their own device across apps and services. I do think that that is fundamentally different and really in line with what we've seen here in the US is the push for universal opt out mechanisms. For example, you know, ATT is not considered currently a universal opt out mechanism, but I think that is a shared DNA of function there.

B

So I, I think we agree. I think that consent mechanisms have the propensity to be gamed in a whole bunch of different ways. I've gone as far as to say that they really aren't helping any of the constituencies, particularly the EU tends to have a, a very myopic view that, you know, consent is like the first thing they pull out of the toolkit often. And I think that's a mistake. I've had Tobias Juden from the Data Tilson on the Pod and we went back and forth around the possibility of even outlawing behavioral advertising in Norway, which I'm kind of in favor of, if only because it's an admission that the current system and process just isn't working for anybody. And in my view, like, sure, try that now, I certainly don't want to be the one to, you know, I, I don't have to deal with the economic consequences of that in the same way that the publishers do, but from a pure experimentation standpoint, I'm wildly in favor of that. So I, I would tend to agree that, that those types of choice Mechanisms are, we'll just say, problematic. And there is something nice about a very clear mechanism. But what I want to get into a little bit is how Apple is pushing that consent mechanism. Your paper seemed a bit dismissive of the notion of I'm going to use air quotes here, which nobody's going to see, but double opt in requirements and that it was EU data protection law requiring this and not Apple. And so help me understand your thinking there.

C

Sure. So the way that this, this part of the paper in specific was in response to the analysis in the French competition authorities sort of, you know, published analysis from earlier this year that framed this function of the ATT system as triggering, causing whatever you want to call it, quote unquote, double consent, as you say. I don't actually think one, I don't think it's double consent because first of all there's a question for the user about whether they want to allow any of the apps on their device to, to track what is happening across different apps and services. And if a user says no, as you said at the top of the pod, IDFA is turned off. The device itself essentially deactivates functions of cross app tracking. It doesn't make it impossible, but it makes it more difficult for third parties to track or to ask for per app permission for cross app tracking. The double comes in when an app itself has its own CMP consent management protocol or a process for per user that comes up maybe when you sign up for an account, depending on how the app implements it, that essentially that app is asking for permission, that cmp, that consent flow is exactly the thing I'm describing as not a real privacy mechanism, also not required by EU law. Right. EU law does not require a cmp. Apps decide to implement a CMP to take advantage of the GDPR consent basis for processing. But that's not the only basis for processing. And also we've seen in the years over the Facebook meta litigation that companies will try all different forms of legal basis as an assertion of particularly basis for processing. That's not consent. So yes, if an app chooses to implement a CMP as its legal basis for processing eu, then a user will go through two prompts, but those prompts are different and they accomplish different things, I guess, in my view. So, and again, Apple is not requiring companies to implement a cmp. They choose what legal basis to use for their processing.

B

Okay, so a lot here which, which is great. So my first thought is, all due respect to Meta and Google and even sort of to Apple, how they manage the GDPR and EU data protection law is sort of an interesting curiosity to the rest of the digital media world. But like, I don't know that you can find a single app publisher who went from contractual necessity to legitimate interest to consent. I mean, that's a, that's a meta thing and, and they have their reasons for doing that. But the main point that I, I'd like to make here is that it's not necessarily optional for apps to ask for that additional consent. I mean it, it is if you know there's a revenue impact to trying to go live legitimate interest. And I'm not even sure you can do legitimate interest and do any flavor of targeted advertising. And so there's a revenue hit. So it's not like apps, you know, woke up in the morning and decided, well, I'm gonna, I'm gonna float this additional consent mechanism. But I think my broader point is this. Apple imposes att. It dictates how ATT is presented to users. ATT is not sufficient according to EU data protection law to get a consent. So I'm curious, why is that not an Apple problem?

C

My on the French Competition authority's analysis of this, and where I think I most maybe disagreed with it, was the idea that because this ATT prompt is not legally required under the gdpr, it is therefore an impermissible burden on competition. And in my view that is essentially pitting competition interests, in particular the competition interests of ad trackers, not just publishers, but ad trackers, against the privacy interests of users. And I don't think that that is the right way for a competition authority to strike the balance, maybe as the wrong term here, but to weigh the balance of interests. Right. I think that if we go down that road, any privacy protective system design setting can be framed as a danger to industry that is interested in collecting and monetizing people's data. And therefore any privacy protective action by a company with large, you know, key market share or control over device, platform, et cetera, is going to be framed as anti competitive, you know, abusive of market power. And that ultimately, and I think this back to your first question is, was what, what really triggered this blog post is I think, destructive to privacy.

