Broken model
This is where the problem lies:
"...users could stop companies tracking their online activity in apps by changing their privacy settings."
versus:
"however ... Apple's privacy policies did not extend to its own apps and services ... the iGiant tracks its own users without their explicit consent and doesn't give them the choice to opt-out."
The model for opting out of being tracked is broken. Because it uses a bottom-up approach where you essentially have to say "no" to multiple apps/services, multiple times. How about we just implement a top-level "do not fucking track me" option and anything running on the device has to inherit those settings? Of course that will never happen but this is the loop hole that Apple can use to get away with it. Even if they had something and knew it violated the law they could reasonably claim due to this technical constraint they were looking to address it in a forthcoming version of iOS since the law has to allow companies time to implement such changes.
The current model for this is totally broken.
It's the same with bullshit privacy / cookie policies on multiple websites. Generally speaking my opinion doesn't change depending on the site. So why not let me set this globally, once, and apply it to all sites via browser settings rather than having to configure it per domain/app/service?