ICLE Comments to the CMA on Apple’s and Google’s App Store Rules
I. Introduction
The International Center for Law & Economics (ICLE) appreciates the opportunity to respond to the Competition and Markets Authority’s (CMA) call for evidence on recent developments relating to Apple’s and Google’s app-store rules.[1] ICLE is a non-profit, non-partisan global research and policy centre that advances evidence-based policy. Its scholars have written extensively on digital competition.
The call for evidence raises three related questions: (i) whether fees on steered transactions represent ‘a fair and reasonable charge for the services provided’; (ii) how the design of steering mechanisms—including side-by-side presentation of billing options, interstitial disclosures, parental gates, and attribution windows—affects user uptake; and (iii) whether the privacy, security, and fraud risks identified by Apple and Google have materialised where steering has been introduced.[2] These comments address each issue in turn.
A preliminary point frames our analysis. The CMA’s roadmaps rest on the view that Apple and Google operate an ‘effective duopoly’ subject to ‘limited competitive constraint’. ICLE has addressed that claim in prior submissions and does not repeat those arguments here.[3] The premise remains contested. Competition between iOS and Android, alongside growing pressure from AI-native firms and device manufacturers such as Samsung, materially shapes the effects of any intervention. Where competition is robust, the marginal benefits of regulation diminish, while the risks of error increase. The CMA should account for the possibility that intervention could leave UK consumers and developers worse off overall.
Our views are as follows.
On fees. The CMA asks whether steered-transaction fees are ‘fair and reasonable’. In practice, that inquiry risks sliding into cost-based rate-setting—a path with a poor track record. Pricing information goods presents well-known difficulties, as experience in the standard-essential patent (SEP) context shows. The analogy to FRAND pricing does not hold. FRAND commitments arise ex ante, before lock-in occurs. By contrast, Strategic Market Status (SMS) designation under the DMCC lacks any comparable anchor. Any cost-based approach would therefore operate ex post, inviting uncertainty and litigation. The European Commission’s ongoing dispute with Apple over alternative fee structures illustrates these risks. Even using a benchmarking approach, Apple’s and Google’s fees fall within the range charged by comparable online platforms. The CMA should avoid committing enforcement resources to rate-setting.
On design. Intervening in the design of steering mechanisms requires caution. Choice screens and mandated disclosures often fail to influence behaviour as regulators expect. Side-by-side displays, interstitial screens, parental gates, and attribution windows each serve identifiable informational, safety, or commercial functions. Removing or weakening these features to increase steering uptake risks displacing the preferences of users, developers, and platforms with those of the regulator.
On privacy, security, and fraud. The risks identified by platform operators are not hypothetical. Design mandates in curated ecosystems have, in other contexts, contributed to security failures—including the July 2024 Microsoft/CrowdStrike outage—and to unintended degradation of user experience. Steering moves transactions outside managed billing environments designed to detect fraud, resolve disputes, protect minors, and reduce exposure to social-engineering attacks. Limited evidence from jurisdictions where steering remains recent does not establish that these risks will not materialise.
A broader institutional point underlies these observations. The CMA indicates that it intends to introduce steering measures in the first half of 2026. Before doing so, it should assess experience elsewhere. Early evidence from the Digital Markets Act suggests rising compliance costs and protracted, adversarial enforcement, with limited demonstrable consumer benefit. The CMA is not obliged to replicate that approach.
II. The Limits of ‘Fair and Reasonable’ Fee Assessment
The call for evidence asks whether Apple’s and Google’s fees on steered transactions ‘reflect a fair and reasonable charge for the services provided’.[4] Framed this way, the inquiry invites a form of rate-setting, including benchmarking exercises of the kind endorsed by the 9th U.S. Circuit Court of Appeals in Epic Games v. Apple, which the CMA cites approvingly.[5] That path warrants caution.
Experience in analogous settings shows that rate-setting for information goods is difficult to administer and highly contestable. The underlying cost structures resist clean measurement, and attempts to derive a ‘correct’ price tend to devolve into discretionary judgments and protracted disputes. The CMA should consider that record before proceeding.
The analysis that follows makes three points. First, cost-based approaches cannot yield stable or non-arbitrary rates in this context. Second, analogies to FRAND rate-setting in the standard-essential patent space do not translate to the DMCC’s Strategic Market Status regime. Third, even on a conservative benchmarking approach, current fees fall within commercial norms, and the economic case for intervention is weak.
