“Privacy. That’s iPhone.”
—Apple’s advertising campaign, ca. 2019On April 26, 2021, Apple quietly transformed digital privacy debates globally. Following the launch of its iPhone operating system (iOS 14.5), over 1 billion active iPhone users were automatically opted out of tracking services across mobile applications. With only 25% of users affirmatively consenting to such tracking, the policy significantly altered how personal information can be collected and shared online. But the decision was not limited to questions of surveillance; they also had major implications for the digital economy. Meta (previously Facebook), for example, estimated that the change would cost the company at least $8 billion in revenue and it paid for full page ads in the New York Times, Wall Street Journal and Washington Post, attacking the move as hurting “small businesses.”
After years of legislative failures in the United States and limited success in regulating the online tracking industry in Europe, Apple seemingly reconfigured the market for personal data in the space of a few months and, in the process, altered the regulation of privacy worldwide. Apple’s actions also stand in stark contrast to failed attempts by industry to tackle the issue, including the moribund Do Not Track protocol developed by the World Wide Web Consortium.
We seek to understand: what motivates private companies to regulate public interest issues like privacy in a digital economy? And when do they have consequences for market behavior? In contrast to arguments that privilege either the shadow of the state or functional industry interests, we build on research concerned with business power in private governance (Bartley Reference Bartley2022; Ponte Reference Ponte2020) and couple it with work on market structure (Rochet and Tirole Reference Rochet and Tirole2003; Rysman Reference Rysman2009) to develop an alternative explanation. In particular, we look at the way in which some platform companies serve as a key infrastructure in digital markets characterized by what the economics literature describes as a two-sided market. Two-sided markets exist when a firm mediates interactions between two different groups, each of which benefit when there are more participants on the other side of the market. From credit cards to gaming systems, the economics literature has mapped how prices and competition may work to the advantage of different market actors in such settings.
Here we interact these economic debates with broader issues of governance and power. We argue that companies operating as digital platforms may use private actor governance to consolidate their influence. More precisely, public-interest regulation on one side of the market (e.g., protecting the privacy of end-users) may increase the dependence of firms on the other side of the market (e.g., increasing the price paid for information by advertisers). In this way, private governance may serve simultaneously to address a public-policy issue, while also furthering a platform company’s market power.
Our argument has several important implications. First, it contributes to the growing literature on business power in the digital economy (Culpepper and Thelen Reference Culpepper and Thelen2020; Srivastava Reference Srivastava2023). Connecting literature on two-sided markets and private actor governance, we offer a specific channel for how firms may use their position as a market infrastructure to lock in business advantage (Braun Reference Braun2020; Farrell and Newman Reference Farrell and Newman2019). More generally, we suggest that the particular economic features of digital markets must be examined to understand their broader societal ramifications. Second, we call for greater attention to firm decisions in regulating the digital economy. While work in science and technology studies has long acknowledged the ways in which technical defaults and standards impact the everyday lives of citizens (see e.g., Bijker, Hughes, and Pinch Reference Bijker, Hughes and Pinch1989), much of the political science literature has focused on formal legal processes adopted by governments and more recently on soft laws by private actors (Abbott and Snidal Reference Abbott and Snidal2010; Vogel Reference Vogel2008). In analyzing Apple’s policy, we demonstrate how, with a flip of a switch, a single company transformed the data collection system underpinning surveillance capitalism for hundreds of millions of people across the planet.
Private Rules and Public Policy in a Digital Economy
From speech to privacy, broad public interests are increasingly governed online by policy decisions taken by private companies, either individually or through industry associations (Ruggie Reference Ruggie2004; Avant, Finnemore, and Sell Reference Avant, Finnemore and Sell2010). Famously hard to define (Mattli and Woods Reference Mattli, Woods, Mattli and Woods2009, 13), we understand public interests as important social values, whose protection matters to broad swathes of society. Viewed in these terms, references to the public interest often aim to distinguish between the issues that should be coordinated by governments and those that should be left to individual choices (Bozeman Reference Bozeman2007, 87-88). And yet companies regularly take policy actions with significant effects on public interests, including most recently in digital markets, and form a core concern for research on private actor governance.
Despite a number of structural conditions (e.g., globalization, digital technologies, and growing faith in the rationality markets) that support such efforts, there persists remarkable variation in the adoption and implementation of meaningful private actor governance (Abbott and Snidal Reference Abbott and Snidal2010; Bartley Reference Bartley2003; Cerny Reference Cerny1995). Private actor governance here specifically refers to policy actions taken by non-state actors to regulate their own conduct (Eberlein et al. Reference Eberlein, Abbott, Black, Meidinger and Wood2014; Grabs, Auld, and Cashore Reference Grabs, Auld and Cashore2021). It includes codes of conduct, certifications, standards, best practices, and other forms of soft laws, which private actors can monitor and implement through various means, such as audits or algorithms (Vogel Reference Vogel2008; Srivastava Reference Srivastava2023). To explain variance in private actor governance emergence, scholars frequently turn to three explanations. The first emphasizes how the implicit threat of state intervention may incentivize private action, the second considers the functional role of private actor governance, and the third looks at the power dynamics at play. We hereafter review each one and derive clear expectations for the emergence of private actor governance in digital markets.
Shadow of Hierarchy
A long line of work explains the emergence of private actor governance by what is known as the shadow of hierarchy (Héritier and Eckert Reference Héritier and Eckert2008, Reference Héritier and Eckert2009; Schillemans Reference Schillemans2008). It maintains that a firm’s willingness to act to address public-interest concerns is conditioned by the probability of government intervention. According to this work, firms would rather regulate their sector internally than be subject to the direct command and control rules of states. As the probability of regulation grows (either because of increased issue salience or greater regulatory capacity of the state), firms attempt to preempt state efforts. Private actor governance, then, is viewed primarily as a substitute for public actor efforts and a means for firms to retain control over the development and implementation of such systems rather than delegate away such authority to the state (Malhotra, Monin, and Tomz Reference Malhotra, Monin and Tomz2019). Following this explanation, we should expect digital firms to engage in greater private actor governance as the probability of credible state intervention increases (Newman and Bach Reference Newman and Bach2004). Looking at the regulation of artificial intelligence, Auld et al. (Reference Auld, Casovan, Clarke and Faveri2022), for example, show how various firms adopted private rules to “fend off” government actions.
