I don't think those things are mutually exclusive— lots of policies are affected by technical requirements and lots of technical design and development is affected by policy. CAN-SPAM did a great job of keeping legal businesses with aggressive marketing (within the reach of American law) from trapping people in email subscriptions, and technology has done a great job of tamping down the rest. Neither is perfect but they're both effective at the level they need to be. If a software company requires signing in without needing it for their core service, or requires you to link a social media account even though it's entirely unnecessary (e.g. Kinja,) I'd argue that those are more policy than technical, and a technical solution would probably struggle with them.
And sure, what's "necessary" for the app is nebulous, but the law has tests for differentiating between two nebulous states. Even a policy that had way too much grey area, like fair use, would still protect users more than "app developers can do whatever they want as long as it's in the privacy policy."
And sure, what's "necessary" for the app is nebulous, but the law has tests for differentiating between two nebulous states. Even a policy that had way too much grey area, like fair use, would still protect users more than "app developers can do whatever they want as long as it's in the privacy policy."