A. Cost-Based Rate-Setting for App Stores Is Indeterminate
App stores, like standard-essential patents (SEPs), are paradigmatic information goods. They involve high fixed costs of development and maintenance, near-zero marginal costs of distribution, and extensive shared inputs—security infrastructure, developer tools, payment processing, review and curation, anti-fraud systems, spam detection, accessibility APIs, and other platform-wide services. These inputs support thousands of downstream services and cannot be allocated cleanly across them.[6]
This cost structure defeats any attempt to identify a single ‘correct’ rate through cost-based analysis. Regulators face three options, none satisfactory. They can allocate shared fixed costs across services, but any allocation will be arbitrary. They can focus on narrowly defined marginal or incremental costs, but that approach systematically undercompensates investment in platform-wide goods. Or they can add a return on capital to a chosen cost base, which reintroduces discretion and judgment. None of these approaches yields a stable or principled result.
The same problem has long plagued FRAND rate-setting in the SEP context.[7] Courts and arbitrators have relied on a mix of heuristics—comparable-licence benchmarks, top-down and bottom-up methods, and hypothetical-negotiation frameworks. These approaches have not scaled well. In practice, disputes often collapse into competing expert valuations.
The 9th U.S. Circuit Court of Appeals’ suggestion in Epic that Apple could justify a steered-transaction commission based on ‘costs genuinely and reasonably necessary for its coordination of external links’[8] imports these difficulties into app-store regulation. The resulting administrative and litigation burdens are not speculative; they mirror the experience of SEP enforcement.
B. FRAND Analogies Do Not Translate to App-Store Regulation
The SEP experience may appear to offer a roadmap, but the analogy breaks down at a structural level. FRAND obligations arise as the price of inclusion in a technical standard. They reflect an ex ante commitment by a patent holder to a standard-setting organisation, made before lock-in, in exchange for the commercial benefits of standardisation. That commitment provides a conceptual baseline: a ‘fair and reasonable’ rate reflects the outcome of a hypothetical negotiation among willing parties before market power attaches.[9]
The DMCC SMS regime rests on a different foundation. Apple and Google did not seek SMS designation, nor did they make ex ante commitments to a regulatory framework. They did not voluntarily submit to any licensing regime. Instead, the CMA identified market characteristics it considered problematic and imposed conduct requirements unilaterally. There is no equivalent to the FRAND ‘hypothetical negotiation before lock-in’. The CMA would need to reconstruct, after the fact, a counterfactual rate that never existed.[10]
That difference matters. Any cost-based or benchmarking approach in this context operates ex post. It inherits the weaknesses of FRAND rate-setting—discretion, contestability, and reliance on expert judgment—without its central discipline: the ex ante anchor. Unsurprisingly, rate-setting exercises in similar contexts have proven persistently contentious.
The European Commission’s experience under the Digital Markets Act illustrates the point. After questioning Apple’s 30 per cent commission in its non-compliance findings,[11] the Commission turned to Apple’s revised fee structure, including the Core Technology Commission, the initial acquisition fee, and the tiered Store Services fee.[12] That process remains ongoing. It has absorbed significant enforcement resources without yielding a stable outcome for developers, consumers, or platforms. Instead, each revised fee structure has triggered further rounds of scrutiny and dispute.
C. Benchmarking and Evidence Do Not Support Fee Intervention
Even setting aside these threshold concerns, the case for intervening on fee levels is weaker than the call for evidence suggests. A proper benchmarking exercise indicates that current steered-transaction fees sit within—and often below—the range charged by comparable digital platforms. That undermines any inference that prevailing rates are unreasonably high. Developer dissatisfaction, standing alone, does not establish a competitive failure. Nor do claims about the benefits of lower fees rest on a sound economic foundation. They assume complete cost pass-through, which theory and evidence both reject, particularly in multi-sided markets where platforms adjust along non-price margins. Fee intervention therefore risks delivering concentrated gains to a narrow set of large developers while imposing diffuse costs across the UK app economy.
If the CMA proceeds to assess whether fees are ‘fair and reasonable’, the least-worst approach is benchmarking against comparable services. Applied conservatively, that exercise does not support intervention.
Comparable platforms typically charge commissions that overlap with, and often exceed, the 10–20 per cent range applied to steered transactions. Gaming console storefronts (PlayStation, Xbox, Nintendo eShop) charge 30 per cent. Steam charges 30 per cent, falling to 20–25 per cent at higher volumes. Amazon Marketplace referral fees range from 8 per cent to 45 per cent. Food-delivery and online-travel platforms routinely charge 15–30 per cent.[13]
By contrast, steered-transaction fees—15 per cent and 10 per cent in Japan, 10–20 per cent in Google’s global rollout, and the EU’s alternative-business-terms structure—are not outliers. In several cases, they are materially lower than comparable commissions.