Functionalism
The functional explanation, by contrast, adopts a demand and supply model in the absence of state involvement (Büthe Reference Büthe2010). By setting standards or other forms of private regulation for themselves, private companies can benefit economically from governance that has not been provided by public rules (Green Reference Green2013, 41-43; Spar Reference Spar, Cutler, Haufler and Porter1999, 47). Firms may collectively attempt to coordinate to resolve market failures, which can produce considerable business inefficiencies. As more businesses adopt the same standards, they are notably less likely to have to conform to multiple standards at once or to change their production standards in the future, limiting adaptation costs (Green Reference Green2010). Moreover, firms may reduce their compliance costs by adopting standardized practices established by industry associations or other firms (Beaumier Reference Beaumier2023). Private rules can also offer preferential treatment “through improved reputation” (Grabs, Cashore, Auld, and Cashore Reference Grabs, Auld and Cashore2021, 1183). By embracing socially recognized standards, private companies hope to increase their profits (Prakash and Potoski Reference Prakash and Potoski2012) or at least shun negative publicity (Haufler Reference Haufler2001). When adopted collectively, this represents a club good where adopters of a specific standard have equal access to its “signaling benefits” (Prakash and Potoski Reference Prakash and Potoski2012, 125). Collective efforts also reduce the risk that one company’s bad behavior might tarnish the reputation of others (King and Lenox Reference King and Lenox2000).
The supply of private rules is generally assumed to follow expected economic gains. While some point to variables like the costs of compliance (Cashore, Auld, and Newsom Reference Cashore, Auld and Newsom2004) or market structure (Auld Reference Auld2014) to explain which private rules will be adopted and when, they generally agree that private rules should emerge once private actors have a demand for rules and the expertise, including the technical know-how, to supply it (Abbott and Snidal Reference Abbott and Snidal2010; Bush Reference Bush2017; Green Reference Green2010, Reference Green2013). In effect, private companies follow the rules developed by others because they consider that they know how best to govern their sector or industry. This in turn ensures that governments and civil society organizations do not contest private rules or attempt to replace them.
Following this functional explanation, we should expect digital firms to voluntarily follow private actor governance schemes, allowing them to resolve market failures. Investigating private actor governance in the privacy space, Beaumier (Reference Beaumier2023) shows how various firms voluntarily follow rules devised by industry associations to rely on their expertise and reduce their transaction costs. Auld et al. (Reference Auld, Casovan, Clarke and Faveri2022) also argue that firms like Google have adopted regulations to oversee the use of artificial intelligence to reduce their reputational risks.
Business Power in Two-Sided Digital Markets
In contrast to arguments based on the shadow of hierarchy or functionalist accounts, we build on business power explanations emphasizing the distributional politics and conflict arising from private actor governance and adapt them to the structural dynamics of digital markets. Existing work demonstrates that firms can use private rules to shape other actors’ behavior and generate private gains (Büthe Reference Büthe2010, 13-14; Bartley Reference Bartley2022, 189). Scholars studying global value chains argue that lead firms can attempt to extract more added value and further entrench their dominant position by ostensibly promoting better environmental or labor practices (Dallas, Ponte, and Sturgeon Reference Dallas, Ponte and Sturgeon2019; Fuchs and Kalfagiani Reference Fuchs and Kalfagianni2010; Gereffi Reference Gereffi1999). Looking at the global agri-food value chain, Ponte (Reference Ponte2020, 79) talks of the “sustainability-driven supplier squeeze” to describe how lead firms use sustainability standards to accrue benefits while pushing most of the costs onto their suppliers and de facto excluding new ones from joining the market.
Private rules do not only gain authority through voluntary agreement but also through coercion (Graz and Nölke Reference Graz and Nölke2008, 12). While lacking states’ legal authority, lead firms use their dominant position in the global marketplace to reward or penalize smaller companies (Mayer and Gereffi Reference Mayer and Gereffi2010, 9; Dauvergne and Lister Reference Dauvergne and Lister2012, 40). Firms can offer better purchasing policies to companies that comply with their rules or outright exclusion of their valuable supply chains if companies do not. Market structure often underpins existing work on such business power accounts (Ponte and Grabs Reference Ponte and Grabs2019). Drawing on the insights of previous work on two-sided markets and infrastructural power, we develop an argument explaining private actor governance in digital markets.
Here, the particular nature of the market structure plays a role in shaping the choices of digital platforms. Two-sided markets refer to market structures in which the decision by two sets of private actors to interact with each other through an intermediary creates distinct economic logics for actors on different sides of the market as well as for the intermediary (Rochet and Tirole Reference Rochet and Tirole2003; Rysman Reference Rysman2009). Examples of two-sided markets include online selling platforms (sellers and buyers), card-payment systems (merchants and cardholders); video-game consoles (gamers and game developers); shopping malls (stores and shoppers); and newspapers (advertisers and readers). In each case, an intermediary, which in the digital domain is often referred to as a platform, serves to link the network on one side (sellers, merchants, game developers, stores, advertisers) to the other side (buyers, gamers, shoppers, readers).
Significantly, the relative dependency on platform services tends to vary across the groups of actors that the company connects, creating an opportunity for platforms to extract value from the group that is less able to substitute its services (Rysman Reference Rysman2009, 130). In the literature on two-sided markets, this is known as a cross-network externality. Traditional or so-called “direct” network-effects arguments describe situations where the value of a network grows as more users join. The value for individuals using Twitter, for example, increases as more people join and post on its platform. Such arguments have been used to explain why platforms tend toward monopoly, as potential challengers must not only provide a better service but also replace the value of the existing network. Cross-network effects, by contrast, describe cases where the value of using the services of a platform for one group of users rise as the number of users from another group rises. For example, the value of using the Amazon platform increases for sellers as more buyers use it. Conversely, the value for buyers to use the Amazon platform increases as more sellers join it. A massive virtual store is in effect worthless if no shoppers or sellers come. User behavior on both sides of the intermediary, then, can have important consequences for the intermediaries’ market power.
