Apple Privacy News

The European Commission fined Apple €500 million for violating the Digital Markets Act by preventing app developers from steering users to alternative purchasing channels outside the App Store. Apple was ordered to remove the anti-steering restrictions within 60 days. Apple announced it would formally appeal the fine.

Apple disabled Advanced Data Protection for iCloud in the United Kingdom after the UK government demanded backdoor access to encrypted user data under the Investigatory Powers Act. New UK users can no longer enable the feature, and existing users were required to disable it. Apple stated it would 'never build a backdoor' but complied by withdrawing the feature entirely rather than weakening its encryption.

Apple agreed to pay $95 million to settle a class action lawsuit alleging that Siri recorded users' conversations without their knowledge or consent, and that some recordings were shared with third-party contractors for review. The settlement covered owners of Siri- enabled devices purchased between September 2014 and December 2024, with eligible claimants receiving up to $20 per device for a maximum of five devices.

Apple unveiled Apple Intelligence at WWDC 2024, emphasizing a privacy-first approach to generative AI. The system processes most requests on-device using Apple silicon, and when cloud processing is needed, routes data through Private Cloud Compute — custom Apple silicon servers with a hardened OS that cryptographically guarantees user data is not stored, logged, or accessible to Apple after fulfilling a request.

Apple began enforcing privacy manifest requirements for all new and updated App Store submissions. Apps and third-party SDKs were required to include privacy manifest files declaring data collection practices and providing approved reasons for using listed APIs. Submissions that failed to include valid privacy manifests were rejected by App Store Connect.

Apple announced sweeping changes to iOS, Safari, and the App Store in the European Union to comply with the Digital Markets Act. The changes, effective in March 2024, allowed sideloading apps through alternative app marketplaces, alternative browser engines not based on WebKit, and alternative payment processing. Apple introduced a new fee structure including a 'Core Technology Fee' of €0.50 per annual app install above one million.

Apple tightened App Store privacy rules, requiring developers using certain APIs to provide approved justifications or face app rejection. The updated guidelines specifically targeted fingerprinting techniques that apps and SDKs used to covertly track users by accessing device signals like disk space, boot time, and active keyboards without a legitimate purpose.

At WWDC 2023, Apple announced privacy manifests and required reason APIs, mandating that developers declare exactly what data their apps and third-party SDKs collect and justify their use of sensitive system APIs. Apple also introduced enhanced Safari tracking protections and Private Browsing that locks automatically when the browser is not in use.

Apple officially abandoned its controversial plan to scan iCloud Photos for CSAM, stating that 'children can be protected without companies combing through personal data.' The reversal followed over a year of sustained criticism from privacy researchers, civil liberties groups, and cryptography experts who argued the system could be exploited for broader surveillance.

Apple introduced Advanced Data Protection for iCloud, extending end-to-end encryption to 23 data categories including iCloud Backup, Photos, Notes, and iCloud Drive. With the feature enabled, only the user's trusted devices hold the encryption keys, meaning Apple itself cannot access the data even if compelled by law enforcement or in the event of a cloud breach.

Apple announced Lockdown Mode, an extreme security feature designed to protect users targeted by state-sponsored mercenary spyware such as NSO Group's Pegasus. Lockdown Mode strictly limits attack surfaces by blocking most message attachment types, disabling link previews, restricting web technologies, and preventing unknown device connections. It shipped with iOS 16 in September 2022.

Apple began enforcing a new App Store requirement that all apps supporting account creation must also provide an in-app option for users to delete their account and associated personal data. Apps failing to comply were rejected or removed from the App Store. The requirement, originally announced in January 2022, was extended to June 30 to give developers more time to implement the feature.

Apple launched Communication Safety in Messages in the United States with iOS 15.2, which detects and blurs sexually explicit images sent to or by children's accounts in family groups. Unlike the shelved CSAM scanning proposal, Communication Safety processes images entirely on-device and does not report to Apple or law enforcement.

Apple released iOS 15 with Mail Privacy Protection, which prevents email senders from using invisible tracking pixels to determine whether and when users open emails, and hides users' IP addresses. The feature disrupted the email marketing industry's reliance on open rate metrics by preloading email content through proxy servers regardless of whether the user actually opened the message.

Apple announced plans to scan iCloud Photos for known child sexual abuse material (CSAM) using on-device hash matching before upload, along with Communication Safety features for Messages. The CSAM scanning proposal drew immediate backlash from privacy advocates, security researchers, and civil liberties organizations who warned it could be repurposed for government surveillance.

At WWDC 2021, Apple announced iCloud+, a premium subscription tier bundling iCloud Private Relay and Hide My Email with existing storage plans. Private Relay routes Safari traffic through two separate relays so neither Apple nor network providers can see both who a user is and what sites they visit. Hide My Email generates unique, random email addresses that forward to the user's personal inbox.

Apple launched App Tracking Transparency (ATT) with iOS 14.5, requiring all apps to obtain explicit user permission before tracking their activity across other companies' apps and websites. Studies showed the majority of users opted out of tracking, significantly disrupting the mobile advertising industry and costing platforms like Meta billions in lost ad revenue.

Apple began requiring all apps submitted to the App Store to include privacy nutrition labels disclosing what data they collect, how it is used, and whether it is linked to users' identities. The labels appear on each app's App Store listing, giving users transparency before downloading.