Treating developer dissatisfaction as evidence of a ‘failure of competition’ conflates preference with market failure. Firms naturally prefer lower input costs. That preference does not show that prevailing rates depart from competitive benchmarks.
The call for evidence also asserts that lower fees would produce substantial benefits for UK users and developers, including ‘lower prices for digital content and services’ and ‘a wider choice of higher quality innovative goods and services’.[14] Those claims are overstated.
Cost pass-through is rarely complete. When input costs fall, firms share the resulting surplus among themselves, their customers, other complementors, and—in multi-sided markets—the other side of the platform. The outcome depends on demand elasticities, market structure, and competitive constraints, none of which the call for evidence models. In multi-sided markets with differentiated products, pass-through can be well below complete and may even be negative on one side as platforms rebalance pricing.
Empirical evidence supports this view. A 2020 study commissioned by the European Commission found that caps on payment-card interchange fees only partially translated into lower consumer prices.[15] More directly, a recent study of U.S. cities that capped delivery-platform commissions at 15 per cent found that platforms responded by reducing the visibility of independent restaurants and shifting promotion toward chain restaurants not subject to the caps. Consumers did not clearly benefit, and smaller restaurants—the intended beneficiaries—were worse off.[16]
These findings are directly relevant. Platforms respond to fee interventions through non-price adjustments, including ranking changes, advertising monetisation, service bundling, and quality reductions. Those responses can offset or reverse the intended benefits.
Fee interventions also tend to produce concentrated benefits and diffuse costs. Large developers—with scale, brand recognition, and in-house payment systems—are best positioned to exploit lower steering fees. Smaller developers, whom the CMA acknowledges ‘often do not pay the highest commission rates’,[17] gain little. They may instead face degraded distribution, new compliance costs, or reduced platform investment in shared services.
In short, the case for rate-setting is weak. Experience in the SEP context shows the difficulty of pricing information goods, and the FRAND analogy does not resolve those challenges. The European Commission’s ongoing engagement with Apple’s fee structure illustrates the institutional burden. Benchmarking does not indicate that current fees fall outside commercial norms. Pass-through assumptions lack empirical support. And the distributional effects of intervention favour a narrow group of large developers at the expense of smaller firms and consumers. The CMA should avoid drifting into rate-setting and direct its enforcement resources elsewhere.
III. Assessing Steering Design Interventions
The call for evidence identifies several design features that affect steering uptake: side-by-side presentation of native billing options, interstitial disclosures that payments occur off-platform, parental gates for users aged 13–18, attribution windows (such as the seven-day window in Japan), and scope carve-outs (such as Apple’s exclusion of apps in the ‘Kids’ category).[18] The CMA should approach any intervention in these features with caution.
These design elements fall into three broad categories. Some serve clear informational or safety functions and should be preserved, including disclosures and child-protection measures. Others reflect standard commercial terms, such as attribution windows, which do not lend themselves to regulatory calibration. Still others—such as choice architecture interventions—have an uncertain and often limited effect on user behaviour, while imposing real compliance and usability costs.
A. Choice Screens and Disclosures Rarely Shift Behaviour
The empirical record on choice screens and mandated disclosures is not encouraging.[19] Browser and search-engine choice screens introduced on Android in Europe after the 2018 Google Android decision did not materially shift market shares over several years. As Geoffrey Manne observes in the context of the U.S. Google Search case:
In Europe, where Google has since 2020 implemented a search engine choice screen on Android following the EU’s 2018 antitrust decision against it, Google’s share of the search engine market has barely budged.[20]
Evidence from default-switching experiments points in the same direction. When Mozilla changed Firefox’s default search engine from Google to Bing in 2016, Bing retained only 42 per cent of search volume by day 12. That figure later fell to between 20 per cent and 35 per cent.[21] Users quickly revert to preferred options when defaults change.
These findings undermine the assumption that presenting alternatives at the point of purchase will meaningfully alter behaviour.[22] Similar design mandates in app-store purchase flows are likely to produce similar results. They will impose compliance costs, increase interface complexity, and risk user frustration with additional disclosures, while delivering at most modest behavioural change. The return on regulatory intervention is therefore uncertain at best.
B. Core Design Safeguards Are Legitimate
Requirements that steering links appear alongside Apple’s In-App Purchase and Google Play Billing, and that users see a disclosure explaining that the transaction is with the developer, are often framed as friction designed to deter steering. That characterisation is incomplete. These features also serve straightforward consumer-protection functions.
