Apps That Knew Too Much? Why Privacy Policy Does Matter in App Tracking Contrasting Issues

Elena Strappato
March 7, 2023
Apps That Knew Too Much? Why Privacy Policy Does Matter in App Tracking Contrasting Issues

Much as anonymous and abstract they may seem, digital personal data are meaningful about our personality, tell our life story, and hide our most intimate secrets. Therefore, any discussion about personal data is always involved with privacy concerns and controversial issues.


Since iOS 14.5 brought in the new privacy policy to regulate access to the users’ ID and personal data through their consent, the digital ecosystem has changed into a more privacy-oriented and user-friendly environment. However, some users may be perfectly unaware of how their personal data can still be misused. On the other hand, one might argue that app developers cannot bring out a free and high-quality product and at the same time renounce any form of monetization such as personal data collection sale.


When it comes to personal data - tracked and then sold through the apps we utilize - it is not as easy as it seems to comb through all the facets of such a complicated topic. In this sense, this article aims to discuss the ambivalent sides of app tracking, examining both the role of customers and the role of marketers after the privacy turning point introduced by iOS 14.5.


How Can We Explain App Tracking to Understand Privacy Policy


Apps tracking operations are precious not only to advertisers and app developers but can be advantageous to users as well. On the big picture, apps tracking becomes part of a monetization strategy that allows app developers and advertisers to target ads and customize their apps to guarantee a high-quality and free service to their customers.


On one hand, app developers of free apps may not have any other source of revenue but in-app advertising and in-app purchases to make their ends meet and craft a good product for their clients. Therefore, for instance, in free-to-play mobile gaming apps, app developers utilize users’ exposure to the ads based on their personal data and data collection and then serve inside their apps as part of their monetization strategy. 

Mobile Attribution Tracking


Moreover, when advertisers wish to promote their products or increase their user base, they need to combine several marketing activities with targeted advertising strategies based on app tracking and personal data collection. 

In mobile app promotion, app tracking grows particularly important when it comes to mobile attribution technology in mobile attribution tracking. Users' data allow attribution technology to attribute an app installation or conversion to the specific ad campaign or marketing activity that has generated it to advertisers’ advantage. 


A Matter of “Patterns and Not Identities”: What About IDFA tracking? 


It is important to note that advertisers’ understanding of users’ habits and preferences does not depend on their users’ personal life details or phone numbers since the data collection from apps tracking primarily depends on the client's unique ID or device identifier. In other words, on their IDFA tracking.

With the acronym “IDFA” or “IDFA Apple” – marketers and mobile app professionals refer to the Identifier for Advertisers that is assigned to a user’s device in the iOS ecosystem. It is used by advertisers and app developers to identify users’ device operating systems anonymously, track their personal data and gather information about users’ behaviors and habits on their mobile phone to develop an accurate targeted-advertising strategy.


Furthermore, the IDFA is fundamental for mobile attribution tracking and attribution technology to manage what in jargon is known as “deterministic attribution” - the most accurate mobile attribution tracking performed by the software of an attribution technology to link any app installation, conversion, clicks or impressions, to the marketer or advertising actor that generated it through the unique identifier e.g.., IDFA for Apple and GAID for Google.


App Tracking Transparency (ATT) and the Privacy-Oriented Shift in the IDFA Tracking


In April 2021, when Apple released the latest version of its operating system, iOS 14.5, advertisers were made to change how, shortly after, they would work with the IDFA tracking.


Among the various updates of iOS 14.5, a new privacy-focused framework called App Tracking Transparency (ATT) showed up, forcing advertisers to ask for users’ permission and get their consent before tracking their IDFA (device identifiers). Before, in fact, advertisers were able to understand whether a client was looking for a book on Amazon or for a pair of glasses on some other shopping apps to collect their personal data, and place targeted ads just through the IDFA tracking. After iOS 14.5 privacy turning point, such a process has become more and more difficult for advertisers.


Users can now decide whether to allow or not the IDFA tracking after downloading an app. It is up to them to choose between the opt-in and opt-out options whenever a prompt shows up. Considering free apps or apps whose revenues depend on ads, the general income of their advertisers is likely to decrease if users opt out and do not allow their IDFA tracking. It is through their clients’ ID, in fact, that advertisers can serve personalized and targeted ads.


As businesses state, their interest is in “patterns and not identities” – patterns of behaviors, taste and purchases to target their ideal clients. However, as we will soon see, personal identification without consent is not impossible for those who have access to raw personal data. Even when they are anonymized, personal data can still lead back to identifying individual users.


Location Data: Collecting Whereabouts to Know Who You Are


The IDFA tracking allows advertisers to gather specific pieces of information, also known as location data, based on users’ precise position, enabling app developers to serve targeted ads depending on clients’ geographical location for a considerably more efficient advertising strategy.


