Let’s Not Get Competitive About Tracking Mobile Users: How EU Competition Authorities Are Threatening to Roll Back Privacy Protections on iOS

EPIC is not shy in its criticisms of Big Tech’s online tracking abuses. Behavioral advertising is one of the driving forces behind surveillance capitalism and one of the biggest threats to privacy online. We have fought hard for years to rein it in, both as an unfair trade practice and through a much-needed comprehensive privacy law. But hard-fought progress in curbing ubiquitous online tracking is now at risk from the complicated interplay of privacy and competition enforcement. Finding regulatory solutions will be essential to preserving user rights and fair markets in the digital age.

This interplay has come into focus this year in particular as multiple EU competition authorities are moving forward with investigations into Apple’s privacy features that limit third-party app tracking. These investigations were spurred by complaints from the ad industry of “abusive” treatment by one of the largest mobile platforms, and the response so far has not given adequate weight to the privacy interests of mobile users. It is especially important in these cases for competition authorities to consider the broader context and trend of increasing legal protections for user privacy and the need for tighter restrictions on this type of tracking and profiling.

*          *          *

One of the most pernicious forms of surveillance advertising is cross-site and cross-app tracking—the monitoring and profiling of users based on what they read, where they go, and what they do on their private devices. For years, users had no visibility into this and no way to control it. Legal protections hadn’t caught up to the rapid proliferation of tracking tech, and mobile users were particularly vulnerable because using a different browser or a VPN would not solve the problem.

Then, finally, users caught a break. Apple announced in 2021 that it would roll out a new feature called “App Tracking Transparency” to enable users to directly control whether mobile apps on iOS can track their activities across apps and services.

Apple’s ATT system gives a user two options:

1. They can turn off cross-app tracking and not give this permission to any apps (or allow apps to access their device’s unique identifier for advertising); or
2. They can “Allow Apps to Request to Track” and be presented with a pop-up each time they download an app that gives them the ability to grant per-app permission to track across other apps for targeted advertising or other non-essential or functional uses.

The ATT prompt explains the tracking sought and gives the user the option to consent to or deny the tracking. Users can also change their preferences in their device settings. This does not affect first-party tracking, which allows companies to track user activity within their own apps, websites, or other media.

ATT is incredibly popular with Apple users and has been repeatedly praised by privacy advocates and authorities for its clarity, its ease of use, and the power it gives individuals over their data. Experts acknowledge that it isn’t a silver bullet for all privacy problems, but it patched a big hole that advertising companies exploited to track and profile mobile users.

The ad tech industry, unsurprisingly, went ballistic. In his opening keynote at the Internet Advertising Bureau’s annual conference in 2023, the IAB’s CEO referred to Apple’s privacy settings as part of an “extremist movement” against their industry and an “existential threat.”

Let that sink in for a moment. The ad industry has so little regard for user privacy that it publicly blasted a mobile platform that dared to give users the option to easily turn off cross-app tracking as “extremist.” When it comes to extreme positions, it would be hard to go further than ad tech representatives who are threatening to leave the state of Maryland because of a new law that prohibits the sale of sensitive data.

But as the ad industry was challenging ATT publicly, the IAB’s quieter and more dangerous work was already well underway. Beginning in 2020 when the system was first proposed, representatives of the ad industry went knocking on the doors of global competition authorities, looking for a regulator willing to treat their “existential threat” as an abuse of Apple’s dominant market position. The French competition authority laid out the chronology in a March 2025 analysis of its €150M fine against Apple. The United Kingdom launched and then shuttered its own investigation. And similar investigations have been publicly acknowledged by authorities in Germany and Italy.

These investigations are fundamentally about the interplay between user privacy protections (both those required by law and those offered and created by online service providers) and competition standards. Indeed, the analysis of the French competition authority was informed by opinions of the French privacy authority CNIL through a novel collaboration. But while the French authority acknowledged the legitimacy of the privacy interests served by the ATT system, it found that Apple’s “implementation methods” were “abusive within the meaning of competition law” given the firm’s dominant market position in mobile application distribution. Their conclusion turned on an analysis of whether the “obstacle to targeted advertising” posed by the ATT system was “disproportionate or lack[ed] objective justification.”

The decision of the French authority identifies three competition abuses that supported its fine:

1. “an artificially complex framework” for app tracking,
2. a “non-neutral framework” for the presentation of user choices, and
3. an “asymmetry” of treatment between Apple and the app publishers regarding tracking permissions.

However, their analysis of all three of these abuses rests on the same core assumption: that Apple’s system requires publishers/app companies to obtain “double consent” to track users. But it is GDPR and French data protection law that impose privacy obligations on those publishers, not the ATT system. And consent is not the only legal basis under which they can process data. So it is little comfort to assure that Apple is “free to enact consumer protection rules in addition to those imposed by regulation” when the decision takes that option away by treating those protections as “abusive” because the ATT feature does not also satisfy the publishers’ own data protection obligations.

This assumption—that facing multiple privacy prompts poses an unjustified barrier for users, and that the barrier is asymmetrical because it only takes on click to not be tracked—is especially suspect when you take a step back and survey the recent trends in both legal protections and industry practices. Many jurisdictions in the United States now require that companies comply with a “Universal Opt-Out Mechanism” to give users a one-click solution to block tracking across sites and services. California went further this year to require all browsers to build this feature in to make it more accessible. The trend is towards these simple, unified mechanisms to turn off tracking and even to delete personal data across a range of services. And in that context, ad tech companies have been arguing for their right to repeatedly prompt users to “opt back in” to tracking. So it is hard to see their complaints to EU competition authorities about double consent to be anything other than a bad faith argument in favor of their tracking practices.

*          *          *

Competition authorities need to recognize that a feature respecting a user’s informed choice regarding control over their own data should not be treated an abusive or anticompetitive practice. Competition authorities should not be in the business of providing special protections to the commercial surveillance industry by concluding that these protections are “not necessary.” The vast majority of iOS users disagree and prefer to protect their privacy against cross-app tracking.

The conclusions that the ATT system creates an asymmetry and lacks neutrality in presentation also don’t hold up to closer scrutiny. The system is universally applied to all apps that seek to track users across other companies’ apps, websites, or other properties or to share that user data with data brokers. And while it is true that the ATT pop-up does not appear for Apple’s apps, this is for a simple reason: Apple’s advertising system does not track users across third party apps and services. There is no preferential treatment of cross-app tracking for any provider; it is the ad companies that are asking for extraordinary legal protection for their invasive business practices.

In fact, the same sorts of disingenuous arguments that the advertisers have made against App Tracking Transparency could be made against the privacy features protecting mobile users’ sensitive location data. Those features are certainly an “obstacle to targeted advertising” and user choices to allow precise location tracking don’t eliminate companies’ obligations to comply with GDPR and other privacy laws. But it would be absurd to say that layered protections for user’s sensitive location data should be treated as “obstacles” to competition that are “unjustified.”

While it is unsurprising that the ad tech industry and app developers are unhappy with a system that prevents them from building user profiles and tracking their activity across devices and the broader internet, we hope that competition authorities will consider the full picture. Indeed, if the ad tech industry feels that giving individuals an informed choice about their data poses an “existential threat” to their business model, perhaps that is a sign that their business model should be restructured.

Invalidating the ATT system is not a good way to promote competition in the ad marketplace, and it would deny users an actual, meaningful choice to protect their privacy in a tech ecosystem that is overrun by surveillance. We cannot believe this was the intent of pro-competition frameworks or of the authorities investigating this matter. We urge those authorities to consider and weigh the important privacy interests of mobile users and the need for stronger (not weaker) protections for their data.