When users transact off-platform, they lose access to centralised billing, subscription management, refunds, and dispute-resolution mechanisms. They assume counterparty risk with developers they may not know. Many users will not realise that refunds, chargebacks, or family-sharing features no longer apply. Clear, point-of-decision disclosures enable informed choice. Removing them to increase steering uptake would prioritise developer interests over user protection.
Child-safety measures reinforce this point. Apple’s rules in Japan exclude apps in the ‘Kids’ category, prohibit steering for users under 13, and require parental gates for users aged 13–18.[23] These safeguards respond to well-established concerns about minors’ in-app purchases, exposure to fraud, and compliance with child-protection laws in the UK and elsewhere.[24]
Treating parental gates as anticompetitive—or as design friction to be removed—would invert the policy balance. The CMA should recognise that child-safety protections are core platform functions. Any intervention should preserve parental gates, age-based restrictions, and category carve-outs for services aimed at minors.
Attribution windows raise a similar issue. Apple’s seven-day window—under which reduced commissions apply only to transactions completed within seven days of a steering link—reflects a standard commercial practice.[25] It limits commission liability to transactions plausibly facilitated by the platform, while preventing arbitrage through a single steering event.
Time-limited attribution is common across affiliate marketing, referral agreements, advertising networks, and other commercial arrangements. There is no economic basis to treat a seven-day window, or any particular duration, as inherently unreasonable. The CMA should not treat attribution windows as design features requiring adjustment. Doing so would draw the authority into setting commercial terms, beyond the scope contemplated by the DMCC.
C. Design Mandates Risk Obsolescence and Harm
The CMA should approach design mandates with caution. Each feature identified for potential removal—side-by-side presentation, disclosure screens, parental gates, and attribution windows—serves legitimate user, safety, or commercial purposes. Mandated removal would likely produce modest behavioural change while imposing real costs on informed consent, child safety, and product development. Parental gates and related child-safety measures should remain outside the scope of any conduct requirements.
Design mandates also risk becoming obsolete as mobile ecosystems evolve. As ICLE has previously noted, rapid integration of artificial intelligence is reshaping how users discover and transact with apps.[26] Samsung’s AI-driven features, Apple’s on-device intelligence, Google’s Gemini integration, and the rise of third-party AI assistants are already shifting interaction models toward assistant-driven, recommendation-based, and voice-first interfaces. Mandates tied to current user-interface patterns may soon apply to design surfaces that no longer exist.
The call for evidence underestimates the risk that regulatory mandates will ossify platform design at a moment of rapid technological change. The CMA should build flexibility into any intervention it adopts—or, preferably, avoid prescriptive design mandates and allow platforms, developers, and users to iterate through standard product-development processes.
IV. Steering Introduces Real Privacy, Security, and Fraud Risks
The call for evidence asks for ‘the effect, or otherwise, of these developments on users’ privacy and security or prevalence of fraud’, and seeks ‘any examples or evidence relating to the extent to which any privacy, security or fraud risks have materialised as a result of the introduction of steered transactions’.[27] This framing is welcome. The CMA is right to insist on concrete evidence, rather than purely theoretical concerns. ICLE has likewise emphasised in prior comments that design-mandate interventions in curated digital ecosystems create concrete—not merely theoretical—risks.[28]
At the same time, the evidentiary record remains limited. In jurisdictions where steering has been introduced—Japan (since Dec. 2025), the EU (2024–2025), and the United States (since 2024)—the regimes are recent, and their effects on fraud, privacy, and security are still emerging. This makes systematic harm difficult to measure at this stage, even where the underlying risk mechanisms are well understood. The absence of large-scale, attributable failures in this short period does not establish that risks are absent. Many relevant harms—subscription traps, phishing at the point of redirect, post-transaction data exfiltration, fraudulent refund disputes, and exploitation of vulnerable users—are diffuse, underreported, and slow to surface.
App-store billing systems are not mere payment processors. They are integrated fraud-detection, subscription-management, and dispute-resolution infrastructures operating at scale. Apple reports blocking more than $9 billion in fraudulent transactions over five years, including $2 billion in 2024, terminating 146,000 developer accounts for fraud, and identifying 4.7 million stolen credit cards.[29] Google’s Play Protect performs a comparable function. Android-team analysis indicates that apps obtained outside curated stores are more than 50 times as likely to contain malware.[30] These figures illustrate the scope of the infrastructure that steering bypasses.
Steering moves transactions from this environment into developer-specific systems of widely varying quality. Most developers cannot replicate platform-scale protections. Centralised billing delivers at least three advantages. First, platform-scale fraud detection: Apple and Google rely on cross-platform signals—device anomalies, known-bad merchant identifiers, and transaction-velocity checks across millions of users—that smaller providers cannot match. Second, unified subscription management: users can manage and cancel subscriptions in one place, rather than tracking multiple external providers. Third, centralised dispute resolution: platforms offer standardised refund processes, while off-platform disputes depend on bilateral negotiations with developers. These differences matter for user protection.