B

Okay, fair enough. So a couple of things I would take issue with and the last you just talked about. So the first is it it's easy to hold out. Well, this is beneficial to the trackers, but it's also beneficial to publishers, otherwise publishers wouldn't be using the trackers. And so, and I would disagree with your characterization that you that the, that the French competition authorities said that the, the issue was that ATT was insufficient. What they were saying was there was, there were different means that Apple might have used to combat this issue, so it lacked proportionality. But what I'm saying is that if Apple had chosen to make ATT's disclosures sufficient so that they would constitute a consent, that a second consent would not be required. Ergo, it's a double consent, I think.

C

So I'll start with the second point. I think that the implementation of, you know, as you alluded to earlier, like most publishers, most app developers and media companies working in the EU have had to develop a consent, some form of consent management protocol system. There's different flavors of that. I think the idea that that system for all publishers would be managed by a single platform on the device level seems pretty unrealistic because it's not one size fits all. So I don't know that that works. I mean, I'm sure that someone could try to develop that. I think they're free to do so, or you can pitch it to Apple. But it seems that doesn't seem particularly practicable to me. And so in that sense, like, I don't know that the solution, envision solution as a solution. I think in reality what would happen is ATT would just go away. We wouldn't have it anymore. I don't think there's a scenario where Apple is going to develop a unified CMP that then like wraps ATT into it. And if it did, then what would ATT become? Right? ATT would just become like one more of 15 settings buried in a CMP and then it wouldn't actually be effective anymore.

B

Well, okay, I would maybe challenge the one size fits all thing because Apple could give publishers some ability to customize how ATT worked and could set baseline requirements. I mean, they've got 30 other criteria by which they use to bounce apps from the App Store. And by the way, that's how things work in the browser world. And again, the elephant in the room here is that if publishers can't monetize via advertising, the next best way to do it is via subscriptions. And Apple gets a 30% vig on the subscriptions.

C

That reminds me to the first point raised in the prior question. I think that this is a, this point about, and what you just said about monetization. I think this point about publishers and monetization is something that comes up a lot in the discussion around privacy, targeting, profiling, surveillance, advertising, whatever set of phrases we're using in a particular context. And I think one thing that think is important for me that I always need to push back on a little bit is that there's a difference between advertising and profiling, cross app tracking and all the forms of sophisticated data extraction and collection and targeting that are happening right now on the Internet. And it's not to say that there's no theoretical additional value to publishers from all that data collection, but I'm very skeptical that that it is all that it is sold to be in part because the folks most prominent in selling the economic benefits of all that tracking are the companies that sell the tracking services. So I'm a little bit skeptical of the value proposition to publishers of marginal personal data collection extraction versus the advertising itself.

B

So I would tend to agree that we are heading headlong into an increasingly Orwellian world. But that is different from a notion that publishers need to be able to have the autonomy to figure out how best to keep the lights on. And I think ATT kind of kneecaps.

C

That this is a multi sided market, right? Publisher are the customers of advertising products. Unfortunately, the market right now is dominated by surveillance fueled advertising products. And I think that is a fundamental threat to privacy and it's been the growing threat to privacy for two decades. And it's bad. From my perspective, epic's perspective, I would like publishers to have different and better options to monetize their products and services that don't require them to track what apps I'm clicking on, what text I'm sending in apps, what sites I'm visiting to track me and profile me all over the Internet. Publishers should be able to sell ad space and support their media without building detailed profiles of everything everywhere that I go and everything that I do online.

B

Fair enough. And now it sounds like all roads lead through Norway at this point. And if that happens, I hope that there is an honest assessment of the impact because I hear you in your skepticism. I will say I don't really know, but I have a hard time believing that a large segment of the publisher community is quite that naive as to say, well, we're going to continue to do this even though we don't know it works.

C

I don't. I mean I think a lot for a lot of publishers. My impression, look, I'm not a publisher and I don't represent publishers.

