A federal judge dismissed key claims in a class action alleging Apple violated California privacy laws by collecting user data from its own apps despite users activating privacy settings they believed would prevent such tracking.
A California federal court has partially dismissed a class action lawsuit against Apple that accused the company of violating state privacy laws through systematic data collection from its proprietary apps, even when users believed they had opted out of tracking. The ruling, detailed in a January 20, 2026 order, narrows the scope of litigation that could have carried significant financial and reputational repercussions for the tech giant.
What Was Claimed
Plaintiffs alleged Apple violated the California Invasion of Privacy Act (CIPA) and California's Constitutional right to privacy by harvesting user activity data—including browsing history, location information, and app usage metrics—from built-in iOS applications like Safari, Messages, and Apple Maps. According to the complaint, this occurred despite users enabling privacy controls such as Settings > Privacy > Tracking > 'Ask Apps Not to Track' and Settings > Privacy > Location Services with granular permissions. The suit argued Apple's systems continued transmitting identifiers like IDFA (Identifier for Advertisers) and device analytics to its servers, circumventing user consent.
Technical filings cited Apple's proprietary frameworks like SKAdNetwork (for attribution) and Private Relay (VPN service) as potential vectors for data leakage. Plaintiffs pointed to network traffic analyses showing encrypted pings to Apple endpoints (metrics.icloud.com, gsa.apple.com) even when privacy modes were active.
What the Court Actually Decided
U.S. District Judge Edward Davila dismissed the CIPA claims, ruling that Apple's data collection for "service improvement and security purposes" fell under statutory exceptions for communications directly related to app functionality. The court noted Apple's privacy disclosures—though criticized for complexity—technically disclosed data usage for diagnostics and personalization, negating claims of covert harvesting.
However, the judge allowed constitutional privacy claims to proceed, finding plaintiffs plausibly alleged Apple's practices violated reasonable expectations of privacy. Specifically, the court highlighted discrepancies between user-facing settings labels (e.g., "Protect Mail Activity") and backend data flows, suggesting potential deception. Discovery will focus on whether Apple's internal data-handling protocols, documented in technical white papers like its Differential Privacy Overview, align with its public representations.
Limitations and Unresolved Risks
While Apple avoided the most damaging statutory claims, the surviving allegations expose it to discovery demands for internal technical documents and source code audits. Key questions remain unresolved:
- Technical Nuance: Did Apple's systems truly anonymize data via differential privacy techniques, or did identifiers persist? Forensic experts will scrutinize whether hashed device fingerprints could be reassociated with users.
- Platform Control: The case tests whether preinstalled apps operate under different privacy rules than third-party software. Apple argues its apps require data for core functionality; plaintiffs counter this creates an unfair double standard.
- Industry Implications: A ruling against Apple could force redesigns of opt-out mechanisms industry-wide. Competitors like Google face similar lawsuits, making this a bellwether for app ecosystem governance.
The partial dismissal offers Apple tactical relief but leaves intact core questions about the transparency of its privacy engineering. As litigation advances, expect scrutiny of Apple's server-side processing logic and whether its privacy claims withstand technical verification. For users, the case underscores the importance of auditing network traffic—tools like Wireshark or Lockdown Privacy—to validate actual data flows against stated policies.
Meanwhile, Apple continues refining its privacy architecture, recently expanding App Tracking Transparency (ATT) to cover first-party apps in iOS 18 betas. Whether these changes preempt future legal challenges remains an open technical and legal question.
Case reference: In re Apple Inc. Device Performance Litigation, N.D. Cal. Case No. 5:26-cv-00067
Comments
Please log in or register to join the discussion