Apple called upon to provide greater clarity on its use and disclosure of unique device identifiers for targeted advertising

PIPEDA Report of Findings # 2013-017

November 20, 2013

An individual alleged that Apple was using and sharing her personal information in the form of a unique device identifier (UDID) without her knowledge and consent for tracking purposes.

Apple assigns a UDID to each iPhone, iPad and iPod Touch (iOS Devices) prior to sale. The company maintained that a UDID was not personal information because it alone couldn’t be used to identify a user. However, our investigation revealed that Apple also had access to Apple ID account details for each iOS Device user. We therefore viewed UDID as personal information.

Apple explained that it used UDID for administrative and maintenance purposes. In that context, we did not consider UDID to be sensitive information and we were satisfied that Apple had adequately explained such practices via general explanations in its privacy policy.

On the other hand, we found that UDID was used by Apple, and disclosed to third party app developers (via Apple’s iOS operating system), for the purpose of delivering targeted advertising to iOS Device users. In that context, we viewed UDID to be sensitive personal information as it could be used to create a detailed user profile, similar to a persistent cookie. While we found that Apple offered easily accessible opt-out options regarding the use of UDID in the delivery of targeted advertising, we found Apple’s explanations (which were comprised mainly of broad generalized statements in its privacy policy) to be insufficient. As a result, we recommended that Apple provide notice in a clear and prominent ‘just-in-time’ way to shed proper light on the practice for users.

During the course of our investigation, Apple ceased using UDID for advertising and phased out the disclosure of UDID to app developers. Apple replaced UDID with Ad ID, for advertising. Apple then added the option for users to easily and immediately reset Ad IDs which effectively erases a user’s history tracked by the identifier and shared with advertisers. Further, we were pleased to see that Apple implemented, in iOS 7, our recommendation that users be able to more easily find switches within their iOS Device privacy settings to reset that Ad ID and opt-out of receiving targeted ads.

Because of these developments, and because of Apple’s general explanation about the functioning of Ad ID in its privacy policy supplemented by a more specific explanation available via a link in device privacy settings, we found the complaint to be well-founded and resolved.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. The complainant alleges that Apple Canada Inc. (“Apple”):
   1. treats unique device identifiers as non-personal information when, in fact, they are personal information; and
   2. uses and discloses her iPhone’s unique device identifiers without her consent, particularly for the purposes of tracking.

Summary of Investigation

Definitions

2. The definitions below will apply for the purposes of this report of findings:
   1. “App” means an application designed for use on an iOS Device;
   2. “App Store” means Apple’s online store for iOS Device Applications;
   3. “Apple Services” means services provided by Apple and accessed with an Apple account (e.g. iTunes, iCloud, App Store, iMessage);
   4. “API” means an Application Programming Interface, the specifications for development of Apps for iOS Devices pursuant to terms and conditions in the PLA - there are many APIs, each for use by App developers to access specific functionality on the iOS Device;
   5. “iOS Device” means an Apple device designed to operate on Apple’s iOS mobile operating system (i.e. iPhone, iPad or iPod Touch);
   6. “PLA” means the iOS Developer Program License Agreement, the terms and conditions pursuant to which App developers may use the APIs and other Apple software and services; and
   7. "UDID" is a 40-digit alphanumeric hardware-based unique device identifier. It is set by Apple prior to sale of the iOS Device and cannot be erased or changed.
3. The facts and analysis below are based on representations provided by Apple both prior to and after the issuance of our preliminary report of investigation. Information provided by Apple subsequent to the issuance of our preliminary report of investigation and changes to our analysis resulting from that new information are included throughout this report of findings as “Updates”.

Background

4. The complainant relayed her concerns, as summarized in paragraph 1 above, to Apple’s Privacy Office via email (to privacy-ca@apple.com) in December 2010.
5. Apple responded to the complainant’s e-mail indicating that it believed its Privacy Policy to be in compliance with Canadian law, and that any user of the iTunes service who had updated the software on their iOS device within the past six months had expressly accepted this Policy.
6. The complainant subsequently filed a complaint with our Office under the Act in January 2011.
7. During the course of our investigation, our Office determined that given the nature of the issues raised in this investigation, a meeting with a technical professional from Apple would assist in our analyses. A technical representative from Apple visited this Office in August 2012 to explain: (i) Apple’s uses and disclosures of UDID; (ii) the planned partial deprecation, or phasing out, of UDID; and (iii) relevant changes that were to be rolled out with the release of iOS6 in the fall of 2012.
8. In March 2013, our office issued a preliminary report of investigation wherein we: (i) expressed several concerns to Apple arising out of our investigation; and (ii) made certain recommendations with a view to bringing Apple into compliance with the Act.