B

But.

C

But my outsider's impression is that publishers don't have a lot of say in how the ad systems work.

B

Right?

C

They're buyers in this market and the sellers in this market have pretty Dominant control. I mean, we have, we're having a Google Ad search monopoly remedies right session here in the United States this fall and we'll see what happens in that case. But the thing that concerns me about the intersection between, you know, privacy and competition in the Google case in these, you know, CMA reviews of att, is that I don't want to end up in a world where we recognize that there are competition problems in this market and we decide that the remedy is that everyone needs to have access to all these people's data all the time in order to make this ad market fair. That's in my view, a worse world.

B

I completely agree, but I would make the opposite argument and that the output of this can't be that six companies have all the data and nobody has any of the other data because that's not a good outcome either. And so the thing that I'm trying to explore generally within this podcast, and we're touching on this today, I think is how do we find that middle where maybe you aren't going to love it, but you can hold your nose and the publisher community and the digital media world that isn't, you know, the big six or seven is able to continue to survive.

C

And I think one thing I'll come back to about, about ATT and one thing that I think is also not really given full shrift in the French Competition Authority review last spring, you know, is the fact that there is a difference between the advertising service that Apple is doing on its platform, which is to my understanding, informed by data of how people use Apple apps and not how people use third party apps. That is a fairly small universe of information versus what the type of information that these companies had access to about people when cross app tracking was all, you know, wide open season before att.

B

So my understanding is different. My understanding is that Apple uses information from their logged in users, certainly Apple apps. So we agree there. But they also do pull app installs and downloads from third party apps and that Apple's distinction is that they roll that up into large cohorts and I forget if it's a 500 or 5,000 users. So I think that's the distinction that Apple is holding onto. But that sort of begs the question, are consumers because we've talked about publishers, we've talked about Apple, certainly. But how are consumers feeling about this? Do they see a meaningful distinction between one to one tracking and we'll just say one to a thousand tracking?

C

Yeah. And that's I think a really great question. And I'll admit I'm not a pollster and we haven't gotten into the field yet of doing any of our own polling. But you know, my impression from reporting over the last few years since it rolled out is that, you know, people did tend to choose not to track more often than, for example, people choose to kind of click through three levels of CMP to select, you know, strictly necessary only processing. And that's the sort of thing that then the fringe competition authority uses as evidence that this is actually harmful to competition. When it's like, well, actually I think it's a measurement of the fact that CMPs are putting these extra layers on people and actually are a fundamentally less preferential choice than a single mechanism like an ATT or like we'll start to see like a UoM. I think people understand the difference even though it's complicated and we don't expect users to understand everything. I think users get like, oh, this button turns it off versus like oh, if I click these three buttons, then this one time I'm visiting this one website, maybe it'll be kind of turned off.

B

Okay, but it doesn't really turn it off. It turns out everybody else but Apple. And that's an important distinction if you're having this conversation. I think that if you're going to talk about the popularity of the program, you almost have to tease out what the program is. Because if the question is do consumers like tracking in a vacuum, the answer is absolutely no. But if your question is do consumers like third party one to one tracking more than what Apple's doing, there's actually some research out there. I'll leave it in the show. Notes from Columbia and a couple of other places that actually suggest that consumers don't really understand the distinction between the cohort model and the one to one model. So the consumer preference argument I think might not be as strong an argument, at least based on current research, than one would think.

C

I'll note that, you know, as you mentioned, like Apple having data about what apps people purchase and what apps people download in the app Store is still fundamentally different than them having information about how, how long you're using an app, what buttons you're clicking in the app, what, how you're switching between two apps. All of the cross app data that ATT is actually limiting third parties from collecting is very different from download and purchase data.

B

But Apple has taken a very broad stroke and said you're not entitled to any of that information. And number two, we don't really know what Apple's collecting because they don't really tell you. And like every once in a while something comes out. It's like, oh yeah, they're doing this as well. And so I'm less willing to give Apple the benefit of the doubt than I am for just some standard ad tech company. But I think that, and please tell me if I'm putting words in your mouth, but it sounds like the crux of your argument is that because what Apple is doing is, I'll say, less bad than what third party tracking is entailing, that Apple is justified in imposing a different disclosure regime on this third party tracking than it does on its own internal tracking mechanism. And is that a fair way of looking at it?

