AXEL.org

privacy law

Convenient or Monopolistic? Epic’s Challenge to Apple’s “Walled Garden”

On August 13, 2020, Epic Games, the developer and publisher of the massively popular online game Fortnite, tried something that most companies would be too scared to do. They picked a fight with Apple. On that day, Epic announced a 20% discount on “V-Bucks,” Fortnite’s in-game currency, but only if they purchase it directly from Epic, rather than through Apple’s App Store.

This was an intentional violation of Apple’s terms of service, as Apple takes a 30% commission of all in-app purchases, and Epic wanted that extra money for itself. Within hours, Apple took Fortnite off the App Store for violating its terms of service, with a lawsuit by Epic quickly following [1].

On September 10, 2021, that lawsuit received a ruling. The judge sided with Apple on nine of ten counts, but ordered Apple to loosen restrictions on alternative payment options [2]. However, Apple CEO Tim Cook still stated that, even if an app uses a non-Apple payment option, Apple would still invoice the 30% commission [3]. So, what’s next? Epic appealed the ruling, but for now, Apple still maintains tight control over the apps on its App Store. Ultimately, this case highlights the uniqueness of Apple’s software philosophy, and how its relationships with third-party developers frequently draw ire.

A Walled Garden

For years, Apple’s software philosophy has been described as a “walled garden.” This means that Apple’s software is simple, secure, and easy to use for the consumer. However, Apple also strongly dissuades or even forbids users and developers from leaving their walled garden. Apple states that this approach is necessary to protect its users, and also to differentiate itself from Android, a competitor with a more open ecosystem [4]. Ultimately, this leads to increased simplicity for the user, along with increased dependence on Apple software. So while this approach does protect users from dubious third parties, it also entraps users into Apple’s ecosystem as well.

While Apple claims that its walled garden approach is to offer increased security and simplicity for its users, there are other reasons why Apple uses this philosophy. Because Apple has full control of its ecosystem, it can enforce practically any rule it wants. This includes a 30% commission on in-app purchases. Unfortunately, for third-party developers, this means putting up with Apple’s demands or risk getting kicked out of the garden. And that’s exactly what happened with Epic Games.

The Legal Argument

The main conflict of Epic Games vs. Apple focused on whether Apple’s walled garden approach violates antitrust law. Specifically, Apple’s requirement to force users to only purchase in-game items through the App Store, rather than through another party, was used as evidence of monopolistic behavior [2]. On the other hand, Apple argued that they are free to do business (or not do business) with any other company, and that their restriction of third-party payment services was within their rights as a business. Simply put, this case pitted first-party hardware and third-party software developers against one another.

Ultimately, the court ruled with Apple on nine of ten counts, with Epic stating their intention to appeal their decision [2]. In the one ruling against Apple, Judge Yvonne Gonzalez Rogers stated that “Apple created a new and innovative platform which was also a black box. It enforced silence to control information and actively impede users from obtaining the knowledge to obtain digital goods on other platforms. Apple has used this lack of knowledge to exploit its position [2].” However, because the judge ruled in favor of Apple in the other nine counts, few changes are likely to occur.

While there was potential for a landmark ruling that would shake Apple to its core, the actual ruling that was handed down will likely not have a massive effect on either company. The only change Apple must make is to allow developers to use third-party payment services. However, nothing is stopping Apple from collecting the 30% commission from those third-party developers. Ultimately, while this court ruling had the potential for massive change, the judge’s ruling ensured that Apple’s walled garden philosophy will continue.

Security and Your Rights

While Apple argued that its App Store policies were there to protect users, we know that isn’t the main reason for those restrictive rules. Simply put, the purpose of Apple’s walled garden approach is to keep users locked into the Apple ecosystem. While some users do prefer this method, and it can protect users from unsavory third-party developers, it still infringes upon the rights of consumers.

Unfortunately, this philosophy is all too common with Big Tech companies. Sacrificing privacy is a big win for Big Tech, but a huge loss for privacy rights. Corporations continue to collect hoards of personal data to sell to advertisers, while your privacy is violated. With Amazon, Google, and others offering endless new ways to collect your data, it’s fair to ask: Are you the customer, or the product?  

