What Startups Can Learn From Apple’s Privacy Position

lourdes.turrecha
Privacy & Technology
9 min read · Dec 7, 2020

by Emily Ashley & Lourdes M. Turrecha

Tomorrow, Apple releases one of its more controversial iOS14 features: privacy labels.

At a time when new technology tools seem to get creepier in their overcollection and misuse of user personal information, Apple’s privacy position is striking.

For years, Apple has been public about its privacy position, which is reflected in its branding and advertising, in the Apple v. FBI case, in its business model, and in its actual product releases.

iOS14, for example, includes an onslaught of privacy and security features that provide unprecedented transparency into what app startups and third parties are doing with user data, and new user controls over their data.

In this two-part series, we analyze Apple’s privacy position. We provide takeaways for startups in this Part 1. We then go into detail on some of the notable iOS14 privacy features in Part 2.

What is Apple doing differently?

At a high level, Apple’s privacy position reveals the following seemingly counterintuitive approaches:

  • A Contrarian Business Model. At a time when startups become unicorns from business models dependent on data, Apple’s business models largely do not focus on monetizing its users’ personal data. The difference is striking even when compared with its biggest device and app store competitor, Google. Apple pulls in significant revenue from its hardware sales, not from its users’ data. Even its software offerings do not focus on data monetization. Take Apple Card, for example: instead of monetizing information about its individual users’ spending habits like most credit card providers do, Apple encrypts purchase details so that it can’t see them. While Apple does use some card data for metrics, it uses anonymous and aggregate data in its card transaction analytics.
  • A Privacy-Forward Brand. Apple’s commitment to privacy is reflected in its brand. Apple privacy billboards have sprung up in some cities. There is even one near a Google building in Toronto, perhaps serving as a challenge to the competing tech giant to take on a similar level of commitment towards privacy.
    (Image credit: @joshmcconnell)
  • User-Centric Design. Apple cofounder Steve Wozniak is known for his “humans over tech” creed. In simple terms, he believes that tech is supposed to be built to serve humans, not the other way around. This creed to put Apple users first is reflected in how Apple designs its products with privacy in mind. In its Human Rights Governance statement, Apple explains that it feels a deep sense of responsibility to make technology that respects human rights, and that it builds privacy protections into all of its products and services.
  • Privacy Design as Product Excellence. Apple has long been considered the gold standard in tech for design and product excellence, and this holds true when it comes to product privacy. In an ocean of poorly designed products (at least from a privacy design standpoint), Apple sets itself apart by incorporating privacy into its product design. Apple’s treatment of privacy as part of product excellence aligns with growing consumer expectations for more privacy.
  • Privacy Innovation. Unlike many of today’s tech tools, Apple’s approach to innovation takes privacy into account. For example, Zoom CEO Eric Yuan infamously admitted earlier this year that they never thought about privacy in building Zoom. In contrast, Apple has been able to hire a small army of privacy engineers and practitioners to design and engineer privacy into its products. A LinkedIn search of Apple employees with the keywords “privacy engineer” returns a result of 490 Apple employees — although this number is likely not accurate, it’s telling enough given most tech companies don’t have any dedicated privacy engineers to own product privacy. While the two companies are not comparable in size or maturity, the point remains that younger companies can learn from Apple’s privacy-centric approach to innovation.
  • Understanding Privacy. It also seems like Apple put some thought into understanding privacy in crafting its privacy position. On its website, Apple declares that privacy is a fundamental human right and that it believes in innovation that gives customers control over their information. These human rights and individual control points reveal an understanding of privacy that many others, especially those who conflate privacy with secrecy or with mere security, don’t have. It is this understanding that guides privacy innovation in Apple’s product development.
  • Recognition of Privacy’s Value. All of the above points reveal Apple’s recognition of privacy’s business value. Some argue that Apple is favorably set up to recognize privacy’s value and dedicate the necessary resources given its position as the most valuable public company. But there are many other brands in close proximity to Apple’s position, such as Amazon and Google, who take very different approaches to privacy. By viewing privacy as an opportunity to innovate, as Apple claims, it is able to create tools and products that not only solve user concerns, but also create both value and a sense of trust from consumers and regulators. Others still argue that it would be unreasonable to expect smaller companies that don’t have Apple’s or Google’s market shares to dedicate significant resources to privacy. These companies should not lose sight of the long game in making privacy strategy decisions. Emerging startups like Brave and DuckDuckGo have proven that it’s possible to build privacy-first companies.

What can startups take away from Apple’s privacy position?

Startups have a lot to learn from Apple’s privacy position, despite the stark difference in company stage, size, and market share.

Apple is not alone in moving the needle on privacy.

Privacy has increasingly become a hot topic in tech.

Even outside tech, regulators, consumers, advocates, and leading brands are beginning to demand that privacy be a necessary consideration when developing new products and services.

That said, some companies still treat privacy as a compliance hurdle rather than an opportunity to innovate, especially with various privacy laws springing up in different states and countries.

Apple’s approach is to prioritize privacy in its designs and products.

Startups can learn a lot from Apple’s privacy position beyond the surface regulatory pain point, including the following points:

  • Meeting Customer Privacy Expectations. Apple understands something that many companies don’t: customers care about privacy. This is true with businesses and with consumers. For example, businesses reported a 270% return on their privacy investments. Similarly, more than half of Americans have abandoned a service because of privacy and nearly all Americans believe that more should be done to ensure that companies protect consumer privacy. Perhaps most relevant here, of the Android users who switched to iPhones, 32% indicated doing so because of Apple’s perceived privacy or security benefits relative to Android.
  • Recognizing That Creepy Tech Is Out. We’ve seen increasing backlash against tech companies in recent years. This so-called “techlash” is particularly obvious when it comes to privacy, with more than half of Americans reporting that they’ve abandoned an online service due to privacy concerns. Privacy criticisms have increased and gone mainstream, as illustrated by the recent Netflix hits “The Great Hack” and “The Social Dilemma.” Users are becoming aware of what major social tech companies are doing with their personal data, and startups themselves are questioning the ethics of their own product designs. In direct contrast, Apple’s business model and privacy position allow Apple to take matters into its own hands. Apple’s iOS platform privacy standards raise concerns about platform owners dictating how third parties innovate, but platforms like Apple have a baseline responsibility towards their users. iOS14 puts an end to the days of third-party flashlight apps unknowingly over-collecting user data, without notice or consent.
  • Accepting That Privacy Designed & Engineered Tech Is In. There is a rise in privacy tech development, as evidenced by an increasing number of privacy tech tools, more funded privacy tech startups, and customer demand for privacy designed and engineered tech. Apple has taken the lead amongst Big Tech companies in designing and engineering privacy into its products. Following iOS14’s privacy-heavy release, Google released Android 11 with its own, but limited, set of privacy features. Beyond Big Tech, there is a slew of privacy tech startups with solutions gaining mainstream adoption, such as Signal for messaging, Brave for browsing, and DuckDuckGo for search.

What are potential challenges in adopting a privacy-forward position?

When considering a privacy-forward position like Apple’s, one clear hurdle stands out: Apple is a tech giant with a tremendous amount of resources that startups simply do not have. Even without an army of elite privacy technologists, lawyers, and professionals, startups can still take a page out of Apple’s privacy book when considering how to put privacy first and finding innovative solutions to some of their privacy challenges. That said, below are some of the challenges that startups could face in setting their privacy strategy:

  • Walking The Privacy Talk Takes Time, Resources, And Communication. Privacy professionals, engineers, and business teams need to work together to make privacy-forward decisions that comply with the law and put users first. By incorporating privacy into the development process, startups can treat privacy as one of the many customer product requirements, which would minimize the amount of time customer service representatives and engineers spend addressing privacy issues after a product goes to market. This would also enable marketing teams to leverage product privacy features in marketing the product. All of these, of course, involve resources which are limited for early-stage startups.
  • Higher Privacy Expectations. Lastly, once a company begins to develop a privacy position (especially if done publicly and tied to its brand), people come to expect more from that company. Apple is not exempt from increased privacy expectations. For example, earlier this year, Apple came under attack for its reported $8–12B deal with Google to use the Google search engine as the default in Apple products. Privacy-minded consumers would prefer to use privacy-forward search engines like DuckDuckGo, but they simply cannot compete with Google’s budget to win the Apple deal. And although Google is responsible for the actual data practices related to Google search, Apple is not beyond reproach: it is responsible for not choosing a more privacy-forward default search engine for its products.
  • Data Monetization Limitations. One might be tempted to jump to the conclusion that a forward-thinking privacy position means completely abandoning any data monetization business model. But there are ways to monetize data in a transparent manner that puts the choice in the user’s hands, and even shares the monetized value with users. Startups can anonymize and aggregate data so that they can benefit and innovate based on such anonymized and aggregate data analysis without using specific users’ identities. While these methods may limit data use or analysis, companies that adopt them benefit by reducing privacy risk and strengthening user trust.

Local Differential Privacy: Apple limits data monetization using local differential privacy, which allows Apple to gain insight into what users are doing while simultaneously protecting their privacy. This technique adds noise to the data on the user’s device, before it is even sent to Apple. Device identifiers are removed and the data is transmitted to Apple through encrypted channels, dropping metadata that could identify a user, such as IP addresses. Apple then aggregates the data to calculate statistics, which it shares with relevant teams to innovate new products.

Privacy Budget: In addition to implementing local differential privacy to aggregate data, Apple implements a privacy budget to set limits on how much data is collected from users each day, breaking up data points into broad categories. For example, Apple may collect data to improve emoji suggestions, and in doing so, they can refer to the privacy budget to determine how much emoji data they can collect each day from each user. By limiting the data contributions it takes from each user each day, Apple both minimizes data collection and reduces the risk of users being inadvertently re-identified through large data sets.

  • Tensions In Business-to-business Privacy Requirements. Some critics point out that platform operators dictating requirements on startups raises concerns. But, by not enforcing any privacy or security requirements, platform operators raise more serious concerns for both app developers and users. Requiring developers to adopt platform privacy and security standards in the app development process will help address potential privacy issues, such as regulatory scrutiny or user backlash, before they become real problems.
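
The local differential privacy and privacy budget techniques described above can be sketched in a few lines. This is an added example, not Apple's code: it uses k-ary randomized response as a simple stand-in for Apple's mechanism, and the emoji list, epsilon value, daily limit, and simulated usage are all assumed values.

```python
import math
import random
from collections import Counter

EMOJI = ["😂", "❤️", "👍", "😭"]   # constructed value domain
EPSILON = 2.0                      # assumed per-report privacy parameter
DAILY_LIMIT = {"emoji": 1}         # assumed: reports per category, per device, per day

def truth_prob(epsilon, k):
    """Probability that k-ary randomized response reports the true value."""
    return math.exp(epsilon) / (math.exp(epsilon) + k - 1)

class Device:
    """Client side: enforce the daily budget, then randomize locally."""
    def __init__(self, rng):
        self.rng = rng
        self.sent = Counter()      # (day, category) -> reports already sent

    def report(self, day, category, value):
        if self.sent[(day, category)] >= DAILY_LIMIT[category]:
            return None            # budget spent: nothing leaves the device
        self.sent[(day, category)] += 1
        if self.rng.random() < truth_prob(EPSILON, len(EMOJI)):
            return value
        return self.rng.choice([e for e in EMOJI if e != value])

def estimate_counts(reports):
    """Server side: debias the noisy tallies; reports carry no device id."""
    n, k = len(reports), len(EMOJI)
    p = truth_prob(EPSILON, k)
    q = (1 - p) / (k - 1)          # chance of reporting one specific wrong value
    observed = Counter(reports)
    return {e: (observed[e] - n * q) / (p - q) for e in EMOJI}

def simulate(n_devices=20000, seed=7):
    rng = random.Random(seed)
    weights = [0.5, 0.3, 0.15, 0.05]           # constructed true usage
    reports, true_counts, dropped = [], Counter(), 0
    for _ in range(n_devices):
        device = Device(rng)
        for value in rng.choices(EMOJI, weights, k=3):   # three events on day 0
            noisy = device.report(0, "emoji", value)
            if noisy is None:
                dropped += 1
                continue
            true_counts[value] += 1
            reports.append(noisy)
    return true_counts, estimate_counts(reports), dropped
```

Any single report is deniable, because each wrong value is sent with probability q and the true one with probability p = e^ε · q, yet the debiased totals track the real distribution once enough devices contribute.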

Apple’s privacy position reveals lessons for startups that don’t know where to begin with their privacy strategy. This includes challenges that startups may face in adopting a privacy-forward brand. Yet, Apple demonstrates that it can be done. Like it or not, Apple has set — and will likely continue to set — privacy standards for developers who want to be a part of its ecosystem. In a way, startups either need to adapt or be left behind. Apple shows that there’s clear value in moving the needle on privacy.

Founder & CEO @PIX_LLC @PrivacyTechRise | Privacy & Cybersecurity Strategist & Board Advisor| Reformed Silicon Valley Lawyer | @LourdesTurrecha