C

I don't know that that's exactly what I'm saying. I think it's possible to like, I think, look, as a privacy advocate, you know, I want to evaluate the behavior of everyone in the marketplace, but I think that the behavior of Apple as a designer of iOS and the settings of iOS devices, for example, and what those devices do or do not do with respect to people's data is an essential piece of that. I think that adding a setting to devices that give users a choice to turn off cross app tracking to deactivate the IDFA is something that actually puts people in control of other people tracking them. And the fact that Apple is doing advertising based on what apps people purchase and download in the App Store is something that can be evaluated and judged based on its own dimensions. And if you say if we don't trust their representations in their privacy policy on their website, like they should be subject to review and investigation as well, notwithstanding what ATT does. But the idea that ATT is somehow like a roundabout way to pump up Apple's ad product I just don't think is borne out in anything we've seen.

B

Apple's ad revenues since ATT have skyrocketed. I mean, this was entirely. Well, look, not entirely, I don't want to be so cynical, but you know, start from the date of ATT was announced and look at where Apple's advertising revenue is now and it's gargantuan. It has clearly grown as a result of this policy. And just one other data point that might be helpful is there, there was actually a study out of, I think it was USC where they polled 11,000 consumers and they showed them in a vacuum the ATT prompt, which is kind of the scare screen. Do you really, really want third party tracking versus what Apple's prompt was? And unsurprisingly like the number of opt ins for the prompts was like doubled for Apple's personalization prompt. So they kind of set up the system in a way to ensure that people were not going to say yes to third party tracking, but that they were going to be okay with Apple's personalization. Now if you can justify that because you think Apple's personalization is not as good or less bad than the third party ad tech, I can appreciate that distinction. But as a matter of competition law, in my view at least, it's hard to argue that there was not a clear economic benefit to Apple for pursuing this policy because publishers had had really two options. Try to get a consent or go subscription, which again, Apple takes 30% of.

C

The cut, or do advertising that doesn't rely on cross app tracking, which is also what Apple is doing. I mean, I don't know like this, this drives me crazy a little bit because Apple is not doing cross app tracking for their advertising. Right. Are they using cross app tracking?

B

They are pulling app downloads from apps that they do not own or control and using that as part of their targeting mechanism.

C

Purchases from the Apple App Store that they do own and control of products in the Apple App Store in the same way that someone else selling a store would have data about what products people buy in their store. Again, doesn't mean that like that necessarily means the ad practices are fair. But that's not the same thing as tracking. Like, I'm in the Uber app and then I switch over to the Lyft app and now Uber knows that I'm looking at Lyft and now it plugs that into my profile. Or the same thing times a thousand different apps. I just think it's, it's. I don't know. I find this argument, and I've heard this argument in many different ways since ATT rolled out in 2021. I struggle to not see it as a completely cynical argument of the ad tech industry to justify like their own existence. And I don't think it's a pro publisher argument. I think these products get pushed on publishers as like, this is what's going to save you. And it's like again, we're talking about a layer of cost on top of advertising. I don't know, I don't mean to go off on like 10 tangents. Like, I just, I think they're fundamentally different things.

B

I. Yeah, and that, that may be the main point of disagreement. I would argue that just because something's going through your pipes does not necessarily mean that you have an economic interest in it. And it's not like Apple's allowing publishers to opt out from the use of their data for Apple's targeting. I mean, it's not like they're getting a cut of the revenue from the hundreds of millions of dollars or whatever it is that Apple's made. But it is unfair. That would be the one thing I would say.

C

It is unfair to whom?

B

As my question, it is unfair, it is unfair to publishers and it's unfair to the ad tech ecosystem. While you may not like that ecosystem, a large part of the success of Apple's app store was derived from Apple's inviting everybody in saying here's an idfa, you use it as you wish. So you created a vibrant app store or an app environment and then you've.

C

Kind of pulled the rug, I guess. In my view, any privacy protection at the OS level, whether you're talking about iOS, whether you're talking about Android, whether you're talking about some other platform, any privacy protection at the OS level that limits ad tracking in any way under this view is going to be decried as anti competitive and destructive to competition of the ad tracking industry. And that ultimately in my view is a cynical anti privacy perspective. Like that's, that's how I see it. And like where does Apple rank right now in the overall like ad marketplace? What percentage of share of ad marketplace do they have?