Evidence from adjacent contexts underscores the risks. The July 2024 Microsoft/CrowdStrike outage—affecting airlines, hospitals, and banks—appears to have resulted, in part, from an interoperability mandate.[31] It imposed widespread disruption and economic harm far beyond its regulatory target.[32]
Closer to the present context, the Dutch Authority for Consumers and Markets required Apple to permit alternative payments for dating apps.[33] Following that change, Dutch banks reported a sharp rise in dating-app fraud. More than 160 victims came forward in 2024—a nearly 25 per cent increase on the prior year—with average losses of €25,000.[34] While causation is not conclusive, the timing is notable, particularly as transactions shifted outside the systems designed to detect such fraud.
Early evidence under the Digital Markets Act points in a similar direction. A Netcraft analysis of apps distributed through grey-market iOS sideloading sites found that around 5 per cent of a 350-app sample appeared malicious—orders of magnitude above rates observed on the official App Store.[35] These outcomes follow from the logic of the intervention: opening curated ecosystems expands the attack surface.
From a security-engineering perspective, each redirect from a trusted environment to an external site introduces new vulnerabilities. Users who follow steering links assume legitimacy, making them more susceptible to phishing, typosquatting, and look-alike payment pages. Historical patterns reinforce this dynamic. The expansion of online banking coincided with increased phishing. The growth of mobile apps brought fake app stores. Subscription commerce has seen the spread of manipulative cancellation practices. These developments reflect predictable responses to new opportunities for exploitation. Research shows that SMS and phishing vectors account for roughly 70 per cent of mobile-payment fraud—the very channels that steering amplifies.[36]
Even sceptical scholarship recognises that some interoperability measures create genuine security challenges. Daji Landis, Elettra Bietti, and Sunoo Park distinguish among ‘security engineering concerns’, ‘security vetting concerns’, and ‘hybrid concerns’.[37] Their framework shows that some risks arise from system design, not strategic behaviour.[38] The CMA should adopt a similarly granular approach. It should neither dismiss platform concerns as pretextual nor accept them uncritically. The relevant question is whether the mechanisms through which steering weakens protections—centralised fraud detection, subscription management, and dispute resolution—are substantive. The evidence indicates that they are.
The promise of ex ante regulation was clarity and predictability. Early experience under the Digital Markets Act points in the opposite direction: increased complexity, prolonged disputes, and unintended consequences.[39] Measures that appeared narrow have, in practice, expanded attack surfaces, degraded user experience, and shifted fraud losses from platforms to users without clear offsetting benefits.[40] Steering mandates risk producing similar effects. The CMA should focus not on whether these harms are possible—they are—but on whether the benefits of intervention outweigh the predictable security and fraud costs. That assessment should rest on evidence, not assumption.
Security and competition also interact through product differentiation. Many users choose iOS—and many Android users remain within Google Play Billing—because of the security, privacy, and curation these systems provide. As Randal Picker observes, the contrast between Apple’s integrated model and Google’s more open architecture reflects competition between business models, not its absence.[41] Platform-economics scholarship reaches the same conclusion. David Evans and Richard Schmalensee explain:
The full gamut of bad behavior that we encounter in society, as citizens, consumers and merchants, can happen on multisided platforms. Participants engage on offensive behavior (…). There is fraud and misrepresentation (…). Interactions become risky when platforms participants aren’t trustworthy (…). Platforms can deal with this problem by preventing low-quality entrants from joining. Steve Jobs was worried that the iPhone would attract low-quality apps that would decrease the value of the platform. Apple solved this by imposing quality control on the apps it would make available on its AppStore. This sort of quality control requires platforms to invest significant efforts into investigating participants and kicking out bad ones.[42]
Interventions that weaken these controls in the name of increasing steering uptake risk undermining a dimension of competition that users value. In a differentiated ecosystem, the objective should be to preserve user choice, not to homogenise platform design.
The empirical record on whether harms have ‘materialised’ remains limited because the relevant regimes are new. The mechanisms that generate those harms are well understood. Evidence from adjacent interventions, early DMA experience, and the literature on fraud and consumer protection all point in the same direction. The CMA should require clear, quantifiable evidence that the benefits of any steering intervention exceed its privacy, security, and fraud costs. It should not invert that burden by treating the absence of fully realised harms as evidence that risks do not exist.