Platform companies acting as intermediaries can force trade-offs between users on both sides. As consumers become attached to Amazon, the latter can pressure sellers for concessions to attract more consumers. Video-gaming console makers sell their machines at a loss to build a large user base for game developers, while charging game developers a cut of their royalties for each sale (Rochet and Tirole Reference Rochet and Tirole2003). Platform companies keep a share of the extracted value in line with the substitutability of the benefiting side of the market. The less dependent a group is on the platform, the more the platform needs to share the value either in the form of reduced prices or other benefits.Footnote 1 Importantly, platforms can attempt to shape supply and demand on both sides of the market by changing pricing models and private regulation, which alters the composition of users and their ability to substitute the platform’s service on different sides.
Here, private actor governance becomes a source of business power as it can impose a redistribution of economic benefits between the two sides of the market. Platform companies can act when they have failed to capture the rents generated by cross-network externalities and can use private actor governance to either reduce competition for such rents or alter market dependencies. Private actor governance may serve as an important tool for both. On one hand, such efforts can delegitimize competing platforms, reducing the ability of market participants on one side of the market to substitute the intermediary. On the other hand, private actor governance can cultivate a user base on one side of the market that is more attractive to the other side of the market. This can be due to the user base’s high quality or commitment to staying with the platform. As the value of the user base grows and competition from other intermediaries decline, the other side of the market becomes more dependent and must pay more for access. In this way, a platform in a two-sided market may use private actor governance to enhance its position in the market, while also addressing a public-interest concern.
Platform companies will be best positioned to use governance initiatives to exert such power once they have developed sizable user bases on both sides of the market. Importantly, however, private actor governance can also shape the demand for the platforms’ services, as just discussed. By addressing the public interest, private governance can attract more users and thus reinforce cross-network externalities. It can also reduce competition from other platforms, further solidifying its position as the key intermediary.
Private actor governance in the context of two-sided markets can, then, represent a form of infrastructural power (Braun Reference Braun2020; Rafi Atal Reference Rafi Atal2021; Valdez Reference Valdez2023). Closely linked to the concept of structural power (Barnett and Duvall Reference Barnett and Duvall2005), infrastructural power describes how actors controlling key market arteries in the global economy can leverage their position to their advantage (Petry Reference Petry2021). In the context of digital platforms, intermediaries can embed their governance preferences in the design of technologies that the two sides of the market use to connect to each other (Beaumier and Kalomeni Reference Beaumier and Kalomeni2022; Cioffi, Kenney, and Zysman Reference Cioffi, Kenney and Zysman2022; Srivastava Reference Srivastava2023). Instead of working to code their preferences in laws (Pistor Reference Pistor2019), digital platforms with infrastructural power can code their preferences in their own business standards and terms of service, shaping the rules by which each side can connect to the other. In this way, such policies have a multivocal form of authority (Padgett and Ansell Reference Padgett and Ansell1993), whereby the same governance action can have different meanings for participants on the two sides of the market (e.g., enhancing reputation for one, while disciplining the other). Table 1 summarizes the three explanations and highlights their respective argument and expectations.
Information Assets, Privacy, and the Politics of Online Tracking
Personal information is a crucial asset in most industries today (Newman Reference Newman2010). Broadly understood, personal information means any information that is tied to the identity of a specific person. It traditionally referred to information like phone numbers, home addresses, and credit card purchases. With the advent of the Internet and digitally connected devices, a new trove of personal information became accessible to companies, including IP addresses, geo-localization data, or online search history, which, even if sometimes anonymized, can be combined to build increasingly detailed individual profiles and predictive models (Newman Reference Newman2008; Wong Reference Wong2023). These are then used by companies to make various business decisions like risk assessments, optimization strategies, or targeted marketing (Newman Reference Newman2010, 1291).
Starting in the early 2000s, companies began to couple personal information to a system of advertising, which monetized that data. Commonly (and often derisively) known as surveillance capitalism (Zuboff Reference Zuboff2019), firms like Meta or Google generate detailed profiles of individuals. They then serve as advertising brokers to firms selling goods ranging from apparel to vacation travel. For a sense of the magnitude of this market, Meta sold nearly $115 billion in ads in 2021 (Statista 2023), which is comparable to the annual budget of the country of Indonesia.
At the heart of this economic system lies an online data collection method, the so-called cookieFootnote 2 (Leta Jones Reference Leta Jones2020). Cookies are small alphanumerical identifiers saved on someone’s device (i.e., computer or smartphone) allowing companies to identify them. They originally aimed to enhance online user’s experience by allowing websites to perform simple functions like remembering a user’s country or language setting while avoiding having to ask them to re-identify themselves every time they logged on to their website (Sipior, Ward, and Mendoza Reference Sipior, Ward and Mendoza2011, 2). Cookies were similarly used by companies to remember what consumers put in their digital cart when shopping online. These early uses of cookies recorded the collection of personal information by companies with which someone was in direct contact and are nowadays known as first-party cookies.
Over the years, however, a new generation of third-party cookies emerged. In these cases, the bit of data saved on a person’s devices is not used by companies to identify consumers when they interact with them on their websites. Instead, it aims to “follow” them as they move across other websites and learn about what they do. Marketing companies chiefly use third-party cookies to target individuals based on their online activities and why we tend to see ads for things we previously searched for. As opposed to contextual advertising where marketers adapt their ads based on the environment (e.g., beer ads during a sports game), they use the information collected from following individuals’ activity to send them ads personalized to their individual traits revealed through their online activity (e.g., baby products’ ads for a pregnant woman). Significantly, third-party cookies also allow marketers to collect information on the effects of advertising (Tene and Polonetsky Reference Tene and Polenetsky2012, 303). They can track how many times an individual interacted with a specific ad (e.g., liked or visited a webpage) and how many of these interactions led to actual sales, which they then use to showcase their effectiveness to companies paying them to advertise their products or services.