Uses of UDID by Apple

9. Apple indicated to our Office that it treats UDID as personal information under the Act only if and while it is combined with other information about an identifiable individual.
10. At the time the complaint was filed, Apple’s Privacy Policy read in part:

    Collection and Use of Non-Personal Information

    We also collect non-personal information − data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

    • We may collect information such as . . . unique device identifier . . . so that we can better understand customer behaviour and improve our products, services, and advertising (emphasis added).
11. Apple maintains a record of every UDID assigned to an iOS Device. The UDID is added to this record prior to the iOS Device being shipped for sale. While the record does not contain any other customer information, Apple does have the ability to link the UDID to an identifiable individual. Under limited circumstances (i.e. fraud, customer support or when compelled as part of a legal proceeding), Apple does link UDID with other personal information associated with a customer’s account, such as name, address and email address.
12. The following is a list of all material purposes for which Apple currently uses theUDID:
    1. Administration and Maintenance:
       Apple provided a detailed explanation of the various ways in which it uses UDID for administration and maintenance purposes. Such uses include fraud detection, file back-up and re-installation, and access management for new iOS Device services.
    2. Personalization: Apple does not use UDID for the purposes of tailoring delivery of Apple Services to iOS Device users (e.g. to remember language preference or make music suggestions in iTunes). User activity is tracked by Apple within each authenticated Apple Service, using Apple Account information, to permit Apple to provide and improve that service.
    3. Advertising:

       How Apple used UDID for advertising

       1. iAd is Apple’s mobile advertising platform.
       2. Before the release of iOS6, on September 19, 2012 (the “iOS6 Release”), iAd used the UDID to help serve interest-based ads. Each Apple Service would, using the iOS Device: (i) tie preference data (i.e. user activity within that Apple Service on the iOS Device, not including web browsing activity), along with iTunes Store demographic data in respect of the user, to the UDID; (ii) use that preference and demographic data to associate the user with one or more iAd-defined ‘buckets’ (e.g. “gamer” or “reader”); and, (iii) send the UDID, along with a list of buckets with which the user has been associated, to iAd. iAd does not use UDID for the serving of ads to iOS Devices operating on iOS versions 6 or later.

       How Apple Notified Users of its use of UDID for advertising

       3. Apple describes its interest-based advertising practices in the “Cookies and Other Technologies” section of its Privacy Policy:
          
          “Apple and its partners use cookies and other technologies in mobile advertising services to control the number of times you see a given ad, deliver ads that relate to your interests, and measure the effectiveness of ad campaigns” (emphasis added).
          
          Update 1: Apple asserted, in its response to our preliminary report of investigation, that iOS Device users are able to obtain further information regarding its use of unique device identifiers in the “Collection and Use of Non-Personal Information” section of its Privacy Policy:
          
          “We may collect, use, transfer, and disclose non-personal information any purpose.”
          
          “We may collect information such as . . . unique device identifier . . . so that we can better understand customer behavior and improve our products, services, and advertising.”
       4. The iTunes Store also aggregates certain information, in a manner that it is not attributable to an identifiable individual, and provides it to iAd for the purpose of analytics. For example, the iTunes Store may share with iAd that thirty percent of iPhone users within a specified demographic group are “gamers”.

       Users’ ability to opt out of Apple’s use of UDID for advertising

       5. Apple provides iOS Device users the ability to “opt out” of receiving interest-based ads via the link http://oo.apple.com. This link is accessible in the “Cookies and Other Technologies” section of Apple’s Privacy Policy. There is a link to the Privacy Policy on every page of Apple’s website. Apple also provides instructions on “How to opt out of interest-based ads from the iAd network” in the “Support” section of its website. Apple indicates that opting out in this way takes effect for all iOS Devices attached to a particular Apple Account. Opting out also results in the exclusion of data related to those iOS Devices from the aggregated data provided by the iTunes Store to iAd. As explained below, with the release of iOS6, users can also opt out of the receipt of interest-based ads from iAd through the use of the “Limit Ad Tracking” switch. In iOS 6, this “switch” is found in the iOS Device Settings under “Advertising” settings, which are found under the “About” tab, which is in turn found under the “General” tab.
          