B

I don't know. I can put that in the show notes, but I can tell you it has grown exponentially. And so I mean if the, the crux of the argument here seems to be that they are meeting a policy goal on the privacy front and that that justifies some unfair practices on the.

C

Competition front, I think that unfair on the competition front is a loaded term, right? Things can have competitive, anti competitive effects, but whether that's fair or not, and the proportionality analysis that you mentioned I think has to take into account the user's interest in a multi sided marketplace like this, right? Otherwise, to my point, anytime any setting is decreasing the amount of user tracking that can happen, it's going to be labeled as, as unfair to competition. If we don't take in the proportionality analysis of the user privacy interest, in my view, the French competition authority essentially said because GDPR doesn't require Apple to do this, it is therefore not proportionate.

B

Yeah, I think that's another point of disagreement. I think that they were saying that there were alternative mechanisms by which they could have achieved their privacy goal.

C

Right? That's a point of disagreement because I don't agree that they would achieve that that alternative, the mechanism would achieve the same thing if you had a cmp, a unified CMP protocol layer or something. Right. And the att setting is one of 14 settings in the CMP. I don't think it works the same way. Right. I don't think that's the same setting from the user's perspective. Right. We're thinking about a user who cares about their privacy and doesn't want what they clicked on when they opened an app, how long they had the app opened, what five different types of apps they've been using in the last 24 hours to be fed into a profile about them. That user then has to weave their way through. This CMP on a per app basis is just not the same setting.

B

Well, fair enough, but I think your analysis is assuming that the only options are att, a browser based like CMP and there's other options. Right.

C

I didn't see the French competition authority suggesting any. I don't know like the user, if they're. There's kind of in my view either unified option for the at the user device control level or not when it comes to deactivating IDFA or making a single decision across apps and services like if Apple, let me put it a different way, you know, California as I mentioned, and now several, I think maybe it's 12 or more other states in the US several other states in the US have adopted a UOM some form of universal opt out mechanism rule. Right. That has to at least now in the early stages bank apply to browsers. But you could see a future potential implementation in other user agent settings. Right. And that's legally required in the us, not legally required in the eu. Is that unfair to competition in the same analysis to have a universal opt out mechanism?

B

Well, I, I think it, it actually is completely fair provided that a browser manufacturer is not using that opt out mechanism to preference their other ad products. And there's Connecticut and a couple of states have actually come up with anti preferencing provisions within the law. So it is clearly a concern and I don't know why the French competition regulator didn't say and here's four solutions of how they could have done it better. My sense is that regulators often won't do that for a whole bunch of reasons. But one thing Apple could have done is tried to have some level of parity as between the types of disclosures because the tone of what's happening with third party tracking is abjectly different than the tone with Apple's personalization.

C

I think the parity is between the Apple, whatever you want to call it, Apple cmp, the Apple AD personalization settings interface and the per app cmp. That's the parody. They're both companies that have access to certain data about users. Right. The Amazon app.

B

Right.

C

Has access to information about what I'm shopping for, what I'm purchasing, what I'm viewing. There's a privacy flow and policy within the app. So does that the Apple app. That's where you measure parity. I don't think that viewing parity between a third party tracking setting and a iOS and app store setting is the same. I just don't think those things are. I don't know. I don't think you can measure parity between those two things because they're not the same.

B

Okay, yeah, that's just another error. I think we might, we might disagree. I think if you hold up those two streams objectively that they're designed. I mean you started the conversation saying that, you know, large companies tend to game these consent streams and I think Apple is no exception where they have clearly positioned what they are doing to be palatable and what the third party trackers to not be. And so I think that is what the competition authorities were ultimately trying to get at.

C

I mean, put it a different way, the iOS operating system on an operating system level has access to everything the user does. That's not in the secure enclave. Right. But in the policy they are not using all of that data. Specifically the cross app usage data is carved out of the policy in the same way that, so they essentially you could view it as Apple has turned ATT like off for themselves with respect to cross app usage data and then third part use for third parties. Users have this option to say maybe I want a third party to be able to know what app, how I'm using different apps and if so, then I'll click that button and then I'll. I'll click the consent in the pop up. So I don't know, I. That's more of the parody I see.