For their proponents, cookies help resolve many built-in inefficiencies in traditional markets and, most notably, the so-called “knowledge problem” (Hayek Reference Hayek1945). Instead of having to rely on indirect indicators to approximate consumer preferences, such as price or contextual variables, they offer companies a way to make decisions in a context approximating full information. By using data on individuals’ online activity, companies can notably assess the size of their consumer base and how best to target them. Moreover, they can do this without spending significant resources to collect personal information first-hand. Small and medium enterprises effectively rely on a few large digital platforms, such as Google or Meta, specialized in collecting and analyzing online users’ personal information and offering targeted advertising services with the help of third-party cookies. As for consumers, they are thought to benefit from a more personalized experience online (Chellapa and Sin Reference Chellappa and Sin2005, 182). Search results can notably remember which websites specific users previously accessed and prioritize them when they search something in the future. They can also help users find products and services that are more likely to match their preferences, while supposedly avoiding undesirable content.Footnote 3 Finally, companies like Meta argue that they allow users to freely access many online services supported by paid advertisers.
At the same time, cookies, and especially third-party cookies, raise concerns by creating what appears to be a constant state of surveillance online. Surveys of consumers’ attitudes toward online advertising show that a vast majority of people are indeed worried by the loss of control over their personal information online coming with the tracking of their behavior by private companies (Libert Reference Libert2015, 6; Thill Reference Thill2001, 923-924). In one survey examining consumers’ views regarding targeted advertising, most participants saw no benefits to receiving personalized ads or actively associated target ads with a form of privacy violation and would prefer to receive random ads (McDonald and Cranor Reference McDonald and Cranor2010).
Far from simply an issue of consumer preferences, online tracking, as a system of price discrimination, can also be abused for more general discrimination based on race, age, or other protected classes in many countries. Using data about their users, firms can adapt their pricing strategy based on an individual’s characteristics (Spencer Reference Spencer and Rothchild2016, 107). Over a multiyear period, Meta, for example, has been sued by a range of plaintiffs, who allege that they were offered different market opportunities from advertisers based on such sensitive characteristics. As more and more commercial activity goes digital, one could imagine a two-tier society, with some consumers receiving privileged economic chances, while others do not. Ultimately, then, individual level marketing risks a virtual redlining based on protected categories like religion, sex, gender, or sexual orientation (Hao Reference Hao2019; Cauffman Reference Cauffman2021; Zang Reference Zang2021).
In recent years, commercial tracking has drawn new criticisms as a potential entry point for government surveillance as well. Reports made available by Edward Snowden in 2013, for example, showed that the National Security Administration (NSA) in the United States used data collected from cookies developed by Google in its global surveillance program. According to one estimate, as many as 1 in 5 websites were still likely to provide information to the NSA after the Snowden revelations (Libert Reference Libert2015, 6). Criticisms of Yandex’s and TikTok’s online data collection practices, in light of their respective relation to the Russian and Chinese governments, further highlight the security implications of private companies’ global data practices.
In reaction to these growing privacy concerns, a group of non-governmental organizations led by the Center for Democracy and Technology suggested creating a Do Not Track system in 2007 at a workshop organized by the Federal Trade Commission (Tene and Hughes Reference Tene and Hughes2014, 449). Inspired by the Do Not Call registry in the United States, they suggested developing a publicly available list of websites using cookies where people could indicate their desire for companies not to track them. While never adopted, this idea of allowing people to limit tracking spurred several regulatory debates over the years. Yet, third-party cookie surveillance continued relatively unabated. In effect, more than 80% of marketers in the United States indicated using them in their advertising strategy as recently as 2020 (Statista 2021a). In Europe, a study similarly found that 74% of websites were using third-party cookies between 2015 and 2018 (Trevisan et al. Reference Trevisan, Traverso, Bassi and Mellia2019, 5).
Apple Eats the Cookie
In April 2021, Apple released a new version of its operating system, iOS 14.5, including an App Tracking Transparency (ATT) privacy feature. Apple limited third-party cookies and cross-app tracking on its iPhones, upending global privacy debates and leading analysts and industry experts to discuss the “demise of cookies” (Brodherson et al. Reference Brodherson, Broitman, Macdonald and Royaux2021) or the “post-cookie era” (IAB Europe 2022). As a result of the technical default, Apple users are automatically opted out of third-party tracking, forcing companies to get the explicit consent of individuals to collect and share their data with third parties.
Apple’s New Data Infrastructure
The ATT privacy feature has two key requirements (Apple 2023a). First, app developers must detail their data collection practices in a “privacy vignette” on the App Store before users download their applications. The vignette must list the type of data collected and include a link to the company’s full privacy policy. Second, applications can only track what users do on other applications or websites after obtaining their consent via a prompt that briefly explains the reasons for tracking. App developers can send the prompt at any time, but they can only track users after the prompt has been displayed and the user has consented.
If users give their consent for tracking, app developers can share their information with others, as well as track their online activity using an individual identifier associated to their device.Footnote 4 This allows companies to combine data from various sources to personalize their marketing efforts to single users and evaluate the effectiveness of their advertisements. For instance, a company could use information about users’ previous online searches or other applications they currently use to send them personalized in-app advertising. The company can then evaluate the impact of sending these advertisements by tracking the user’s behavior after leaving their application. It can take the form of calculating different ratios, such as an ad-to-click, ad-to-download, or ad-to-sale, and sharing this information with companies paying for advertisements.
However, if users opt out of tracking, which is now the default, the application can collect information about them, but it cannot share it with other applications or track their activity across multiple applications. This means that companies face new hurdles to use external data sources to deliver personalized advertising. Instead of sending an advertisement to a specific individual, an application could at best send it to a group of individuals like women between 20 and 30 years old. The application will also face new limits on its ability to measure the impact of its advertisements.
Growing the Apple App Store
Before the implementation of its new privacy feature, Apple was already known for imposing stricter restrictions on which applications could be featured on its App Store than its main competitor, Google and its open-source operating system Android. In effect, iPhone users can only download applications from the App Store, while Android users can technically download apps outside its Play Store. This notably led to a contentious fight between Apple and a small number of iPhone users “jailbreaking” their smartphones to download apps unavailable on its App Store (Eaton et al. Reference Eaton, Elaluf-Calderwood, Sørensen and Yoo2015, 225).
