Apple Rolls Out GDPR-like Features for U.S. Users

New privacy rules allow U.S. customers to download all information Apple has on them, plus it adopts new transparency practices, essentially mirroring practices in the EU.


When Europe’s General Data Privacy Regulation took effect in May, Apple promised its users in other areas, notably the United States, that it would provide similar services this year. That time has come. As of Oct. 17, Apple customers can download the data that Apple has on them simply by asking, just like Apple customers in Europe have been able to do since May.

Apple also has been tightening its privacy restrictions in other areas, such as by requiring all its developers to have a privacy policy that can be shared with customers. The company is tightening restrictions on the information developers can obtain from devices, and the company has tightened the rules under which it will share data after receiving a government request or a court order.

In conjunction with the new GDPR-like practices, Apple has announced a new privacy policy that provides great detail about how the company uses customer data and the limitations the company will place on efforts to gain access to customer data. Apple makes very clear in its new privacy policy a key point: “Your personal data belongs to you, not others.” Apple said that it does not gather personal information to sell to advertisers or other organizations.

This policy stands in sharp contrast to the practices of Google and Facebook, which gather vast stores of user data, then provide it to others—either by selling it or by making it available through targeted ad placements. Facebook recently made its user data available on request. Now Apple is doing the same.

New 'Privacy Portal'

To accomplish this, Apple has created a privacy portal where you’ll be asked to enter your Apple ID and password. If you have two-factor authentication set up, then you’ll be asked to respond to the 2FA prompt. Once you do that, you’ll be presented with a menu titled “Manage your data” that has four choices, including deactivating and deleting your account. You can also get a copy of your data or ask Apple to correct errors.

Once you’ve told Apple that you want a copy of your data, you’ll be presented with a menu listing all of the types of data that Apple has available for you to download. One of the choices is “Select all,” which gives you everything. You may see a warning that it may take a long time to download your photos and other large files. Apple says it will take up to seven days to provide the data, with a portion of that time being verification that it’s you who is asking for it. There’s a support page explaining all of this in detail.

Unlike other tech companies, Apple goes to great lengths to explain what it does with your data and how it protects it. This includes a detailed description of how Apple manages your privacy, its approach to protecting your privacy and its approach to government requests for your personal information.

Apple also provides transparency reports that describe in as much detail as possible the requests by various governments for personal data. A check of the actual reports reveals that Apple honors such requests in the U.S. about 80 percent of the time.

Meeting All the Requirements of GDPR

It appears that Apple is meeting most, if not all, of the privacy requirements of the GDPR, where they’re applicable. This includes the somewhat contentious “right to be forgotten,” which it satisfies with its ability to delete your accounts and remove all information related to them.

Of course, Apple is making sure it complies with the GDPR requirements in Europe, where the penalties for non-compliance are substantial. But what’s unusual is that it appears to be adopting one privacy system for Europe and the rest of the world over time. Now that it’s complied with Europe’s requirements, the new privacy features and protections have come to the United States as well as Canada, Australia and New Zealand. Apple has said that it plans to roll out its privacy protections worldwide, but how soon that will take place isn’t clear.

While Apple is at the forefront of privacy protections, it’s unlikely to be the only company adopting a single set of privacy standards for all its customers. The company is clearly getting a favorable reaction to its actions, and this will be seen by other companies.

Different Sets of Privacy Standards Can Be Problematic

On a more practical basis, maintaining different sets of privacy standards for each location where a company operates is complex and expensive, and it increases the chances for errors in which a company might not meet the requirements of some locations due to that complexity.

However, by simply adopting the tightest requirements, in this case the GDPR, a company only has to administer its compliance in one way. The fact that it might exceed the requirements in some places isn’t going to be a problem, and it will save the company the costs associated with managing complexity.

Apple’s approach makes a lot of sense, it’s good for its customers, and there’s only one set of rules with which to comply. I think you’ll start seeing more companies following Apple’s lead in the privacy arena, if only because it’s easier and, in the long run, less expensive.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...