V. Conclusion
The CMA considers steering interventions at a critical juncture. Its roadmaps commit the authority to ‘taking action’ in the first half of 2026, and the call for evidence seeks to build the record for that step. That decision should reflect caution, not momentum.
Three points follow.
First, the CMA should avoid rate-setting. As Section II shows, pricing information goods resists principled, administrable solutions. The SEP/FRAND analogy does not translate to the DMCC context. Experience in the EU illustrates the institutional costs of sustained rate disputes, and benchmarking does not indicate that current fees fall outside commercial norms. Moving into rate-setting would commit the CMA to a resource-intensive exercise with no clear endpoint.
Second, the CMA should approach design mandates with restraint. Section III shows that choice screens and disclosure requirements rarely shift behaviour in meaningful ways. The design features under review—side-by-side presentation, disclosure screens, parental gates, and attribution windows—serve legitimate informational, safety, and commercial functions. Removing or weakening them risks degrading informed consent, undermining child safety, and constraining product development. Static mandates also risk rapid obsolescence as AI-driven interfaces reshape how users discover and transact with apps. At a minimum, parental gates and related child-safety measures should remain outside the scope of any conduct requirements.
Third, the CMA should require clear evidence that steering does not impose privacy, security, and fraud costs. Section IV shows that the relevant regimes are new, but the mechanisms of harm are well understood. Steering shifts transactions out of platform infrastructures that provide fraud detection, subscription management, and dispute resolution at scale. Evidence from adjacent interventions—from interoperability mandates to early Digital Markets Act experience—shows that well-intentioned design changes can expand attack surfaces and shift risk onto users. The burden should rest on proponents of intervention to show that the benefits outweigh these costs.
A broader theme runs through these points. Competition in mobile ecosystems reflects differentiation as well as rivalry. Apple’s integrated model and Google’s more open architecture offer distinct trade-offs that users actively choose between. Regulatory interventions that push toward uniformity risk weakening that dimension of competition.
The intensity of rivalry between iOS and Android—now joined by AI-driven entrants—further narrows the case for intervention. Where competitive constraints are strong, the marginal benefits of regulation fall, while the risks of error rise. The DMCC grants the CMA substantial authority, but it also requires disciplined use of that authority. Decisions should rest on evidence, reflect institutional limits, and account for both intended and unintended effects.
The CMA should proceed accordingly.
[1] Competition & Mkts. Auth., Views Sought: Recent Developments in Relation to Apple’s and Google’s App Store Rules (Mar. 2026), https://assets.publishing.service.gov.uk/media/69cce7e0eafd66b876458b25/Call_for_evidence_.pdf [hereinafter Call for Evidence].
[2] Id. ¶ 22(a).
[3] See Geoffrey A. Manne, Dirk Auer & Mario A. Zúñiga, ICLE Comments to UK CMA on Competition in Mobile Ecosystems, Int’l Ctr. for L. & Econ. (12 Feb. 2025), https://laweconcenter.org/resources/icle-comments-to-uk-cma-on-competition-in-mobile-ecosystems; Geoffrey A. Manne, Dirk Auer & Mario A. Zúñiga, Comments of the International Center for Law & Economics on CMA’s Proposal to Designate Apple and Google with Strategic Market Status, Int’l Ctr. for L. & Econ. (20 Aug. 2025), https://laweconcenter.org/wp-content/uploads/2025/08/ICLE-CMA-Apple-Google-Designation-comments.pdf.
[4] Call for Evidence, supra note 1, ¶ 22(a)(i).
[5] See Call for Evidence, supra note 1, ¶ 15; Epic Games, Inc. v. Apple, Inc., No. 23-16234 (9th Cir. 11 Dec. 2025), at 41 (discussing a cost-based measure for commissions).
[6] Carl Shapiro & Hal R. Varian, Information Rules: A Strategic Guide to the Network Economy 3 (Harv. Bus. Sch. Press 1999) (‘Information is costly to produce but cheap to reproduce … cost-based pricing does not work: a 10 or 20 per cent markup on unit cost makes no sense when unit cost is zero.’).
[7] See, e.g., Jonathan M. Barnett, Has the Academy Led Patent Law Astray?, 32 Berkeley Tech. L.J. 1313 (2017); Anne Layne-Farrar, Moving Past the SEP RAND Obsession: Some Thoughts on the Economic Implications of Unilateral Commitments and the Complexities of Patent Licensing, 21 Geo. Mason L. Rev. 1093 (2014); Daniel F. Spulber, Patent Licensing and Bargaining with Innovative Complements and Substitutes, 70 Res. Econ. 693 (2016).