At the same time, app developers on the App Store operated in a relatively open data ecosystem. While having to agree to Apple’s terms of service and pay it a commission on their revenues, they could chiefly collect information from iPhone users and share it with minimal restrictions. Apple even helped them by attributing an Identifier for Advertisers (IDFA) to each iPhone allowing app developers and advertisers to individually identify their users on the App Store. This open data environment was key to attracting app developers as Apple was competing with Google (Ezrachi and Stucke Reference Ezrachi and Stucke2016). With the ability to generate advertising revenue and develop their services, the number of apps grew exponentially, thus increasing the value of iPhones for users over time. Apple App Store had more than 1.6 million applications available to its users at the time of writing (Statista 2022).
Fewer Third-Party Cookies
With a fully developed app environment and over 1 billion iPhone users, Apple used its intermediary position connecting two sides of the market (i.e., advertisers and users) to extract a greater share of the cross-network externalities. Parallel to the imposition of the ATT feature, the company reorganized its marketing system, which simultaneously reduced individual-level surveillance, made app developers more dependent on an internal Apple ad program, and limited the ability of competing intermediaries like Meta from offering competitive services.
Specifically, Apple created an application programming interface (StoreKit ad network or SKAdNetwork) controlling other companies access to its users’ data. App companies must wait at least 24 hours before having any feedback and can only have data at the crowd level, not the individual, making it more difficult to attribute an outcome to a specific advertisement (Apple 2023b). More precisely, Apple operates according to a 4-tier system. Depending on how many people—targeted by a specific advertising campaign—interacted with an ad (i.e., views, clicks, downloads, etc.), advertisers will have access to different levels of data granularity. The fewer users who interact with an advertisement, the less data advertisers can access as there are greater risks that firms could identify the users. For many companies, the ability to draw a causal link between their advertising spending and their business growth is crucial, influencing their decision on how much and where they allocate their advertising budget, which in turn has a profound impact on websites and applications whose business model heavily relies on advertising revenues (CMA 2021, 317).
Importantly, advertising companies and app developers no longer have direct access to the iPhone data infrastructure. Instead, they have to go through Apple’s API SKAdNetwork, which puts Apple at the center of monetizing the data ecosystem. Figure 1 shows graphically the change in the data infrastructure before and after the adoption of the ATT privacy feature and how it affects the relation between the two sides of the market. Before the implementation of ATT by Apple, advertising companies and app developers received individual data based on Apple IDFA or another tracking device allowing them to follow individuals as they moved through cyberspace. This information could be used to improve the content of future advertisement, adjust their placement, or justify advertisement pricing. After the implementation of the ATT, Apple first attributes a data tier to an ad campaign and determines what level of data granularity is available to advertising companies and app developers. These firms then receive crowd data based on the data tier applicable to them, which theoretically enables them to assess the effectiveness of a given ad campaign. Significantly, they no longer have data at the individual-level. And equally important, competing intermediaries like Meta or Twitter do not have access to third-party cookies, which follow individuals across apps. In contrast to a more functional account, which would expect affected companies to voluntarily join a new standard, the procedural decision to create ATT reflects a unilateral move imposed by an intermediary in a two-sided market with quite important implications for market participants.
Taking Advantage of the Cross-Network Externality
Through its intermediary position in the two-sided-market, Apple extracted benefits for iPhone users by imposing its regulatory preference on advertisers and third-party developers. On the user side of the market, it provides additional benefits to iPhone users in the form of new privacy controls. If they refuse to be tracked, application developers and advertisers cannot use Apple’s identifier. Apple also prohibits applications from adopting other tracking methods, such as device fingerprinting, to circumvent this measure. According to different industry analyses, only 20% to 30% of iPhone users worldwide opted into tracking after the implementation of the ATT privacy feature (Flurry Analytics 2021; CMA 2021, 327). In most cases, advertisers and third-party developers are left to use crowd data under the restrictions imposed by Apple to evaluate the impact of advertising campaigns.
At the same time, Apple’s privacy commitment is part of a larger brand strategy to grow a middle- to high-income user base, who buy premium products (CNBC 2021; Dudovskiy Reference Dudovskiy2021). As Apple indicates, it effectively aims to create a sense of exclusivity by offering its users “access to innovative features like iCloud synching across all their Apple devices, Tapback and Memoji, as well as industry-leading privacy and security with end-to-end encryption—all of which make iMessage unique” (Higgins Reference Higgins2022, emphasis added). The blue color associated with messages sent from iPhones is simultaneously becoming a status signaling tool, pushing close to 75% of smartphone users between 18 and 25 years old to own an iPhone. This is especially significant as young users account for a disproportionate share of the digital market. Meanwhile, the share of iPhones out of all smartphones sold continues to grow steadily in both developed and emerging markets (McGee Reference McGee2023a).
Apple’s privacy change proved costly on the other side of the market. Early reports estimated that it could erase as much as 10 billion USD in joint advertising revenues for the most popular application in the App Store, with Meta alone standing to lose close to 8 billion dollars (McGee Reference McGee2021). Earning reports by key digital platforms confirm these early expectations. After years of steady growth, Snapchat started 2023 with a 7% year-on-year decline in quarter-to-date revenue (Snap 2023a, 15; Snap 2023b, 2). This represented a loss of approximately US$70 million. While it was able to return to growth in the second half of the year, it ended 2023 flat with no overall increase in its yearly revenues, a first in many years (Snap 2023c, 2). When discussing these financial “headwinds,” Snapchat’s chief executive officer emphasized the importance of their current work on improving “observability and measurability of conversion” and developing new machine-learning algorithms to increase value for advertisers in this new ecosystem (Snap 2023a, 7). Meanwhile, Meta showed a year-on-year 1% decrease in revenues compared to a 37% increase the year before. Despite not being as dire as originally expected, it represents close to $1.5 billion in revenue decline. In discussing these financial results, Meta’s executives repeatedly noted how Apple’s ATT privacy measure had made it harder for them to measure the effectiveness of advertising (Meta 2021, 2023). Like Snapchat, Meta emphasized its attempt to invest in artificial intelligence to mitigate Apple’s new privacy feature (Meta 2023, 11-12).
