Apple go BOOM on IDFA

As of Monday, June 22, Apple has asserted full control over IDFA and signaled to the marketing tech community that IDFA will no longer be a steady pulse. For many years, IDFA has served the role of cookies in a desktop environment, providing device level identification for all manner of ad delivery, user profiling, measurement and attribution tracking for mobile Apple devices. Apple announced that iOS 14, which is slated for release in the fall, will begin requiring an opt-in on a per app basis for any use or sharing of the ID across apps.

Apple is taking an approach that is roughly analogous to the ePrivacy Directive in the EU, going much further than FTC and self-regulatory guidelines in the US, which have historically focused on cross-site/app behavioral advertising. Apple is focused on anything related to device level advertising across apps, including measurement and attribution. It all needs an opt-in on a per app basis. Without the opt-in, you get a zeroed out ID every time.
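For any backend that receives IDFAs, the practical consequence of the zeroed-out ID is that it has to be treated as "no identifier" rather than as a join key. The sketch below is an added example, not Apple's code or anything from a vendor SDK; the event layout, bundle IDs and identifiers are constructed for illustration.

```python
import uuid
from collections import defaultdict

# The value iOS returns for the advertising identifier when tracking is not permitted.
ZERO_IDFA = uuid.UUID(int=0)


def usable_idfa(raw):
    """Return the canonical IDFA, or None if it is absent, malformed or all zeros."""
    if not isinstance(raw, str) or not raw.strip():
        return None
    try:
        parsed = uuid.UUID(raw.strip())
    except ValueError:
        return None
    return None if parsed == ZERO_IDFA else str(parsed).upper()


def summarize(events):
    """Return (share of events with a usable IDFA per app, apps seen per IDFA)."""
    totals = defaultdict(int)
    with_id = defaultdict(int)
    apps_by_idfa = defaultdict(set)
    for event in events:
        app = event["app"]
        totals[app] += 1
        idfa = usable_idfa(event.get("idfa"))
        if idfa is None:
            continue  # never join on the zero ID: it would merge every opted-out device
        with_id[app] += 1
        apps_by_idfa[idfa].add(app)
    rates = {app: with_id[app] / totals[app] for app in totals}
    return rates, dict(apps_by_idfa)


# Constructed sample events (hypothetical bundle IDs and identifiers).
SAMPLE_EVENTS = [
    {"app": "com.example.news", "idfa": "6D92078A-8246-4BA4-AE5B-76104861E7DC"},
    {"app": "com.example.news", "idfa": "00000000-0000-0000-0000-000000000000"},
    {"app": "com.example.news", "idfa": "not-a-uuid"},
    {"app": "com.example.news", "idfa": "1E2DFA89-496A-47FD-9941-DF1FC4E6484A"},
    {"app": "com.example.game", "idfa": "00000000-0000-0000-0000-000000000000"},
    {"app": "com.example.game", "idfa": "6d92078a-8246-4ba4-ae5b-76104861e7dc"},
    {"app": "com.example.game", "idfa": "00000000-0000-0000-0000-000000000000"},
    {"app": "com.example.game"},
]

if __name__ == "__main__":
    rates, linked = summarize(SAMPLE_EVENTS)
    print(rates)
    print(linked)
```

A pipeline that keys profiles on the raw string would instead collapse every opted-out device into a single all-zeros "user" and would count the two casings of the same identifier as two devices.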

From a user standpoint, iOS is setting itself up to present a solid privacy experience. The interface will be contextual and just in time, and far simpler than the ePrivacy and GDPR multi-dimensional menus, with their endless processing activities and long lists of 3rd party companies. Further, the data collection is off by default every time.

The application requesting permission has an opportunity to custom craft a message describing the data use. The format will facilitate a single blurb of text that is succinct and punchy (the NSUserTrackingUsageDescription). What the interface gains in elegance, it loses in completeness and granularity. GDPR clearly requires detailed information about precise processing activities and a discoverable list of all of the individual 3rd parties that might process data behind the app, none of which seem to fit within the iOS model.

So IDFA will be unavailable to the 3rd party ad ecosystem unless the user opts in on each app. Further, iOS intends that no company leverage state management workarounds (statistical IDs or alternative storage mechanisms that might ‘fingerprint’).

From the current developer page write-up:

“Unless you receive permission from the user to enable tracking, the device’s advertising identifier value will be all zeros and you may not track them as described above.”

We’ll see how this ends up being reflected in iOS developer terms, but if the past is an indicator, they will add language to this effect. Further, while in the past Apple’s enforcement against workarounds has been … generous … Apple is taking a significant stand against ad tracking with this release, and workarounds, especially for targeted advertising, would completely undermine the value proposition of the announcement. So one would expect actual enforcement this time around.

So if you need consent on each app, and you can’t (safely) leverage workarounds, will consumers grant consent? And if they do, will they grant consent at a rate, and across multiple apps, to produce anything more than a broken, ineffective version of our current programmatic ad buying ecosystem?

We don’t know, of course. In the EU, ePrivacy/GDPR consent UIs are regularly gathering consent in the 70%+ range. If that analogy applies here, IDFA might be very similar to cookies after they were killed by Safari and Firefox, but while Chrome was still an active supporter. That’s an outcome most in marketing tech would be extremely grateful for, at this stage.

More questions:

  • Will consent rates vary substantially depending on the app requesting the permission? Almost certainly. Consumers consent at much higher rates with brands they know and trust. Unfortunately, this serves to consolidate market power in legacy apps, making it harder for new brands to participate in the ad ecosystem.
  • Will consent occur at rates necessary to support effective behavioral profiling, cross device linking, and other data models? Almost certainly. Consent rates as low as 30% would likely provide a sufficient data stream to power these business models.
  • Will an application developer be able to condition access on consent? The implications here are significant and we don’t have any indication at this stage of an iOS position. Of course, in the EU, this would likely be unacceptable under the GDPR. But on its face, it certainly seems fair for an advertising supported app to decline servicing a consumer that does not provide the necessary data to generate advertising revenue. I might opt-out of paying for my latte at the local 3rd wave barista spot, if my true world OS provided the option. The barista might also decline to provide my latte. If this comes to pass, consent rates might be higher than we have seen in the EU.
  • How will all of this jockeying between commercial players (Apple, brands, developers, marketing tech), largely outside of the domain of data protection law and regulators, interface with legal regimes in the EU, California, and elsewhere around the world? While iOS is largely ignoring the specific and detailed requirements for consent in the EU, the EU, as well as California, has long begged tech platforms to demonstrate that privacy decision making can be simple and effective. They have centered that conversation in the past largely on browsers and DNT, but they will likely be thrilled that iOS is coming to their rescue. Companies seeking to comply will also be bound by the OS constraints around notice provision. Expect regulators to push gently on evolutions towards granularity, while largely embracing these controls and allowing companies to surface granularity from more subtle locations.

While an opt-in model for IDFA and a crackdown on workarounds might not be so bad for profiling companies, anything less than an 80% opt-in rate will be devastating, at least in the short term, for individual application owners. Lesser known applications would expect a lower opt-in rate, and a harder revenue hit. Further, any marketing tech companies that bill on media spend would expect to take a substantial hit. If the opt-in rate is substantially lower than these forecasts, the marketplace may collapse outside of the top 200 or so applications.

All of this needs to be taken in the context of a broader, cross-platform effort to drastically reduce device level fidelity. We may be rapidly coming to a stage in the marketing tech world where the only places where companies can individually track users are within the major walled gardens (Google, Facebook, Amazon). It may even be impossible to transition data across these environments. These developments convey massive advantage to the platforms that were already the winners of the last decade. But it is also fair to wonder where marketing spend will go from here, especially on the rest of the open web. Water will find a path, even if the most convenient path is blocked. Marketers still spend to reach audience, even if the audience cannot be measured at the individual level. These drivers may be setting the stage for a new phase of innovation in marketing tech. More contextual. More first party.

In addition to the IDFA announcement, Apple also announced a new system within iOS to power non-device level attribution. SKAdNetwork will provide a method for embedding advertisements with information that will return a confirmation after install. The confirmation will provide for ad level attribution, without returning an IDFA or any other device level indicators. These efforts echo Google Chrome’s Privacy Sandbox initiatives, which collectively seek to provide for marketers’ most basic requirements, while ensuring that marketing tech companies are prevented from making their own inferences and building models at the device level.

Trailing notes:

  • Apple seems fine with device level IDs if they remain on the device. Again, more Chrome style localized modeling and cohort building. This applies when user or device data from your app is linked to third-party data solely on the user’s device and is not sent off the device in a way that can identify the user or device.
  • Developers should not be concerned about first party analytics. The ID for Vendors (IDFV) may be used for analytics across apps from the same content provider. The IDFV may not be combined with other data to track a user across apps and websites owned by other companies unless you have been granted permission to track by the user.

The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms.