‘There are significant grey areas’: The biggest unanswered questions around Apple’s upcoming privacy update

Apple last month announced two important privacy changes that have rattled the mobile advertising industry.

Later this year, developers will be required to include information in a so-called “nutrition label” about how their apps collect data on their app description page. Those developers are also required to ask permission from users to track them across third-party websites and other apps, using its identifier for advertisers, known as the IDFA. Experts expect opt-in rates to be low, hampering audience targeting and measurement.

The changes will come into effect when iOS 14 is released, which is expected in mid-September. Yet there are still many questions left unanswered about how the IDFA changes will work in practice.

“There are significant grey areas that are open to interpretation and require clarification from Apple,” said Matt Barash, svp of strategy and business development at mobile advertising company AdColony. 

Below are six questions that remain unclear for advertisers. Apple declined to comment on the record.

How is Apple going to police and enforce these rules if developers or ad tech vendors attempt to circumvent them?

It’s not yet entirely clear how Apple will detect and clamp down on companies attempting to create workarounds once iOS 14 comes into play.

Eric Seufert, strategy consultant at Heracles Media, said Apple “floated a test balloon” last year when it announced kids apps should no longer use third-party advertising and analytics software — apart from in some limited cases, so long as personally identifiable information (including the IDFA) wasn’t sent to third-parties. The rules came into force earlier this year.

Apple started “carte blanche” rejection app updates for those developers found in violation, Seufert said.

How far can contextual targeting go?

Some mobile ad tech companies have posited that the IDFA changes could mark a shift from audience targeting based on user data to more contextual targeting.

“This is not like the type of contextual targeting people think about from desktop in 2014,” said Offer Yehudai, president of app monetization platform Fyber. Rather it’s about, “what can we tell in a privacy aware manner about the [app session] in real-time to then pass information for the [demand-side platform] to use.”

Examples include how long the user has been using the app, whether the device has enough battery to download an app and whether the audio is on or off, Yehudai said.

Yet it’s unclear whether any contextual parameters will be allowed in the bid stream — even if they don’t present any immediate details about the specific user.

Contextual information could still be considered as having the potential for device “fingerprinting,” which is unlikely to pass muster with Apple. The company cracked down on browser fingerprinting in Safari in 2018.

Will the SKAdnetwork be expanded over time?

Apple’s proprietary SKAdnetwork is a basic application programming interface that let’s an ad network know whether their ad campaigns lead to an app install or other limited “postback” events after the app was installed. The reports are aggregated and not delivered in real-time.

Paul H. Müller, CTO and co-founder of mobile measurement company Adjust, describes the SKAdnetwork as “complete garbage.”

“It focuses on metrics not worth anything to people — like downloads — and does not offer granularity even remotely to run campaigns,” said Müller. The data  “campaign ID” is also limited to 100 values, which doesn’t account for optimization: A typical campaign tends to run thousands of different creatives, Müller added, tailored for different geolocations and A/B testing, for example.

Some industry experts aren’t convinced there’ll be much of a SKAdnetwork 2.0.

“Put down your ambitions for precise attribution,” said Kevin Joyner, director of planning and insight at digital marketing agency Croud. “It’s time to move on, it’s not going to get any better. We should look in other places.”

What’s an ‘ad network’ anyway?

Ad network has become a much-maligned term in the ad tech industry, so there’s a whiff of irony that access to the SKAdnetwork is limited to ad networks, source apps and advertised apps.

Anyone working in digital advertising knows there’s usually more than three participants: A DSP, advertiser ad server, publisher ad server and supply-side platform are usually added to that list at the very least. The documentation suggests developers can only list each “ad network” with which they work.

Apple defines ad networks as entities that “that sign ads and receive install notifications when ads result in conversions,” according to its developer documentation.

“The definition oversimplifies the industry in such a way that it has the potential to create winners and losers just by ignoring the way the ecosystem works,” said Alex Cone, senior director of product management at IAB Tech Lab.

Wording on Apple’s developer site says if users opt out of tracking, developers can’t place a third-party software development kit in their app that combines their app’s user data with data from other developers’ apps to “target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes.”

Is retargeting possible? 

If users decide not to share their IDFA with third-party providers, retargeting becomes an issue — and also techniques like frequency capping and controls around recency. 

Per Apple’s developer site if a user opts out from tracking, developers can’t share a list of emails, advertising IDs, or other IDs with a third-party that uses that information to retarget those users in other developers’ apps.

One possible alternative could be if a user has provided login information, such as their email address, and agreed it can be used for advertising purposes. But it’s not entirely clear whether that’ll come up to scratch with Apple either if the user has opted out from sharing their IDFA and then is clearly being targeted on their phone using some form of personal identifier.

Are the changes compliant with GDPR?

On July 2, 16 advertising and publishing trade associations co-signed a letter to Apple CEO Tim Cook in which they asserted that the IDFA pop-up doesn’t comply with GDPR. The trade groups said the pop-up isn’t (at this stage at least) “widely customizable by the app developer and is not interoperable with digital advertising market standards,” such as the IAB Europe’s Transparency and Consent Framework.

A spokesperson for IAB Europe, on behalf of the signatories, said Apple hasn’t responded or acknowledged their letter.

“The silence can be perceived as a signal and an example of how Apple has unilaterally taken a decision without any respect for their partners and ecosystems,” the spokesperson said. “If we still have no answer, next week we will be looking into escalating it to local and European authorities.”

(Digiday previously reported that one privacy law expert — Wayne Matus, co-founder and general counsel at SafeGuard Privacy — found Apple’s decision to create a uniform consumer experience not to be in violation of the GDPR.)

Update: This article has been updated to clarify wording in Apple’s developer documentation, which notes that developers must state which ad networks they work with. A previous version of this article incorrectly stated that there was only one ID available to whichever ad network a developer is using.

https://digiday.com/?p=373520
Digiday Top Stories