Similarly, Pinterest’s growth in revenue significantly slowed, going from revenue increases of around 50% year-on-year in 2020 and 2021 respectively, to 9% in 2022 (Pinterest 2023a). In its last mandatory filing to the Security and Exchange Commission for 2022, it specifically maintains that Apple’s new privacy feature, as well as those of other companies following suit, makes it “more difficult for [them] to provide the most relevant ads to [their] users, measure the effectiveness of, and to re-target and optimize, advertising on our platform” (Pinterest 2023b, 23). Pinterest also concluded that Apple’s policy might result in “advertisers spending less or not at all, on our platform and prefer larger platforms like Facebook and Google that have more capabilities to help advertisers measure their conversions” (Pinterest 2023b, 23, emphasis added). This might help explain why, while still incurring significant losses, Meta is doing slightly better than some competitors. Its access to a large pool of first-party data combined with its investment in developing new algorithms for advertising targeting can help it continue personalized advertising. Nevertheless, the economic consequences for Apple’s competitors stand in contrast to the expectations associated with the conventional functionalist account.
A Boon for Apple’s Advertising Revenue
Apple’s privacy changes not only re-balanced the relationship between advertisers and users but improved its own advertising business. Apple can still directly access individual data to send advertisements to iPhone users through its App Store or News and Stocks applications. While advertisers placing advertisements through Apple can technically only target groups of 5,000 users sharing similar characteristics, these groups are created using iPhone users’ account information, Apple Store data, app transaction data (including in-app transactions), and contextual information (day, time, device location, etc.). Apple can use the large pool of information at its disposal to target individuals quite precisely. The chief marketing officer of the popular parking app SpotHero was “jarred” by the precision offered by Apple advertising services and pointed out the possibility for marketers to use a “retargeting tool” to re-engage with iPhone users receiving their ads (McGee Reference McGee2022).
Unlike third-party developers who must wait before having any feedback on reactions to their advertising placement, there is no indication that advertisers using Apple services face a similar delay. Yet even more significant, Apple does not maintain the same choice architecture for it to obtain users’ consent to tracking. Whereas third-party developers must explain their tracking practices to iPhone users in a prompt before being able to collect and share their information, Apple presents users launching its applications with a prompt merely asking if they want to enable personalized advertising. This prompt further states that Apple does not “track users,” which may create confusion over how it uses personal information for advertising purposes (CMA 2021, 325).
In combination with the additional costs imposed on its direct competition, Apple’s advantageous position at the middle of the two-sided market helped it grow its advertising revenues in recent years. As other tech companies saw their revenues drop, Apple’s own services revenue grew and reached an all-time high in the first quarter of 2023 (Apple 2023c). Every other part of its business experienced a decline in revenues for the first time in 14 quarters in part due to supply-chain issues (McGee Reference McGee2023b). More specifically, Apple’s advertising revenues tripled the year Apple adopted its new privacy policy (Statista 2021b). Other reports indicate that the number of applications downloaded from the App Store attributed to advertising delivered by Apple grew exponentially in 2021 and is now more important than any other third-party applications available on iPhones, raising competitiveness concerns (McGee Reference McGee2022). Collectively, this offers important evidence for the distributional consequences of Apple’s actions, which are in line with a business power perspective.
The Legitimacy Bounce
Apple’s privacy policy does not end online marketing. Most iPhone users will still receive personalized advertising from both third-party developers and Apple. Apple’s measure does not prohibit applications from collecting personal information for their own purposes. And companies operating multiple applications (e.g., Meta with Facebook, Instagram, WhatsApp, etc.) can share data internally among their different business entities and information collected across them. Moreover, these large companies are also best positioned to develop new tools, such as artificial intelligence as noted earlier, to make this new infrastructure work to their advantage. Despite claiming to prohibit any practices that could allow advertisers to individually identify iPhone users, there are inherent limits to what Apple can technically do. As explained, Apple also itself contributes to online tracking by developing its own personalized advertising business.
That said, Apple’s policy has significantly curtailed the use of a core element of surveillance capitalism—third-party cookies—which allow for a particularly nefarious form of tracking. Moreover, privacy claims made by Apple play an essential role in ensuring that its regulatory actions remain legitimate in the public eye and avoid contestation. It is not the first time that Apple used its position in the two-sided-market to regulate the behavior of other firms. As previously noted, Apple strictly controls access to its App Store and shapes what developers can build and the type of activities that can be conducted through its infrastructure. In one of its latest revisions of its guidelines (Apple 2022), Apple, for example, imposed additional limits to the sale and use of non-fungible tokensFootnote 5 and added a requirement that advertisements bought in an application to display in the same application must use the in-app purchases feature, which technically means that they will now have to pay a commission to Apple.
By shrouding its transformation of the market environment in public-policy efforts to combat surveillance, Apple has potentially diffused resistance to its effort to further concentrate the market. Apple has long been at the center of government investigations concerning anti-trust (Sisco Reference Sisco2022). Since 2021, Apple has been locked in a legal battle over its commission practices with EPIC, the company behind the popular game Fortnite. After two years of investigation, the European Commission also decided to bring antitrust charges against Apple in 2022 (Satariano Reference Satariano2022). By claiming to be protecting the privacy of its users, Apple can hope to avoid facing similar lawsuits for how it now controls its data infrastructure. While warning Apple to treat equally its applications, Margrethe Vestager, the European Union’s competition commissioner and leading voice on digital issues, indeed praised its measure: “It is a very good thing to have a clear opt-out option. If you look at the Digital Services Act, the Digital Markets Act, these are some of the solutions we are looking at there” (Yun Chee Reference Yun Chee2022). Such statements made by public authorities play an important role in elevating Apple’s trustworthiness among users.
At the same time, Apple’s actions contribute to its attempt at delegitimizing its competitors. In an interview following Apple’s announcement of its new privacy policy, Tim Cook criticized “an interconnected ecosystem of companies and data brokers, of purveyors of fake news and peddlers of division, of trackers and hucksters just looking to make a quick buck, is more present in our lives than it has ever been” (Edelman Reference Edelman2021). In another, he called out by name and criticized Meta stating its “business model is all about tracking – they are not a social media company, they are an advertising company and if they can track you they can make more money” (Taylor Reference Taylor2021).