Thankfully, there are businesses that prioritize security and personal rights. That’s where AXEL comes in. AXEL believes that privacy is a human right. With this in mind, we created AXEL Go, a secure file-sharing and storage software. Offering industry-leading encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself or your business from unauthorized cybercriminals. With AXEL Go, there’s no compromise between security and privacy rights. After all, our business is protecting your data, not collecting it. If you’re ready to try the most secure file-sharing and storage software, get two free weeks of AXEL Go here

[1] Statt, Nick. “Apple Just Kicked Fortnite off the App Store.” The Verge. August 13, 2020. https://www.theverge.com/2020/8/13/21366438/apple-fortnite-ios-app-store-violations-epic-payments.

[2] Newman, Daniel. “Does The Epic Ruling Open The Door For Apple’s Competition?” Forbes. September 16, 2021. https://www.forbes.com/sites/danielnewman/2021/09/16/does-the-epic-ruling-open-the-door-for-apples-competition/.

[3] Adorno, José. “Apple Can Still Charge Its App Store 30% Fee Even after Epic Ruling, Analysts Say.” 9to5Mac. September 14, 2021. https://9to5mac.com/2021/09/14/apple-can-still-charge-its-app-store-30-fee-even-after-epic-ruling-analysts-say/.


[4] Beres, Damon. “All the New Ways Apple Is Trying to Take Over Your Life.” Slate Magazine. June 08, 2021. https://slate.com/technology/2021/06/apple-wwdc-ios15-new-features-walled-garden.html.

The State of Privacy Laws in the United States

In recent decades, privacy has become one of the most important issues on the minds of lawmakers. With the rise of digital devices that can track our every move, the desire for privacy is growing in an increasingly public society. And while many Americans have a general desire for “privacy,” the amount you receive is heavily dependent on where you live. While there are some federal privacy laws, most consumer privacy comes from state-level bills. And while some states have thorough, fair privacy laws on the books, the vast majority simply do not.

America’s focus on state-led privacy laws is in contrast to Europe’s lawmaking; the European Union’s main privacy law is the General Data Protection Regulation. Because of this, privacy in the E.U. is governed by this one law, and 92% of companies believe they can comply with every aspect of the law [1]. Because Europe has one overarching privacy law, it is much simpler to understand your privacy rights, whether as an individual or a business. Unfortunately, in the United States though, it is quite the opposite. Privacy laws in the country are currently a mishmash of federal and state laws that confuse and harm individuals simply trying to protect themselves.

A Barrage of State Bills

Simply put, U.S. privacy laws are so unorganized because there are so many of them. Even at the federal level, there isn’t an all-encompassing privacy law, but a collection of specialized laws. For example, the Health Insurance Portability and Accountability Act (HIPAA) protects medical privacy, and the Family Educational Rights and Privacy Act (FERPA) protects students, educators, and schools. When it comes to privacy rights, at least at the federal level, it really depends on your specific situation. Although laws such as HIPAA and FERPA do an adequate job of protecting privacy, they are far too specific to offer comprehensive privacy rights that extend to every facet of life.

While federal-level laws are specific to industries, some state-level laws provide all-encompassing privacy protections. Unfortunately, those state laws are few and far between. Only California, Colorado and Virginia have comprehensive data privacy laws [2]. These laws give consumers notice and choice regarding their data. For example, under these laws, a company must tell consumers if it is selling their data, and must allow consumers to access, move, or entirely delete that data. However, while these laws are certainly a good starting point for true consumer privacy, even these three bills are quite limited in effect.

Why are Privacy Protections so Poor?

While those three states have “all-encompassing” privacy laws, they still have glaring holes in protection. In every state except California, privacy laws specifically exclude a “private right of action,” or the ability to sue a business for privacy violations as an individual. Additionally, Virginia’s law has no civil rights protections and allows businesses to continue the status quo of collecting and selling consumer data [2]. It’s no wonder that Amazon lobbyists wrote the first draft of Virginia’s privacy bill [3].

For other states, the situation is even grimmer. States like Florida, Georgia, and others don’t allow consumers to opt out of data sharing. These two states also don’t even require government entities to ever dispose of your data [4]. Ultimately, most states have few genuine protections for consumers. For the most part, businesses can do whatever they please once they have your data. 

