Marrian Zhou, CNet:
Apple’s iOS system encrypts location information and doesn’t associate that information with any name or Apple ID. The iOS operating system also permanently deletes data from an iPhone if the phone doesn’t connect to Wi-Fi or power for seven days.
iPhones without SIM cards will send a limited amount of information about cellular towers and Wi-Fi hotspots to Apple if the user has enabled location services. The information will be encrypted and isn’t used for targeting advertising. If location services are turned off, the iPhone won’t send any data to Apple.
And from Apple’s response itself:
However, as Sarah Frier points out at Bloomberg, Apple has no control over data use after a user has agreed to share their data with a third-party developer:
Apple has built in two direct consumer controls: one, when you agree to share your contact information with the developer; and the other, when you toggle the switch in your settings to deny that permission. But neither is as simple as it seems. The first gives developers access to everything you’ve stored about everyone you know, more than just their phone numbers, and without their permission. The second is deceptive. Turning off sharing only blocks the developer from continued access — it doesn’t delete data already collected.
Notwithstanding that users can, of course, also deny permission when first prompted, there is no mechanism for them to pull their data completely using a simple toggle switch or similar. It’s more likely that they will need to ask the company specifically to remove their historical data, and they will only have legal standing to demand it in Europe — thanks to GDPR — and other companies with strong privacy protections.
Apple probably can’t — and, arguably, should not — police user data in the hands of third-party developers when permission has been granted for its use. They would end up having to regulate any number of companies that are notoriously bad stewards of user data, like Facebook and Google. Users shouldn’t be required to read the excessive and overly-permissive contracts in every app. That’s something governments ought to regulate instead, and we should be expecting them to do a better job.