For average consumers, initial evidence suggests that Apple’s efforts seem to resonate. In a 2023 nationally representative sample of over 16,000 Americans surveyed on their views of corporate reputations, Axios Harris Poll (Reference Axios2023) found that Apple ranked in the top 10 of 100 so-called “most visible companies.” When respondents were asked which company “securely protects its customer’s personal information and data,” Apple placed second. Equally important, the survey showed a trend, whereby Apple’s composite trust score rose from very good in 2019 to excellent in 2023 during the same period that it rolled out its new privacy policy. At the very least, protecting privacy has become part of Apple’s brand campaign and an integral part of Apple’s business strategy, as highlighted in the quote in the epigraph to this article.
Alternative Arguments: Shadow of Hierarchy and Functionalism
Neither the shadow of hierarchy nor the functionalist explanations can otherwise successfully explain Apple’s decision to adopt its new privacy policy.
Limited Government Threat
The prospect of a legal ban of third-party cookies seemed bleak in Europe and the United States at the time of Apple’s decision and remained so at the time of writing. In Europe, the ePrivacy Directive adopted in 2009, now commonly known as the Cookie Directive, requires companies to obtain their users’ consent before storing cookies on their devices. It supposedly operates as an opt-in mechanism where individuals must consent before companies can use cookies to track them. In practice, though, many webpages simply maintain a banner at the top or bottom of a webpage asking people if they agree to the use of cookies. A refusal may impede some functionality or even block access to a webpage (Kosta Reference Kosta2013, 395). In contrast to Apple’s measure, cookies are not blocked before users even accede to an application or website. A European privacy rights NGO, None of Your Business (noyb), has decried the legislation and firm compliance strategies as the “cookie banner terror” producing a “frustrating experience for users all over Europe” (EURACTIV 2021). In combination with banner designs nudging users to give their consent (Waldman Reference Waldman2020), cookies remained widely used in the years after the adoption of the ePrivacy Directive.
The General Data Protection Regulation adopted in 2016 reflects the same notice and consent approach that forms the bedrock of today’s liberal privacy paradigm (Bennett and Raab Reference Bennett and Raab2006, 14). While championing privacy rules for private companies, the European regulation still fundamentally allows private companies to collect and use personal data. In some ways, it even reversed the burden for controlling the collection and use of personal data from companies to users. In addition to leaving lawful grounds for data collection without the need for users’ explicit consent, such as so-called legitimate interests,Footnote 6 it added the possibility for users to object to and restrict private companies’ data collection practices. As a result, many social media platforms now operate according to an opt-out model in Europe where they collect their users’ personal information except if the latter takes explicit steps to prohibit it. This preference to put limits on rather than outright banning the use of third-party cookies was again evident in the recently adopted Digital Services Act. Instead of prohibiting the surveillance practices of private companies, it added new restrictions like the prohibition of using dark patternsFootnote 7 to entice users to agree to third-party cookies.
In the United States, the American federal government has failed to adopt similar legislation. Every bill introduced on this topic has died in Congress (McGeveran Reference McGeveran2016). In line with the broader approach to the regulation of privacy in the United States (Newman Reference Newman2008), the use of cookies was left up to industry. Most recently, the Obama administration abandoned its privacy bill of rights due to a lack of support (Sasso Reference Sasso2015). Between then and the adoption of Apple’s privacy policy, no other piece of legislation ever appeared close to being adopted at the federal level. Despite renewed interest under the Biden administration for a federal privacy law (Kerry Reference Kerry2023), the likelihood of advertising companies facing new regulatory hurdles remain more of a distant possibility than a concrete reality. While representing a significant step in the regulation of privacy in the United States, the California Consumer Privacy Act also did not fundamentally challenge the behavioral advertising business. In similar fashion to the GDPR, it imposed some additional restrictions, but it did not impede the use of third-party cookies. As such, Apple did not face a realistic threat of action in either Europe or in the United States and thus the timing of Apple’s actions cannot be explained by a shadow of hierarchy account.
Failed Industry Initiatives
Not only did a wide array of firms criticize Apple’s new privacy policy but previous industry initiatives largely failed to put limits on the use of cookies.Footnote 8 The Digital Advertising Alliance in the United States and its sister organization in Europe the European Digital Advertising Alliance recommended that companies educate users about their practices and suggested notification detailing the use of third-party cookies in or around online advertisements (DAA 2009; EDAA 2011). This “enhanced” form of notification generally takes the form of an icon providing information to users as to why they see a particular advertisement and detailing some of their choices. Cookies could still be used except if users explicitly requested not. Industry associations never considered blocking the use of third-party cookies as the costs of doing so largely exceeded any efficiency or reputational gains. Again, the lack of government efforts also limited any interest in adopting private actor governance initiatives to pre-empt public ones.
Similarly, the various attempts over the years at creating a worldwide Do Not Track standard never panned out. In the early 2010s, The World Wide Web Consortium (W3C) led a private governance initiative aimed at establishing a global standard Do Not Track protocol that would allow users to indicate their preferences for or against third-party cookies through their web browsers. Following the adoption of different protocols by Microsoft, Mozilla, Google, and Apple, the aim was to harmonize their practices and ensure individual webpage compliance. Some browser standards would, for example, leave the choice to webpages to honor tracking preferences, while others would block content connected to tracking devices. In the end, a lack of consensus among privacy advocates and industry representatives, including Apple, impeded the adoption of a standardized DNT protocol (McGeveran Reference McGeveran2016). One advocate taking part in the W3C-led efforts pointed out that many in the industry had no interest in seeing an actual standard emerge (Tene and Hughes Reference Tene and Hughes2014, 456). For them, delaying the adoption by more web browsers of individual Do Not Track policies was a success. At the same time, it limited attempts by web browsers to enforce their existing policies as they risked making their users’ experience worse as it often ended up limiting them from accessing websites using third-party cookies. The choice by some browsers to leave individual websites the choice to honor their users’ cookie preferences makes sense in this context. Following the W3C initiative failure, Apple preferred to simply scrap its original Do Not Track policy from Safari due to its lack of enforceability (Simon Reference Simon2019).
This stands in sharp contrast to Apple’s privacy change with its sweeping and enforceable nature. Due to its central position in the information infrastructure through the control of the iPhone operating system and App store, it could force application developers and advertising companies to play by its rules if they wanted to continue to reach its users. In other words, it was able to use one side of the market to pressure the other to its advantage, as summarized in table 2.