          Update 2: Apple has confirmed that with iOS 7, the Limit Ad Tracking option is now available under Privacy settings.

App Developer Access to UDID

13. Apple created iOS which runs on the iPhone, iPad and iPod touch devices. Apple indicates that iOS is analogous to traditional operating systems that run on personal computers, such as Windows and Linux.
14. While iOS is the underlying software that controls certain aspects of device operation, a user can choose to download additional Apps to add a broad range of customized functions to their iOS Device.
15. When a customer chooses to download an App from the App Store, he or she is downloading a software program, distributed by Apple from its App Store servers but designed by a third-party App developer. The extent to which Apple is involved in the functioning of the App and the information handling practices of the App developer is limited, as outlined below:
    1. App review - Apple performs a live, human review of all Apps before approving them for inclusion into the App Store. Apple does not, for various legal and practical reasons it explained to our Office, obtain access to the source code that would reveal whether the App collects data or shares such data with third parties.
       Update 3: Apple clarified that it does subject Apps to random audits and performs thorough investigations of Apps where there is reason to believe that they may be violating Apple’s PLA.
    2. Contractual controls - Every iOS App developer is required to consent to the PLA. That agreement contractually precludes App developers from collecting, using and disclosing “user data” and “device data” without prior user consent. It further specifies that developers may only use such information to provide a function or service that is directly relevant to the use of the application or to serve advertising in accordance with the PLA. User data and device data are not defined in the PLA; however, App developers must comply with all applicable laws (including privacy and data protection laws and regulations) of jurisdictions in which they make their App available. Apple indicates that what constitutes “user data” and “device data” may vary according to jurisdiction.
    3. Technical controls - Apple designs and programs iOS. Apple creates programming guides and protocols that explain to developers how their software can interact with iOS, and designs the APIs which are the specific commands and functions that allow third-party Apps to “talk” to and interact with the iOS software on a user’s device. APIs are a part of all current computer operating systems. Third-party developers can pick and choose from hundreds of different APIs when creating their unique applications. While Apple announced that it was deprecating, or phasing out, App developers’ access to UDID in iOS 5, at the time of issuance of our preliminary report of investigation, App developers were still able to access the UDID from an iOS Device by using an API.
    4. Additional technical controls for specific information - Apple has implemented increased controls over access by App developers to location information obtained through Apps. Apple’s operating system has isolated location data such that upon first access by an App to the associated API, iOS will display a consent box to the user. Only after the user accepts will iOS allow the App to access the requested location information. With iOS6, Apple extended the consent model outlined in paragraph 15(c) of this report to control access to contacts, calendar events, photos, reminders and BBS (i.e. Background Bluetooth Services). In addition, iOS6 allows the App developer to add a purpose statement to the consent box. Apple indicates that, from a technical perspective, this approach could be applied to control access by App developers to UDID. Apple also states, however, that it is very mindful of "pop up" fatigue and has attempted to balance the number of potential pop-ups with privacy risk.
16. As of the date of the iOS6 Release, the App Store provides App developers with the option of providing a link to Privacy Statements or Privacy Policies associated with an App, which would be displayed in the App Store prior to download.

Partial Deprecation of the UDID

17. Apple is in the process of partially deprecating, or phasing out, UDID. Apple stated that its decision to deprecate UDID was based in part on concerns regarding misuse of the identifier by third party App developers. While use by Apple of UDID for administrative and maintenance purposes will not be discontinued completely, Apple indicated that access to the UDID API by App developers would be removed in a future release, subsequent to iOS6.
18. With the release of iOS6, Apple has introduced three new separate software-based identifiers - “App ID”, “Vendor ID” and “Ad ID” - each to be used for distinct purposes previously achieved using UDID. Each new ID will be in the form of a random 128-bit ‘Universally Unique Identifier’.
19. Apple continues to use the UDID for administration and maintenance purposes, as outlined in subparagraph 12(a) of this report, after the iOS6 Release.
20. At the time of issuance of our preliminary report of investigation, Apps could still access UDID but Apple indicated that such access would ultimately be discontinued as outlined in paragraph 17 of this report, after which App developers would only be able to access the three new identifiers, for purposes outlined below.
    Update 4: Apple confirmed in its response to our preliminary report of investigation, that as of 1 May 2013, Apple no longer accepts new or updated Apps that access UDID.
21. As of the iOS 6 Release, the PLA stipulated that, for any version of iOS that provides access to the ‘Ad Support’ APIs, an App developer must check a user’s Limit Ad Tracking preference prior to using either the UDID or the Ad ID to serve advertising to that user.