B

Fair enough. And I'm going to let you have the last word on that. This has been an absolutely fantastic discussion. I really appreciate you coming on and these are exactly the type of discussions I'm trying to engage in here because I think a large portion of my audience is clearly in the ad space and I don't think that they hear enough of commentary spoken as eloquently as you do from our critics. So Alan, I really appreciate you coming on.

C

Thanks for having me. Really nice to have the conversation.

B

Thanks. Well, I was right. That was certainly a spirited discussion. But one place where I think Alan from EPIC and I were in agreement is this. It is really important for industry nerds like me and for advocates to get outside of our respective bubbles and hear from those who have different opinions. One thing I learned years ago from a friend named Rigo Wenning who used to work for the W3C. Rigo emphasized the importance of direct communication with your critics, but he also reminded me, always leave the discussion feeling like you can have a beer with the other side. And I think that's where Alan and I ultimately landed today. Also, I'll take a really smart person calling my views cynical and then eloquently backing up those sentiments every day of the week as it makes for great podcast episodes. All that said, I have a few thoughts. First, a good deal of epic's thinking here seems to be based on two key points. Point one that Apple's tracking is more benign by definition than third party ad tracking, and point number two that this difference justifies Apple's approach. Now, I shared a couple of different consumer studies in the show notes that offer a different perspective, one of them from Columbia University, and that study provides evidence that the types of privacy enhancing technologies or pets that Apple uses here with its cohort ad models do not meaningfully address the privacy issues that consumers really care about. I noted a second study coming out of USC which suggests that Apple's presentation of its own tracking is vastly different than the way it characterizes third party ad tracking, and that this difference in presentation serves almost as a dark pattern to ensure that twice as many users ultimately consent to Apple's type of tracking for personalization. My second thought about the episode. My sense is that Alan was underappreciating the economic impact of ATT on Apple's ad business. I've seen reports that Apple's ad business grew from something like 3.5 billion when ATT was introduced in 2021 to over 6 billion by early 2025. And that doesn't include any additional subscription revenues generated by Apple as publishers are forced to move to subscription models and where Apple of course takes its up to 30% vig. I don't think it's productive to have these types of discussions in a vacuum, as there are clear economic implications in play. Third, I think that the EPIC folks are less willing to recognize that Apple could have taken a different approach to achieve the goals of protecting users privacy, and that Apple therefore failed the proportionality test. As I suggested during the discussion, Apple could have given publishers the ability to customize the ATT prompt language, or Apple could have created something closer to parody regarding how Apple's tracking is characterized versus how third party tracking is characterized. But rather, Apple chose a path that benefited Apple's bottom line, and that makes it harder for them to claim that ATT was entirely about protecting user privacy. And I think that's what the French competition authority, and not to mention the competition authorities in Germany, were really getting at here. My final point is a really important one. Alan implied that the ad tech community doesn't care about publishers and well, if you look at this through a historical lens, there is some truth behind Alan's point. I'm hoping that it's less true than it was 15 or 20 years ago, because the reality is that this is a symbiotic relationship in digital media. Ad tech needs a vibrant publisher community, and publishers need an independent ad tech community to survive. That said, I don't think it's fair or accurate to imply that contextual advertising alone is going to be enough for publishers to keep the lights on. And from my side of the room, hand waving away the economic implications entirely just isn't productive. And it's not just economic implications for publishers. There's some evidence that suggests that consumers pay higher prices and in markets with more exposure to att. Before I conclude the episode, I want to extend a quick thank you to Professor Garrett Johnson, Associate professor of Marketing at the Questron School of Business at Boston University, for his insights on how some of the consumer research I cited in this area Garrett, we gotta get you on the podcast one of these days. We've got a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. Please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts. And thanks for listening.

A

Thank you for listening to the marketecture Podcast. New episodes come out every Friday and an insightful vendor interview is published each Monday. You can subscribe to our library of hundreds of executive interviews at Markitecture tv. You can also sign up for free for our weekly newsletter with my original strategic insights on the week's news at News Market tv. And if you're feeling social, we operate a vibrant Slack community that you can apply to join@adtechgod.com.