<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=654132&amp;fmt=gif">

Amazon’s Record-Setting Privacy Fine: What You Need to Know

Last month Amazon was hit with the highest personal data fine to date. A whopping $886.6 million (746 million euros) fine was levied against the corporation by the European Union fine for processing personal data in violation of the bloc's GDPR rules. This action foreshadows a privacy climate in which enforcement will be the norm, trending away from the spotty enforcement of the past.

All Posts

What’s wrong with Apple’s privacy portal?

On May 25th, Apple released a privacy portal to support their obligations under the GDPR. Just a few weeks ago, they released that portal to US users, ostensibly because it was just the right thing to do. Apple makes a point that it does not drive its business with user data, and this move is a direct response to that claim.


So what’s wrong with Apple’s privacy portal? Nothing. At least, not right now. In fact, Apple has set the standard for privacy: transparency, simplicity, self-service. If every company could deploy such a portal, we would be far ahead of GDPR, CCPA, and all of the other “GDPR clones” coming online around the US and around the world.


So let’s deconstruct the Apple Privacy Portal to see what we can learn from the most iconic technology brand and the most valuable company in the world.


Five things Apple did right:

  1. User identity validation. Integrated to Apple’s authentication system, every user must pass an authentication and security question test. If two-factor authentication is turned on for a user, that’s even more powerful.
  2. Simple language. Most users are not lawyers, and Apple clearly spent time humanizing a user’s rights and making it clear how they can exercise those rights.
  3. Offer account suspension (instead of deletion). One of the rights under the GDPR and the CCPA is the right to erasure: to delete all record of a user’s data (with some exceptions) which may have further reaching consequences than a user may intend. Interesting, Apple offered up an alternative to complete erasure, by offering instead an account suspension option. The user’s data is frozen from all use, but it’s retained and secured in case the user needs to access it again in the future.
  4. Fast, secure data transfer. When the user’s data is ready to download, Apple sends an email with a secure link to download from an encrypted website. They are not sending all of that sensitive data over email, which is just not secure. Bonus: Getting your data is a very fast process. It took five days to get my data, and that time was, according to Apple, used to further validate my identity. Clearly, Apple is centralizing and automating much of their data collection processes on the back-end in order to turn around such vast amounts of data very quickly.
  5. Good user experience. Privacy is a trust thing. Users interested in their data rights are often angry, apprehensive, or in a general state of mistrust. Apple has made a peaceful, transparent privacy experience for their users. It’s the little things, like including helpful links to their data use policies from every page. Or making the data categories clear and selectable. Or giving the user the option to designate the maximum file size they can download. That’s just plain thoughtful.


Four things Apple could improve:

  1. Display data better. The experience of downloading a large .zip file and manually opening up a bunch of .csv files is not great. It’s actually kind of exhausting. Yes, I might want to see all of this info, but why not put some of the main data elements right there in the browser? Give users the basics up front, and then give them the ability to download the details separately. A good example of this is Garmin’s privacy portal. At the very least, just include in the .zip archive a helpful .txt file that explains what is in the rest of the files in the directory.
  2. Support for non-Apple users. Presumably, Apple has information on users who are not yet Apple customers. This info may be used for marketing purposes, for example. The CCPA actually requires that companies allow for subject access requests without having to create an account first. Apple may need to add this capability for non-Apple ID users to request data if they intend to follow the CCPA regulations.
  3. Support Selective data deletion. Not all users want to delete ALL data. Sometimes they are looking to delete only certain pieces of data, like a particular transaction or record of a visit. This does not appear to be an option within the portal, but probably should be.
  4. Add consent management. A privacy portal is a natural place to also put your users’ history of consent, including agreements they have accepted or marketing channels from which they have opted in or out. As a user coming in to exercise my privacy rights, this is a very common use case that could be accomplished here too.
Jerrod Bailey
About Jerrod Bailey
Chief Strategy Officer at Truyo
Recent Posts

Amazon’s Record-Setting Privacy Fine: What You Need to Know

Last month Amazon was hit with the highest personal data fine to date. A whopping $886.6 million (746 million euros) fine was levied against the corpo...

Say Hello to House Bill 376, the Proposed Ohio Personal Privacy Act

Ohio is joining the likes of Massachusetts, New York, and Texas by introducing a privacy bill. The Ohio Personal Privacy Act (House Bill 376) would ap...

The Colorado Privacy Act Has Passed, What's Next?

It is official - Governor Jared Polis has signed the bill making the Colorado Privacy Act the latest enacted state legislation, joining California and...

Colorado House Votes on SB190, Senate Reconciliation is Next

Updated 6/9/21 @ 11am: The Colorado Senate unanimously voted 34-0 on concurrence and final passage of SB190. It now heads to Gov. Polis, who will have...