New Terms of Service required of developers marketing their products via the Apple App Store have introduced heightened legal risks to using data collected by iOS apps – an issue that could challenge certain alternative data vendors and the asset managers who use this data. These new policies have been implemented by Apple in the wake of Facebook’s recent privacy scandals.
Apple Terms of Service Changes
In the past few months Apple has changed its App Store Terms of Service for App Developers to better address new privacy laws like GDPR, which was implemented in May 2018, as well as the growing concerns of individuals about the privacy of their data collected by these apps. In the wake of these changes, Apple has recently started to remove third-party apps from its App Store for violating the new terms.
The most concerning changes for the alternative data industry are found in Section 5.1 of the App Store Review Guidelines. These changes can be summarized as follows:
- App developers must obtain consent from users to collect their data. In addition, users must be informed how and where their data is being used.
- Data collected for one purpose may not be repurposed without additional user consent.
- Data collected by apps sold through Apple’s App Store may only be used for two reasons: to improve the app or to support the serving of advertising.
Beyond simply asking users for permission to collect data, Apple is requiring app developers to explain what the data is used for and how it is shared. Apple is also cracking down on instances where the data is used for purposes unrelated to improving the user experience.
Consequences of these TOS Changes
These changes could be quite problematic for a number of alternative data providers that purchase or obtain user data from third-party app developers, especially firms that aggregate, analyze and market geolocation or app usage data. iOS apps can also be used for other purposes, such as collecting transaction data or other consumer activity.
At a minimum, the new standards for iOS apps will reduce the size of affected datasets. Geolocation data suppliers indicated that geolocation data attrition ran around 25% when GDPR was being implemented in Europe. At the extreme, it may require alternative data vendors to forgo relying on iOS apps for data collection. Those alternative data vendors continuing to use data collected by iOS apps will need to conduct extensive due diligence to determine that sources are compliant with the new Apple Terms of Service (TOS) because risks to end users are elevated by the new terms.
The new Apple TOS creates heightened legal risk for fund managers if they utilize data collected in violation of Apple’s App Developer standards. One Wall Street attorney who specializes in the fund management and alternative data space explained that asset managers that invest based on this type of data could be subject to potential insider trading actions because this data would be nonpublic, material, and used in clear breach of a duty that the data source (the app developer) has to Apple, the OS provider. In this situation the alternative data provider would be seen to be the tipper and the buy-side investor would be the tippee.
While Apple has taken action against a few app developers who were in breach of its new Terms of Service, it does not appear that the firm has aggressively started going after app developers that supply some of the larger alternative data vendors who sell app usage or geolocation data. It is unclear whether this is merely an oversight or an indication that Apple doesn’t actually understand how some of its app developers have been commercializing user data.
It is also our understanding that other OS vendors (like Samsung for the Android OS) have not implemented similar restrictions for their app developers. Despite this, alt data vendors may have difficulty creating meaningful datasets if they are required to exclude data from iOS apps.
Data subject to Apple’s new Terms of Service now have two new levels of risk: increased risk of privacy violations and exposure to insider trading sanctions. Privacy standards were a pre-existing risk for any data previously collected by iOS apps, but now the standards have been tightened to levels that approximate GDPR rules in Europe.
The new risk is introduced by providing prosecutors with a fiduciary standard, a lever that is lacking in the case of many forms of alternative data [see our white paper on alternative data risks for a deeper discussion]. The only alternative data case that the US Securities and Exchange Commission has prosecuted involved data analysts for Capital One Financial Corp who profited from trading based on spending patterns mined from the bank’s internal credit card transaction data. The SEC successfully argued that the defendants violated Capital One’s code of conduct and other rules the company established to regulate its employees’ use of proprietary data, and thereby breached a fiduciary duty to Capital One.
Consequently, we believe that Apple’s new Terms of Service for app developers have created a number of potential business and legal problems for alternative data vendors in this space and for the asset managers who use this data. The team at Integrity Research will continue to follow this topic and keep our readers informed of any new developments in this space.