New Software-Based Identifiers

22. App ID: For each App installed on an iOS Device (operating with iOS version 6 or later), the device will create an App ID and provide it to the App developer upon request via the App. The App developer may choose to store the App ID with the App on the device so that, for example, the device can be identified as having already acquired rights to use the App.
23. Vendor ID: An iOS Device (operating with iOS version 6 or later) which currently has no App supplied by a particular vendor (a “Vendor App”) will, after a Vendor App is installed on the device and makes the request, generate a Vendor ID and provide it to the App developer via the App. The Vendor ID will be available to each subsequent Vendor App installed on the iOS Device to allow interaction between Vendor Apps (e.g. achieving a certain level in one game may provide access to bonus content in another game from the same vendor). If all Vendor Apps are deleted from the iOS Device, the Vendor ID will also be deleted.
24. Ad ID: Each iOS Device (operating with iOS 6 or later) generates an Ad ID for the purpose of assisting Apple and others with the serving of advertising. For such devices, iAd will no longer use UDID for serving advertising.

How App developers use Ad ID

25. The iOS6 PLA requires that App developers use Ad ID only for the purpose of serving advertising.

Apple’s notification to users regarding use of Ad ID

Update 5: In addition to the notification outlined in the update to sub-paragraph 12(c)(iii) of this report, Apple explained in response to our preliminary report of investigation that the user of an iOS Device operating on iOS version 6 or later is also able to learn more about the use of Ad ID for advertising purposes, by clicking on the “Learn more” link at the bottom of the iOS Device “Advertising” settings page:

“iOS 6 introduces the Advertising Identifier, a non-permanent, non-personal, device identifier, that apps will use to give you more control over advertisers’ ability to use tracking methods. You can reset a device’s Advertising Identifier at any time. And, if you choose to limit ad tracking, apps are not permitted to use the Advertising Identifier to serve you targeted ads. In the future all apps will be required to use the Advertising Identifier. However, until then you may still receive targeted ads.”

Users’ ability to opt out of Apple’s and App developers’ use of Ad ID for advertising

26. As explained in subparagraph 12(c)(v) of this report, iOS6 provides iOS Device users the ability to “Limit Ad Tracking” in the iOS Device’s settings. If the user chooses to Limit Ad Tracking:
    1. The iOS6 PLA provides that App developers will only be allowed to use the Ad ID for limited advertising purposes. The current list of those advertising purposes includes frequency capping, tracking conversion events, estimating the number of unique users, etc.; the list does not include serving of interest-based ads. For Apps compiled for any iOS version providing access to the ‘Ad Support’ APIs, App developers agree to check a user’s advertising preference before using either the UDID or the Ad ID for serving advertising.
    2. iAd will comply with the user's choice to "Limit Ad Tracking" (as explained in subparagraph 26(a) of this report). On all devices, iAd will also continue to comply with the user’s choice to “opt out” of receipt of online behavioural advertising, as outlined in subparagraph 12(c)(v).
27. With the release of iOS 6, Apple allowed iOS Device users to reset the Ad ID (i.e. erase and generate a new Ad ID) through the device’s settings by choosing “Erase All Content and Settings” without choosing “Restore from Back Up”. This would effectively erase all applications and data, including Ad ID, from the device and delink any previously collected tracking information from that device.
    
    Update 6: In Apple’s response to our preliminary report of investigation, Apple highlighted that with the release of iOS 6.1 on 28 January 2013, Apple now offers a “Reset Advertising Identifier” button in iOS Device “Advertising” settings, which allows the user to reset Ad ID without having to “Erase All Contents and Settings”.

Application

28. In making our determinations, we applied the definition of “personal information” under subsection 2(1) of the Act, and Principles 4.3, 4.3.2, 4.3.5 and 4.3.6 of Schedule 1 of the Act.
29. Section 2(1) defines personal information as information about an identifiable individual.
30. Principle 4.3 states that knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 clarifies that the principle requires “knowledge and consent”, and that the organization shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.5 provides that in obtaining consent, the reasonable expectations of the individual are also relevant. Principle 4.3.6 further stipulates that the way in which the organization obtains consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.