Along with other information, such as user searches, the IDFA tracking and location data collection provide information shared by apps with data buyers. These mobile location companies analyze, share, and finally sell location data to advertisers. The latter need insights into consumers’ behaviors and habits to develop a location-targeted advertising strategy.


As the New York Times reported in an inquiry into location data in 2018, some users are conscious that some apps can track their precise position. However, they may not be perfectly aware of them snooping on their daily habits or private lives through their movements, especially with respect to some purposeful apps such as jogging or running apps. Our movements – and the private and personal maps they create - are not simply geographical coordinates but tell our preferences and tastes. 


To put it simply, location data consist of personal information based on people’s precise position and movements that companies track, store, and sell every time users allow them to do so. Customers sharing their position will receive local news or weather forecasts, as other information needing their precise location. Subsequently, app developers will analyze and sell personal data collection for advertisers and marketers aimed to get a deep insight into users’ preferences or habits and design customized ads.


“We look to understand who a person is, based on where they’ve been and where they’re going, in order to influence what they’re going to do next,” said an executive in the New York Times interview.  


We are talking about anonymized and aggregated data, in other words, stripped of their identifying user information that should appear only in the form of statistics made on a geographical basis. Therefore, they are not supposed to release information about names, phone numbers, or other precise identifying information or personal data. Moreover, companies can use location data in multiple ways and adopt many different approaches.


Some companies may want to delete a considerable part of personal data for privacy reasons. However, anonymizing location data does not ensure that individuals accessing them for whatever reason won’t ever access raw location data and identify a person by following private movements they want to keep secret.


When Safety and Privacy Concerns Need to Go Arm in Arm: The Case of Period-Tracking Apps


In the NYT inquiry, some interviewees seemed to cope with the idea that some apps needed to track their movements and get their location data to get what they wanted. We are talking about apps whose purpose depends on location data and IDFA tracking. In other words, “tracking” is what users ask them to do: tracking calories, sleep hours, morning runs…and menstrual cycle. 


With period-tracking apps, i.e., apps that track menstrual cycles, we refer to a subcategory of mobile health apps (mHealth) that not only has to do with women’s sexual and reproductive health. In the United States, since Roe v. Wade was overturned, demands for privacy and safety have grown critically more and more crucial. 


Period-tracking apps have become even more popular since the Supreme Court set aside Roe v. Wade, taking away the constitutional right to get an abortion. They did improve their ranking nearly by 48% with breakneck speed – especially two app leaders such as Stardust and Clue. At the same time, people needing an abortion started to feel more vulnerable to privacy threats. In such a climate, personal health data regarding women’s sexuality, among the most intimate and sensitive, risk being weaponized and used against women seeking for an abortion practice. 


Personal health data stored by period-tracking apps can tell when your period stops and starts, and so reveal confidential information about your pregnancy. For this reason, it is pivotal for users to understand their period-tracking apps’ privacy policy regarding their personal data collection and monetization. In this case, the concept itself of consent to the opt-in option for the IDFA tracking and the collection of location data may become obsolete and less meaningful since it is women who ask for these app-tracking operations to track their period. 


On the other hand, there is no federal law protecting sexual and reproductive health-related information. App developers can choose to share personal data either with the third parties companies they work with or with authorities on request without any notification to users. 


App developers of free period-tracking apps are more likely to share users’ device IDs with advertisers and track users because they need to collect advertising data to generate revenues and guarantee a higher-quality and more accessible service. Unsurprisingly, paid apps can be safer since they do not need to track their users but are also less accessible to anyone.  


On the other hand, women’s personal data can also be used for medical research, to unravel the riddles of female health. Bearing in mind how women’s health and care is underrepresented in medical research, such a collection of personal data can even represent a great opportunity to improve our insights into female health and reproductive well-being.

As Evan Green, the director of the digital rights advocacy group Fight for the Future has lately said in an interview, “any app that is collecting sensitive information about your health or your body should be given an additional level of scrutiny”. 

No Clear-cut Conclusions When It Comes to Personal Data, Privacy and App Tracking

When it comes to discussing personal data treatment in relation to such sensitive issues, like period-tracking apps and the potential threat represented by the mistreatment of data collection, any clear-cut and unambiguous opinion tends to be simplistic. 

Collecting personal and location data does not necessarily represent the great evil, they can even be a useful resource to do research and improve knowledge. They also allow app developers to put on the market more accessible and well-working products.  

However, users should not get to the point of bartering their personal data security for accessibility. In this sense, we are not stating the obvious if we demand regulations that outlaw the mistreatment of personal data and safeguard the right to privacy, accessibility, and health. Both marketers and customers would benefit from it.