And due to strong lobbying by tech companies, it will likely remain this way in many states [2]. Big Tech companies pay millions each year to lobby lawmakers to write and support laws favorable to them. For example, Facebook spent nearly USD $20 million in lobbying in 2020, while Amazon spent USD $18 million [5]. And while this lobbying doesn’t come cheap, it’s a lot cheaper than allowing consumers to opt out of data sales. Ultimately, the reason why so many states don’t offer comprehensive privacy laws is because Big Tech doesn’t want them. Put simply, Big Tech is willing to pay big money to keep strong privacy laws off the books. 

So, What Can We Do?

In most states, it’s now up to individual businesses and firms to protect consumer data. And while Big Tech is unlikely to change any time soon, other businesses can still fight for consumer privacy. Taking simple steps like encrypting documents and backing up your data offline can substantially better protect your clients’ data. After all, Americans want privacy. By taking steps to protect customers and their data, businesses and firms can offer what Big Tech can’t: True privacy protections for their customers.

At an individual level, supporting businesses and firms that prioritize privacy is the best way to show support for strong privacy laws. Additionally, simply supporting federal or state laws that give genuine privacy rights to consumers is another great way to stand up for privacy rights. Since Big Tech wants to continue the status quo of endless data collection and sales, it’s up to individuals to support businesses and firms that offer what Big Tech can’t.

AXEL Supports Your Privacy

At AXEL, we believe privacy is a right. And unlike the Big Tech companies, we’ll never sell your data to third parties, ensuring your data is only yours. Our file-sharing and storage application, AXEL Go, uses blockchain technology and AES 256-bit encryption to provide the most secure file-sharing system in the industry. Whether for business or personal use, AXEL Go helps protect your (and your clients’) most important files.

Sign up here to receive a free 14-day trial of AXEL Go Premium. After the trial period, you can choose to continue your Premium account for just $9.99/month or use our Basic service free of charge. After all, our business is protecting your data, not collecting it. Together, we can help prioritize privacy rights across the country.

[1] Gooch, Peter. “A New Era for Privacy GDPR Six Months on.” Deloitte. 2018. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-risk-gdpr-six-months-on.pdf.

[2] Klosowski, Thorin. “The State of Consumer Data Privacy Laws in the US (And Why It Matters).” The New York Times. September 06, 2021. https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.

[3] Birnbaum, Emily. “From Washington to Florida, Here Are Big Tech’s Biggest Threats from States.” Protocol. February 19, 2021. https://www.protocol.com/policy/virginia-maryland-washington-big-tech.

[4] McNabb, Joanne, and Paul Bischoff. “Internet Privacy Laws by US State: Does Yours Protect Online Privacy?” Comparitech. July 29, 2021.  https://www.comparitech.com/blog/vpn-privacy/which-us-states-best-protect-online-privacy/.

[5] Tracy, Ryan, Chad Day, and Anthony DeBarros. “Facebook and Amazon Boosted Lobbying Spending in 2020.” The Wall Street Journal. January 24, 2021. https://www.wsj.com/articles/facebook-and-amazon-boosted-lobbying-spending-in-2020-11611500400.

A Breakdown of Virginia’s New Privacy Law

On March 2nd, Virginia Governor Ralph Northam signed a comprehensive data privacy bill into law, making it the second state behind California to enact formal privacy regulations[1]. While it’s difficult to argue this development is a bad thing, the fact that it had widespread approval from Big Tech opens it to scrutiny. Here, we look at the law’s provisions, compare it with California’s measures, and assess the areas where it’s lacking.

Who does this affect?

The Virginia Consumer Data Protection Act (VCDPA) will significantly affect entities known as ‘data brokers.’ A data broker can be one of the high-profile corporations from Big Tech (i.e., Google, Amazon, etc.) or the lesser-known companies operating in the shadows that gather, analyze, package, and sell consumers’ personal information. According to the VCDPA, data brokers must hit specific thresholds for the law to apply to them. These stipulations include:

  • “Persons” (remember folks, corporations are people too) must do business in Virginia or sell products and services that target Virginia residents.
  • The organizations have to control the data of at least 100,000 Virginia residents. (This number is decreased to 25,000 residents if the company receives half or more of its revenue from selling personal information)

There are several exemptions, however. For example, organizations do not have to abide by these regulations if:

  • The data they collect from individuals pertains to employment or other commercial information. This means employees aren’t protected from their company’s data collection, and business-to-business data is still a free-for-all.
  • They are in the financial services, research, credit reporting, healthcare, or educational industries.
  • They are a designated non-profit.