[8] Epic Games, Inc. v. Apple, Inc., No. 23-16234 (9th Cir. 11 Dec. 2025), at 41.
[9] Daniel G. Swanson & William J. Baumol, Reasonable and Nondiscriminatory (RAND) Royalties, Standards Selection, and Control of Market Power, 73 Antitrust L.J. 1 (2005).
[10] Joseph Farrell, John Hayes, Carl Shapiro & Theresa Sullivan, Standard Setting, Patents, and Hold-Up, 74 Antitrust L.J. 603 (2007).
[11] Press Release, Eur. Comm’n, Commission Finds Apple’s App Store Rules Breach Digital Markets Act (23 Apr. 2025), https://ec.europa.eu/commission/presscorner/detail/en/ip_25_1085.
[12] See Apple, Communication and Promotion of Offers on the App Store in the EU (last visited 21 Apr. 2026), https://developer.apple.com/news/?id=communication-and-promotion-of-offers-on-the-app-store-in-the-eu.
[13] See 1D3, Platform Fees in the Videogame Industry (13 Nov. 2024), https://1d3.com/platform-fees; see also Press Release, Steam, New Revenue Share Tiers and Other Updates to the Steam Distribution Agreement (30 Nov. 2018), https://steamcommunity.com/games/593110/announcements/detail/1697191267930157838 (30 per cent commission on gross revenue, falling to 25 per cent after $10 million and 20 per cent after $50 million per title); Amazon, Selling on Amazon Fee Schedule (last visited 21 Apr. 2026), https://sell.amazon.com/pricing (referral fees range from 8 per cent to 45 per cent, with most digital-adjacent categories at 15 per cent); Scott Sage, How Much Does Booking.com Charge Hosts?, AirDNA (4 Aug. 2024), https://www.airdna.co/blog/bookingcom-charges-for-owners (typical hotel commissions of 10 per cent to 25 per cent). These negotiated fee structures among sophisticated parties provide a conservative benchmark for assessing whether app-store commissions fall outside ordinary commercial norms.
[14] Call for Evidence, supra note 1, ¶¶ 5–7.
[15] Ernst & Young & Copenhagen Econ., Study on the Application of the Interchange Fee Regulation (2020), https://www.copenhageneconomics.com/dyn/resources/Publication/publicationPDF/9/559/1583763875/copenhagen-economics_march_ifr-report.pdf.
[16] Li Zhuoxin & Wang Gang, Regulating Powerful Platform: Evidence From Commission Cap Fees, 36 Info. Sys. Res. 126 (2025), https://pubsonline.informs.org/doi/10.1287/isre.2022.0191 (finding that, in regulated cities, consumers face higher delivery fees and longer wait times as platforms recoup lost commission revenue through other channels).
[17] Call for Evidence, supra note 1, ¶ 21 (acknowledging that ‘smaller developers, which often do not pay the highest commission rates, make up a large proportion of the UK developer base’).
[18] Call for Evidence, supra note 1, ¶¶ 13–18.
[19] See ICLE Mobile Ecosystems Comments, supra note 3, at 10–12 (documenting that browser and search-engine choice screens in the EU failed to shift user behaviour).
[20] Geoffrey A. Manne, A Critical Analysis of the Google Search Antitrust Decision, Int’l Ctr. for L. & Econ. (14 Aug. 2024), at 16–17, https://laweconcenter.org/wp-content/uploads/2024/08/Manne-Google-Search-Decision-Analysis-2024-08-14.pdf (references omitted).
[21] Id. at 16–17.
[22] Id. at 17.
[23] Call for Evidence, supra note 1, ¶ 13(a).
[24] See Online Safety Act 2023, c. 50 (UK); Information Comm’r’s Off., Age-Appropriate Design Code (2020); see also Org. for Econ. Co-operation & Dev., Children in the Digital Environment: Revised Typology of Risks (2021) (documenting harms from unsupervised digital transactions by minors).
[25] Call for Evidence, supra note 1, ¶ 13(b).
[26] See ICLE Designation Comments, supra note 3, at 13–15 (discussing AI integration and the risk that static regulatory mandates ossify platform design amid rapid technological change).
[27] Call for Evidence, supra note 1, ¶ 22(a)(iii).
[28] See, e.g., ICLE Mobile Ecosystems Comments, supra note 3; ICLE Designation Comments, supra note 3.
[29] See Apple, App Store Prevented More than $9 Billion in Fraudulent Transactions (May 2025), https://www.apple.com/newsroom/2025/05/the-app-store-prevented-more-than-9-billion-usd-in-fraudulent-transactions (reporting $2 billion in blocked fraudulent transactions in 2024, termination of 146,000 developer accounts for fraud, and identification of 4.7 million stolen credit cards).