Analysis

31. Our analysis addresses Apple’s use of UDID and Ad ID, as well as Apple’s alleged disclosure of these identifiers to App developers. Apple creates these identifiers in part for its own use, and then provides App developers access to them. While Ad ID was introduced by Apple after the complainant submitted her complaint to our Office, we do nonetheless consider Ad ID to be relevant to the underlying complaint; it is another unique identifier used to identify an iOS Device, and it was implemented by Apple to replace UDID for the purposes of serving advertisements.
32. App ID and Vendor ID, on the other hand, are created by an App developer for its own purposes, using the iOS Device. Our analysis will, therefore, not address these two identifiers.

Do UDID and Ad ID Constitute Personal Information?

33. The Act defines personal information as “information about an identifiable individual”. This Office has previously found that a piece of information can constitute personal information where there is a serious possibility that an individual can be identified through this information, either alone or in combination with other available information.
34. More specifically, we have found that information which, in and of itself, might not be considered personal can be considered personal where an organization has the capacity to link the information to an identifiable individual (See for example: PIPEDA Case summary #2009-010 - Assistant Commissioner recommends Bell Canada inform customers about Deep Packet Inspection; and, PIPEDA Report of Findings #2011-006 - No evidence Facebook shares personal information with other sites via social plug-ins, investigation finds).
35. While UDID and Ad ID may not, in and of themselves and separate from any other available information, necessarily identify an individual, Apple does have the capacity to link and associate such identifiers with individuals. As mentioned in paragraph 11 of this report, Apple has the capacity to link UDIDs to individual account information, and indeed, does so under certain circumstances. Given that Apple can link its UDIDs and Ad IDs to individual Apple account holders, in our view, UDIDs and Ad IDs both constitute personal information under the Act.

Does Apple Obtain Meaningful Consent for its Use of UDID and Ad ID?

36. The form of consent required under the Act for the use of personal information will depend on the context. More specifically, it will depend on, amongst other things, the type of information, the sensitivity of that information, and the reasonable expectations of the individual.

Use of UDID for Administration and Maintenance

37. Apple’s explanation in its Privacy Policy of its uses of non-personal information, as quoted in paragraph 12(c)(iii) of this report of findings, provides limited detail with respect to its use of UDID for administrative and maintenance purposes. We are, however, satisfied that users would reasonably expect Apple to use UDID for administration and maintenance purposes, as summarized in subparagraph 12(a) of this report of findings. Furthermore, we do not consider UDID to be, in this context, sensitive in nature. We are therefore of the view that Apple can rely on implied consent of iOS Device users for such uses.

Use of UDID and Ad ID for Advertising

38. WhileUDID and Ad ID may not, on their face, appear to be sensitive personal information, they can be used as powerful tools in the context of user profiling and online behavioural advertising:
    1. The permanent nature of UDID renders it more sensitive than other identifiers, like cookies, in such context. The UDID could serve as a reference for tracking a user’s activity on an iOS Device for as long as he or she employs that device.
    2. While Apple’s new software-based Ad ID is not necessarily permanent, in the context of iOS 6, it is certainly persistent. With iOS 6, a user could only reset the Ad ID by choosing to “Erase All Contents and Settings” in the iOS Device settings (i.e. restore their iOS Device to factory settings without backing up data). Doing so would generally be undesirable for a user, except for the purpose of transferring the device to a new user. In the context of iOS 6, we therefore considered Ad ID to be a persistent identifier to which tracking data could be linked for as long as a user employs an iOS Device.
       Update 7: Apple has informed our Office that, with iOS 6.1, it added a “Reset Advertising Identifier” button, accessible in iOS Device Advertising settings, such that the Ad ID can now be reset without restoring the iOS Device to factory settings. We would, therefore, now consider Ad ID to be less sensitive than UDID (i.e. more like a cookie) in the context of user tracking for the purposes of Online Behavioural Advertising.
39. In December 2011, this Office published Guidelines entitled Privacy and Online Behavioural Advertising (the “Guidelines”). In the Guidelines, we explained that in certain circumstances, implied consent could be considered reasonable for the delivery of online behavioural ads provided that individuals are: (i) made aware of the purposes for the practice in a manner that is clear and understandable; and (ii) easily able to opt out of the practice with immediate effect. While each case must be assessed based on its specific facts, the Guidelines provide a useful framework for consideration of the use of identifiers in the delivery of interest based ads.
40. In a section of its Privacy Policy dedicated to the use of “Cookies and Other Technologies”, Apple explains its practice of delivering interest-based ads. This explanation does not, however, specifically indicate how unique device identifiers may be used in that process. In our preliminary report of investigation, we indicated that we did not find this notification to be sufficiently clear and understandable to form the basis of users’ meaningful consent to the use of UDID or Ad ID for online behavioural advertising.
    