So, already there appear to be some loopholes.

What are the new privacy provisions?

The VCDPA outlines new expectations that applicable data brokers must follow.

  • Data brokers must gain explicit consent before processing “sensitive data.” This would include racial makeup, religious beliefs, health records, sexual orientation, genetic data, or a person’s precise geolocation.

It also grants consumers a variety of new data rights.

  • The right of access. Now, Virginians can request to know all the information a company collects on them.
  • The right of correction. Consumers can request a company correct wrong information, and they have to comply.
  • The right of deletion. Individuals can request the deletion of their data.
  • The right to opt-out of targeted advertising, data selling, and profiling.

Unfortunately, there are more exemptions for these too. Organizations can get out of many of these information requests if they feel it cause an “unreasonable burden.” They also do not need to comply if the data collected is pseudonymized (meaning they replaced identifying info with pseudonyms.)

Starting in 2023, any company found in non-compliance with the terms of the VCDPA will have 30 days to correct their course or be subject to a $7,500 fine for each violation.

Compared to the CPRA

California is the other state with data privacy laws on the books. The recently passed California Privacy Rights Act (CPRA) set the national standard. How does the VCDPA stack up? Overall, they’re very similar. There are a few key differences, though:

VCDPA is more limited in scope. It’s a bit semantic, but where the CPRA exempts specific personal data types, the VCDPA exempts entire industries like healthcare and education. This slightly shrinks the net of data protections.

VCDPA doesn’t apply to employees or commercial data. Under the CPRA, employees have the same protection as consumers. Unfortunately for Virginians, the VCDPA explicitly excludes employee or business-to-business data.

VCDPA has no private right of action. This means that residents aren’t allowed to sue offending companies for damages. California’s privacy law enables individuals the right to sue for up to $750 for violations.

Criticism

Privacy groups like the Electronic Frontier Foundation (EFF) levied scathing critiques of the bill[2]. Other than the lack of private right to action as mentioned above, it was also slammed for facilitating ‘pay-for-privacy’ programs, where businesses could charge consumers not to collect and sell their information.

Another complaint is that the law would force consumers to opt-out of collection rather than opt-in. Obviously, this creates an unnecessary barrier to privacy and makes the default invasive. Most people are too busy to go searching for opt-out links. It’s why some privacy advocates believe it protects the interests of companies more than consumers. The fact that Big Tech behemoths Amazon and Microsoft both offered support for the bill[3] backs up this assertion.

Regardless, it’s better than nothing. And, like the CPRA following up the CCPA after only a few years, it is possible to improve on privacy regulations in the future. Nothing is perfect, and in squabbling over the details, sometimes advocacy groups lose sight of the forest for the trees.

Any regulatory improvement is good, and the process is likely to be iterative over time. The VCDPA may not be a giant leap toward the end goal of robust data privacy laws, but it’s a healthy first step. One they can build upon and provide an example to the rest of the country. At some point, federal data privacy laws will be on the table, and having test programs like this will inform lawmakers about what works and what doesn’t.

Building solutions and bringing awareness to data custody

AXEL is committed to providing data custody to its users. We never sell your information to third parties or mine your account for data. Our developers design privacy-based software solutions that keep your content away from the greedy hands of data brokers and Big Tech. AXEL Go is a blockchain-backed file-sharing and storage platform with optional encryption features. You can share and store files online without the worry of who else can see them. Take data privacy into your own hands. Ditch Big Tech and try AXEL Go today.

 

[1] Cat Zakrzewski, “Virginia governor signs nation’s second state consumer privacy bill, The Washington Post, March 2, 2021, https://www.washingtonpost.com/technology/2021/03/02/privacy-tech-data-virgina/

[2] Hayley Tsukayama, “Virginians Deserve Better Than This Empty Privacy Law”, EFF.org, Feb. 12 , 2021, https://www.eff.org/deeplinks/2021/02/virginians-deserve-better-empty-privacy-law

[3] Cat Zakrzewski, “The Technology 202: Virginia is poised to pass a state privacy law”, The Washington Post, Feb. 11, 2021, https://www.washingtonpost.com/politics/2021/02/11/technology-202-virginia-is-poised-pass-state-privacy-law/