Industry prepares for Apple Tracking restrictions

Apple later decided to delay implementation of the feature until early 2021 to give app developers time to make the necessary changes.

Although there’s no confirmed release date for the next version of Apple’s operating system (iOS 14.5), which will be used to implement the change, the update is being beta tested and it’s expected to be released in March. Here we explore the potential impact of this change for advertisers and publishers, and how advertisers might react.

Small business and advertising budgets to be squeezed

Facebook say that the move will limit the ability of advertisers to deliver targeted ads on iOS 14, leading to lower ad spend on Audience Network (Facebook’s platform allowing advertisers to extend their Facebook ad campaigns to a network of third party apps) and a more than 50% drop in Audience Network publisher revenue. At the other end of the ecosystem, Facebook anticipate that small businesses will suffer the most as they are most reliant on the inexpensive ad campaigns that are made available by platforms such as Facebook’s Audience Network.

This notion that small businesses are likely to be disproportionately affected is supported by a 2019 report by the IAB, which stated that tracking is “pro-competitive” because it “gives small marketers and publishers the same access to data as large publishers”, which have “many sources of consumer data and a variety of ways to match that data to consumers across sites and devices within walled gardens”.

If third party tracking were completely lost, in 2019 the IAB estimated that USD 24 to USD 29 billion in annual publisher revenues would shift to walled gardens (Google, Facebook and Amazon and others that hold vast stores of first-party data) and USD 8 to USD 10 billion revenue would be lost by reliant companies such as adtech vendors and advertising agencies. iOS devices of course only form part of the ecosystem, but the figures are indicative of the potential disruption of Apple’s decision.

How the industry might respond

Most obviously, app developers will need to display Apple’s tracking prompt if they want to track users for advertising purposes. It’s important to note that Apple’s definition of ‘tracking’ is extremely wide – it “refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes”, including “sharing a list of emails… with a third party advertising network that uses that information to retarget those users in other developers’ apps”. Therefore, for the purposes of Apple’s terms, ‘tracking’ will extend beyond the use of app-based tracking technologies (i.e. SDKs) and includes the use of ‘customer match’ tools such as Facebook Custom Audiences.  

Verizon Media point out that app developers will have some control over the wording of their prompt, so key will be to use language that encourages the user to grant permission by ensuring that the message is “clear, easy to understand, and highlight[s] that opting in is beneficial to the user or their experience in-app”.

The latter point – that targeted advertising is beneficial – should not be understated. Regulators are increasingly enforcing consent requirements that are enshrined in UK privacy laws, in particular the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. Those that embrace, rather than seek to circumvent, consent models and work to win the trust of their audience, and educate users on the benefits of targeted advertising, are those that are likely to be best positioned to deliver targeted advertising.

Some may have pinned their hope on using identifiers other than the IDFA to track users, but Apple’s tracking policy applies to any data collected via the app, so it includes other identifiers, such as phone numbers and email addresses and any resultant ‘tracking’ using those identifiers. On the other hand, Apple’s developer page makes clear that “data collected separately, outside of the app and not related to the app is not in scope”. As such, app developers can track users across apps and websites using their own first party data (collected outside of the relevant app), provided of course that the collection of the data and the tracking complies with privacy laws.

Some marketers may look to play ignorant to Apple’s wide definition of “tracking”, especially when it comes to data that is not collected via tracking technologies (for example, email addresses that are collected during the checkout process) and the use of it to build segments that are targeted on third party platforms. Ultimately, however this may prove to be a risky strategy as it could lead to removal from the App Store, although it remains to be seen how Apple will police and enforce the new requirement. Such an approach may also put the marketer in breach of privacy law, as well as Apple’s terms, because a user’s refusing to allow tracking through Apple’s framework may undermine the marketer’s argument that it has a lawful basis to use the underlying data.

So what’s next?

Despite this new technology only affecting data collected from apps, as a result of this move from Apple and other similar moves from other big players in the market (e.g. Google restricting use of third party cookies on its browser), organisations will need to think about how they can effectively collect behavioural data compliantly or consider other solutions that have similar results but don’t involve the use of online behaviour data.  As a result, we expect to see the growth of  contextual advertising solutions or more innovative “walled garden” solutions based on first-party data (principally hashed email addresses) as a means to legitimately overcome these restrictions. As such, The Trade Desk is partnering with various ad-tech vendors (including Criteo and LiveRamp) and publishers to create Unified ID 2.0, an email based identifier, and LiveRamp’s Authenticated Traffic Solution allows publishers to match their consented data with LiveRamp’s ‘IdentiyLink’ dataset.

However, while these solutions seem a good way forward, there are questions as to the scalability of such solutions and, in many cases, privacy laws issues will still exist around how those large data sets will be collected and processed.  For example it is likely that in a number of cases the collection of such data to be used for advertising purposes will require that an informed, opt-in consent is obtained from the individual which is not easy to achieve.

Finally, it’s also being reported that some (less scrupulous) app developers will move to device fingerprinting – whereby certain attributes of a device, such as the operating system and browser being used, are combined and recorded to uniquely identify a device – but it’s worthwhile noting that Apple expressly prohibit this (though it can be difficult to identify and it remains to be seen whether we’ll see more cases of Apple enforcing this by removing apps from the App Store). In addition, fingerprinting is a technique that’s specifically referenced in the latest ICO guidance on the use of cookies and similar technologies, so again an informed opt-in consent is required in order to lawfully deploy this technique.