    Update 8: The notifications raised by Apple subsequent to issuance of our preliminary report of investigation (see updates to sub-paragraph 12(c)(iii) and paragraph 25 of this report of findings) explain how Apple uses unique device identifiers and Ad ID, as “non-personal information”, for the purposes of delivering advertising. While we remain of the view that such information is personal information when used by Apple in the delivery of advertising, we accept that these notifications are sufficient to form the basis of users’ meaningful consent to such a practice.
41. Apple does provide a simple, one-click process that allows users to immediately opt out of receiving interest-based ads from iAd. Apple also provides the option to opt out of receiving targeted ads from any source, including iAd, using the “Limit Ad Tracking” switch in the iOS Device Settings. That said, we felt that the location of that switch in iOS 6 may not have been intuitive for the user.
    
    Update 9: Apple has explained to our Office that the “Limit Ad Tracking” switch and associated explanation are, with iOS 7, now accessible via the device’s “Privacy” settings. In our view, this location will be much more intuitive to the user.

Does Apple Obtain Meaningful Consent for its Disclosure of UDID and Ad ID?

42. In Apple’s view, granting access to UDID and Ad ID via API does not constitute a “disclosure” of personal information by Apple. Apple indicates that iOS, not Apple, controls access to information through APIs; when a developer accesses data from a user’s iOS Device via iOS, there is no direct interaction with Apple or its servers, and Apple does not know that the App is accessing information on the device.
43. We note, however, that Apple controls, by design, the functioning of its iOS operating system. Furthermore, Apple (either directly or via iOS): (i) assigns UDID and generates Ad ID, at least in part for its own use, (ii) stores those identifiers on the iOS Device, and (iii) controls access thereto. More specifically, Apple alone decides which information will be accessible to App developers via the APIs it develops for its iOS operating system, and restricts such access, via pop-up user consent prompt, for information which it considers to be particularly sensitive (e.g. location or photos). In this context, we find that Apple is disclosing UDID and Ad ID which are “personal information” under the Act.
44. Given this finding, Apple must ensure that users provide meaningful consent for such disclosure. This is consistent with the views we have expressed in the context of other complaints involving the accessing of information by third-party application developers from information technology platforms (see, for example, PIPEDA Case Summary #2009-008: CIPPIC v. Facebook Inc.).
45. In determining the requirements for meaningful consent in this context, we noted in our preliminary report of investigation that in our view: (i) UDID and Ad ID (for iOS versions 6 and earlier), which can be used in the compilation and construction of extensive user profiles, can constitute sensitive personal information, and (ii) iOS Device users would not reasonably expect such identifiers to be disclosed by Apple to App developers upon request. We were therefore of the view that for consent to be meaningful in this context, Apple would have to ensure that such consent is obtained from the iOS Device user in each instance, before the device UDID or Ad ID is disclosed to the App developer.
46. Apple could meet its obligation to ensure meaningful consent for this practice by taking reasonable measures to verify that such consent is obtained by App developers on its behalf. In order to rely on a contractual requirement as evidence that App developers have obtained such consent, Apple would also have to ensure that App developers are aware of, and comply with, that contractual obligation.
47. While the PLA may create a contractual obligation for App developers to obtain informed consent in advance of accessing UDID and Ad ID via API, the PLA does not, in our view, clearly state such a requirement to obtain consent. Furthermore, Apple’s App review process does not allow Apple to verify, with confidence, that App developers actually obtain consent before accessing unique identifiers from Apple. In the absence of any evidence that App developers are well aware of the contractual requirement that they obtain meaningful consent and that they actually comply with such an obligation, Apple cannot presume that users have consented to its disclosure of UDIDs or Ad IDs to App developers. We were therefore of the view in our preliminary report of investigation that Apple was disclosing UDIDs and Ad IDs to App developers without obtaining users’ knowledge and consent.
    
    Update 10: Based on Apple’s addition of the “Reset Advertising Identifier” function in iOS Device settings, for iOS versions 6.1 and later, we no longer consider the Ad ID to be sensitive information. We therefore accept that Apple’s explanations to users (as detailed in paragraphs 12(c)(iii) and 25 of this report of findings) could form the basis for meaningful consent to Apple’s disclosure of Ad ID to App developers for advertising purposes. We also note that Apple is no longer granting access to UDIDs for App developers who submit new or updated Apps after 1 May 2013.

Recommendations

48. In our preliminary report of investigation, we recommended that Apple implement certain changes to ensure that it obtained users’ knowledge and consent in respect of Apple’s uses and disclosures ofUDIDs and Ad IDs. More specifically, we recommended that Apple:
    1. amend its Privacy Policy to reflect that UDID and Ad ID constitute personal information, at least under the Act;
    2. amend its Privacy Policy to provide an adequate explanation of its intended uses of UDID for the administration and maintenance purposes;
    3. inform users in a manner that is clear, apparent and understandable, via Privacy Policy and other up front communication methods, how UDIDs and Ad IDs are used by Apple to deliver advertising and interest-based ads;
    4. take adequate steps to ensure that an iOS Device user has provided meaningful consent prior to its disclosure ofUDIDs and Ad IDs to third parties, including App developers, by:
       1. amending its Privacy Policy to,
          • explain when Apple may disclose UDID and Ad ID (or unique device identifiers in general) to third-parties, including App developers,
          • describe how such identifiers may be used in the serving of interest-based advertising, and
          • urge users to consult the privacy handling practices of those third-parties to which such identifiers are being disclosed; and
       2. informing iOS Device users at the decision point, prior to disclosure of UDID or Ad ID, using clear language in a prominent message, that such identifiers will be disclosed to a specified third-party (e.g. App developer), so that the user can make an informed choice regarding whether or not to consent to that disclosure.
49. We also suggested that the location of the “Limit Ad Tracking” option would be more apparent and intuitive for users if included directly under iOS Device “Privacy” settings, although we were of the view that Apple provides sufficient options for iOS Device users to opt out of the receipt of interest based ads.

Findings

50. While we do not accept Apple’s general characterization of UDID or Ad ID as non-personal information in its Privacy Policy and other communications to customers, we are satisfied that Apple’s use and disclosure of UDID and Ad ID are now in compliance with the Act. This assessment is largely due to the significant changes which Apple has implemented to its privacy practices, as well as the further information provided by Apple subsequent the issuance of our preliminary report of investigation, as detailed in the various “Updates” throughout this report of findings.

Use by Apple of UDID for Administration and Maintenance Purposes

51. Upon further review and based on discussions with Apple subsequent to the issuance of our preliminary report of investigation, we accept, as outlined in paragraph 37 of this report of findings, that Apple can assume implied consent for its use of UDID for administration and maintenance purposes.

Use by Apple of UDID and Ad ID for Advertising Purposes

52. With the release of iOS 6, Apple no longer uses UDID in the delivery of interest-based advertising.
53. We accept that Apple’s explanations to users, both in its privacy policy and in iOS Device Advertising settings (post iOS 6), provide sufficient information to form the basis of meaningful consent to Apple’s use of Ad ID for the purposes of serving interest based advertising.
54. We found that Apple does provide simple and immediately effective options for users to opt out of Apple’s use of Ad ID in the delivery of interest-based ads. We are also pleased to see that subsequent to the issuance of our preliminary report of investigation, Apple has moved the “Limit Ad Tracking” option to a more intuitive location, in iOS Device Privacy settings.

Disclosure by Apple of UDID and Ad ID to App Developers

55. We are pleased to see Apple’s deprecation of UDID for the purposes of Advertising. Apple ceased using UDID for advertising in iOS 6 and apps new or updated after 1 May 2013 can no longer access UDID.
56. Given Apple’s addition of the “Reset Advertising Identifier” option on iOS Devices, we no longer consider Ad ID to be sensitive personal information. We are satisfied that Apple’s explanations of its use and disclosure of Ad ID, in that context, are sufficient to form the basis for meaningful consent to that disclosure under the Act.

Conclusion

57. We therefore find this complaint to be well-founded and resolved.