The EU Has a Plan to Fix Internet Privacy: Be More Like Apple

Lawmakers want all websites to use a similar “Ask App Not to Track” function, but Apple's system might not be as clear-cut as once believed.

Like millions of other internet users in Europe, when Alexandra Geese, a German member of the European Parliament (MEP), wants to read something on the internet, she first has to open and scroll through several options to refuse to share her data with third-party advertisers. Europe’s landmark privacy law, the General Data Protection Regulation (GDPR), means websites have to ask users for consent to be tracked online. But many companies make refusing consent much harder than granting it, meaning Geese’s search to opt out can take more time than she intended to spend on a website. “The problem with the current GDPR is that it's not being enforced properly and therefore people don't have a real choice,” she says.

Geese is among the European lawmakers currently drafting some of the world’s strictest rules against technology companies in an attempt to fix the opt-out function of the internet.

As MEPs pondered how to give that real choice to European internet users in January, an existing system developed by Apple was presented as a possible template for reshaping the internet. In 2021, the tech giant introduced a new privacy pop-up that it said would give users a real choice about whether they want to be tracked. The feature gives iPhone users two very simple options when they download new apps—“Ask App Not To Track” or “Allow.” Statistics that showed up to 98 percent of iPhone users took this opportunity to opt out were taken as evidence by some MEPs that people would choose to protect their privacy if they had the chance. “I really believe that privacy shouldn't only be an option for people who can afford premium devices or premium Apple products,” says German MEP Tiemo Wölken, from the Progressive Alliance of Socialists and Democrats.

Now European lawmakers want to apply Apple’s idea across all major online platforms—a definition that includes online marketplaces, app stores, and social media platforms—and force them to display simple options when people first visit a website. On January 20, a majority of MEPs voted in favor of an amendment to the Digital Services Act (DSA), which stated that refusing consent for ad tracking should be no more difficult or time-consuming than providing it. Another amendment proposes banning dark patterns—design choices that try to influence a user to consent to tracking. For proposals to make it into the final version of the DSA, they must be approved by the European Council, which represents heads of government in the 27 member states. If proposals survive these negotiations, they could become law as soon as the end of this year.

But recent revelations about Apple’s once-lauded system show it is not the clear-cut option EU lawmakers might have hoped for. It is vulnerable to workarounds, and the “do not track” option does not block all tracking from advertisers. Since the tracking changes rolled out in July, companies such as Snapchat parent Snap and Facebook have been sharing user signals from iPhones, as long as that data is anonymized and aggregated. Apple said developers are not allowed to use signals from the device to try to identify a user, but this has not stopped advertisers from gathering anonymous data to target users. An Apple spokesperson says these rules “apply equally to all developers.”

A Snap spokesperson said the company has designed privacy-protective solutions that measure “aggregate conversion data, without tying off-platform activities (like installing an app or visiting a website) back to specific Snapchatters.” Facebook declined to comment.

It’s unclear whether Apple has endorsed these techniques, but it means that if users are under the impression that Apple's new rules mean all tracking has now stopped, they are wrong. Regulators have made note of that fact. In December 2021, Poland’s competition regulator addressed some misconceptions about Apple’s App Tracking Transparency feature. “This does not mean that users’ information is no longer being collected and that they do not receive personalized ads,” the regulator, known as UOKIK, said at the time. Apple also faced an in-depth probe in France to determine whether the privacy change will harm advertisers.

Advertisers say they are developing this new generation of tracking tools in collaboration with tech platforms—not as workarounds to their rules. “All the GAFA [Google, Apple, Facebook, and Amazon] have proposed some ideas and suggestions and offers in order to target people without cookies,” says Sébastien Emeriau, chief strategy officer of advertising agency Havas Media France. Google has introduced Federated Learning of Cohorts (FLoC), a system that tries to give advertisers a way of targeting ads without revealing information about individual users by grouping people together according to their interests. Meta’s CAPI system, or conversion APIs, cross-references brands’ data from their online stores, for example, with information from Facebook profiles to help with targeting. “[CAPI] is a way to target more precisely without using cookies,” says Emeriau, adding that “Google is about to put together some audience segments that are very small, but also very coherent, and then you can target them.”

The accuracy of these new tracking tools has already sparked concern among groups who oppose targeted advertising. Google’s FLoC has been labeled a “terrible idea” by US digital rights group The Electronic Frontier Foundation (EFF) because it acts like a “succinct summary of your recent activity on the web.” The EFF has warned against replacing third-party cookies with a new system where a “user’s behavior follows them from site to site as a label.”

If Europe were to impose a system similar to Apple’s across all online platforms, internet users might think they were getting comprehensive tracking protections when in reality tracking would continue via workarounds and new techniques. MEPs in favor of switching to an Apple-inspired internet say they are aware of this risk. But Wölken believes the DSA would be more resilient to workarounds than Apple’s system because the legislation would be enforced by a government regulator, not a company acting in its own interest. “It's a company's business decision to offer this option to its users,” he says. “It can be changed at any time.” Under the EU Parliament’s proposals, both national authorities and the European Commission would be able to enforce the DSA. “What we see is that the enforcement chapter in the DSA is stronger than the one that we know from the GDPR because it's slightly more centralized,” says Jan Penfrat, senior policy advisor at EDRI, a Brussels-based digital rights group. “So the European Commission would have the power to take on cases when they see that national regulators aren't up to the task.”

In short, it may take time and it may not be perfect, but MEP Geese argues the DSA would be an important first step toward fixing the current system if the EU Parliament's version of the law is passed. Unforeseen workarounds are not something they can legislate against at this stage, she says. “We will cross that bridge when we get there, you can’t foresee everything.”