Conclusion
Following years of legislative failures and private inaction, Apple may have signed the end of third-party cookies for nearly a billion people worldwide. And Google is now looking to implement a similar policy in its own operating system, Android, which covers virtually all smartphone users together with Apple iOS. By putting pressure on the advertising side of the market, Apple cultivates its user base and simultaneously pushes other platforms to do the same.
Our argument, then, offers an important caveat to a recent description of digital platforms following an “enshitification cycle” (Doctorow Reference Doctorow2023), by which they move from improving the quality of their service for their users to extracting rents from them once they are locked in. In this case, the improvement of the service for the user is used to extract rents from the businesses on the other side of the market. It highlights the more complex and non-linear ways in which digital market governance evolves, particularly those characterized by two-sided markets. In effect, policies adopted to promote public interests can also create private gains.
Our evidence suggests that the timing of Apple’s move follows the logic of a business power approach predicated on the logic of the two-sided market. Apple was able to implement its new privacy policy once it had amassed a large base of iPhone users and app developers, and strong cross-network externalities existed between the two communities of actors. While consistently putting more restrictions on what app developers could do using its platform, it aimed to provide a friendly environment early on, notably to compete with Google. It imposed its new privacy restrictions only after iPhone users became too valuable for app developers to leave. By simultaneously increasing the commitment of its current user base and attracting new high-quality consumers, Apple reinforced these cross-network externalities and further entrenched its key intermediary position. This is akin to Amazon building its AmazonBasics product line to compete with sellers on its platforms using data about their business activities once it established itself as an inescapable intermediary for companies to sell their products online (Khan Reference Khan2017, 782-3). In line with other two-sided platforms, Apple also aims to use private actor governance to extract rents from advertisers, which have become dependent on the platform, while simultaneously deepening its pool of high-value consumers on the other side of the market. App developers and advertisers will follow users. In fact, the same applications can be simultaneously available in multiple smartphone marketplaces (e.g., AppleStore or Google Play). Attempts to extract rents from users would thus risk benefitting its competitor.
There are initial indications that the interaction between two-sided markets and private actor governance is indeed not limited to Apple. In part a response to government surveillance scandals, for example, Google instituted new encryption standards, known as HTTPS. Companies failing to adopt the new encryption standard are automatically downgraded by the company’s algorithm (Google 2015). In this case, Google works to burnish its privacy credentials with its users while simultaneously passing compliance costs onto businesses looking to be found through its search platform and that have to abide by higher encryption standards. In doing so, it aims to enhance its reputation, grow the value of its consumer base and increase its revenues, while deferring the costs of compliance to suppliers. Future work is required to examine how business power varies across two-sided markets and how it in turn shapes private governance both in digital and non-digital sectors.
There are, however, inherent risks associated with private companies governing public policies like privacy or environmental sustainability. The alignment between private interests and public interest may not last. New ownership at Twitter and subsequent changes to its privacy and content moderation policies serve as an example of how private actors can offer new guarantees, only to later remove them. Apple’s commitment to privacy could similarly change if it does not prove valuable to its users or the company confronts an alternative competitive environment. It may also adopt a lenient approach in implementing its privacy rules. In the end, the iPhone’s value also comes from the applications available to its users and, as such, remains limited in how much rent it can extract from them without risking damaging its own business. Reports have already emerged of companies circumventing Apple’s privacy policy (McGee and Yang Reference McGee and Yang2021). In the end, platforms like Apple are bound by how the relative dependence or substitutability of the platform to the two sides of the market evolve over time. It is notably only when the app ecosystem was sufficiently developed and locked in on valuable iPhone users that Apple could implement its new privacy policy.
This emphasizes the complex nature of digital infrastructures, which operate as multiple interacting socio-technical systems that present various opportunities for policy adaptation and potential challenges. The impact of Apple’s privacy policy chiefly depends on how other public and private entities respond to it. Meta and Snap’s decision to invest in developing new algorithms to target users more effectively in the post-cookie era provides another illustration of this point. It simultaneously shows how Apple’s choice is impacting the development of new technologies and the potential limits for privacy protection in an ecosystem that still allows the collection of vast amounts of personal data through first-party interactions. Ultimately, our findings underscore the need for more political science research into how interactions between public and private infrastructures shape the regulation of important social values.
Significantly, and in line with the recent scholarship in political science using the concept of infrastructure, our findings demonstrate how key market arteries are not merely defined physically, but socially. In other words, key market arteries can change based on how public and private actors interact with each other. In our case, understanding what pushes or constrains app developers and users to connect with each other using Apple iPhones and its App Store is crucial to explaining how Apple can exert infrastructural power. Here, the concept of a two-sided market provides a useful analytical lens to explain this relation by highlighting how the value for each group of actors to connect with each other using iPhones varies based on what the other does, creating a situation that Apple can exploit to its advantage. This is to say that more than Apple’s current intermediary position, it is its continuous ability to influence the desire of app developers and users to connect through its platform (i.e., iPhones / AppStore) that matters.
The case of Apple’s new privacy policy is a stark reminder of the power private actors wield in shaping policy in the current digital age. While research has long focused on public sector efforts like privacy legislation and regulatory efforts, it is high time to shift focus and examine the defaults put in place by some of the largest and most powerful companies on the planet. Here, our evidence suggests that this is not done simply to delay government action or to reduce transaction costs for a group of businesses. Rather, private actor governance, in an effort to address a public-policy goal, may also further amplify the power of a few dominant firms.
Acknowledgments
The authors thank Eugenia da Conceição-Heldt, Janina Grabs, Fen Hampson, Jonas Heering, Nikhil Kalyanpur, and Kathleen Thelen, as well as participants in the Market Mechanisms of Global Governance Workshop at the Norwegian Institute of International Affairs (NUPI) in Oslo; the Digital Governance Workshop at the Ludwig-Maximilians-Universität (LMU), and the annual convention of the International Studies Association in Montreal for providing valuable feedback on earlier drafts of this paper. They also thank Perspective on Politics editors and three anonymous reviewers for their helpful comments throughout the revision process. Abraham Newman’s work on this article was supported by grants from the Open Society Foundation and the William and Flora Hewlett Foundation.