[30] Suzanne Frey, A New Layer of Security for Certified Android Devices, Android Devs. Blog (25 Aug. 2025), https://android-developers.googleblog.com/2025/08/elevating-android-security.html.
[31] Geoffrey A. Manne, Dirk Auer & Mario Zúñiga, Comments of ICLE to Commission Consultation on Proposed Measures for Interoperability Between Apple’s iOS Operating System and Connected Devices, Int’l Ctr. for L. & Econ. (8 Jan. 2025), at 8, https://laweconcenter.org/resources/comments-of-icle-to-commission-consultation-on-proposed-measures-for-interoperability-between-apples-ios-operating-system-and-connected-devices-dma-100203 [hereinafter ICLE Interoperability Comments] (citing Josephine Wolff, Software Crash Exposes Tensions Between Security and Competition, Fin. Times (28 Jul. 2024), https://www.ft.com/content/60dde560-194a-40d1-8c98-1d96d6d019a0). Both measures—interoperability mandates and requirements to allow sideloading or steering—require platforms to share information or open systems, thereby reducing platform control over security and system integrity.
[32] Adam Satariano et al., Outage for Microsoft Users Knocks Out Systems for Airlines and Hospitals in Chaotic Day, N.Y. Times (19 Jul. 2024), https://www.nytimes.com/live/2024/07/19/business/global-tech-outage.
[33] Auth. for Consumers & Mkts., ACM: Apple Changes Unfair Conditions, Allows Alternative Payment Methods in Dating Apps (11 Jun. 2022), https://www.acm.nl/en/publications/acm-apple-changes-unfair-conditions-allows-alternative-payments-methods-dating-apps.
[34] See NL Times, Dutch Banks Worried About Rise in Dating App Scams; Victims’ Average Loss €25,000 (25 Nov. 2024), https://nltimes.nl/2024/11/25/dutch-banks-worried-rise-dating-app-scams-victims-average-loss-eu25000 (reporting that, in 2024, more than 160 victims came forward—nearly a 25 per cent increase over 2023—with average losses of €25,000; noting also that, in Oct. 2025, authorities arrested two individuals in Utrecht for defrauding 26 victims of €550,000). The Dutch ACM’s alternative-payment mandate for dating apps preceded these developments; while causation is not established, the temporal correlation is notable.
[35] See Bilaal Rashid, What Apple Is Afraid of — Pre-DMA Alternative iOS App Stores Are Already Riddled with Malware, Netcraft (6 Mar. 2024), https://www.netcraft.com/blog/apple-dma-app-store-malware-review.
[36] See Umar Sayibu et al., Fraud Prediction and Prevention in Mobile Money Payment Systems: A Systematic Literature Review of Text-Based Detection Methods, Sec. & Commc’n Networks 1 (2025), https://onlinelibrary.wiley.com/doi/10.1155/sec/8913715 (finding that 70 per cent of mobile payment fraud follows SMS and phishing vectors).
[37] Daji Landis, Elettra Bietti & Sunoo Park, SoK: ‘Interoperability vs Security’ Arguments: A Technical Framework (2026) (unpublished manuscript), https://arxiv.org/abs/2502.04538.
[38] Id. at 8–12 (categorising security claims into ‘security engineering concerns’, ‘security vetting concerns’, and ‘hybrid concerns’, and noting that the framework aims to identify ‘where security and interoperability are and are not in tension’).
[39] See Satya Marar, Brightline Rules and Case-by-Case Courts: The DMA and Epic v Apple, Truth on the Mkt. (2 Feb. 2026), https://truthonthemarket.com/2026/02/02/brightline-rules-and-case-by-case-courts-the-dma-and-epic-v-apple; see also Dirk Auer, The Broken Promises of Europe’s Digital Regulation, Truth on the Mkt. (12 Mar. 2024), https://truthonthemarket.com/2024/03/12/the-broken-promises-of-europes-digital-regulation.
[40] See Selçukhan Ünekbas & Lazar Radic, Implementing the EU’s Digital Markets Act: The Seen and the Unseen, Truth on the Mkt. (25 Jun. 2025), https://truthonthemarket.com/2025/06/25/implementing-the-eus-digital-markets-act-the-seen-and-the-unseen.
[41] Randal C. Picker, Security Competition and App Stores, Network L. Rev. (2024), https://www.networklawreview.org/picker-app-stores.
[42] David S. Evans & Richard Schmalensee, Matchmakers: The New Economics of Multisided Platforms 138–39 (2016).