Apple’s IDFA privacy update: How to optimize user opt-in on iOS 14.5 and beyond
July 7, 2021
Apple first announced in September 2020 that as part of the new AppTrackingTransparency (ATT) Framework, app developers will be required to ask users for consent before accessing their IDFA (Identifier for Advertisers) for tracking and personalization. As of December 8, developers also needed to submit privacy info to be displayed in the App Store for consumers to view prior to download. The highly anticipated privacy changes finally arrived in April with the iOS 14.5 update, requiring all apps to use the ATT to collect user consent.
Now it’s official: Apple’s mobile ID for third parties is opt-in.
This change has been controversial in the industry so far. Facebook warned its partners that given Audience Network’s dependence on app advertising, the incoming privacy requirements would hinder advertisers’ abilities to target campaigns and consequently, impact publisher monetization efforts. Apple’s subsequent decision to delay implementation provided a much-needed adjustment period.
While the move towards privacy is welcome, publishers and developers have been scrambling to protect monetization on an important advertising channel. We’ll go over a few key considerations for optimizing consent rates, including the importance of communicating value exchange, designing for user experience, and the continued importance of regulatory compliance.
From opt-out to opt-in: changes to IDFA access
Up until now, Apple users could turn on “Limit Ad Tracking” in settings to opt out of IDFA, but not other cross-contextual identifiers.
With iOS 14.5 comes a new setting, “Allow Apps to Request to Track,” which enables apps to surface iOS permission dialogues and collect consent to access the IDFA. If a user wishes to opt out of all tracking, they can toggle “Allow Apps to Request to Track” off in their settings and will no longer receive in-app consent messaging.
Until the new privacy features go into effect, the IDFA of a user remains available for tracking purposes by default. When enforcement begins in full force, developers will no longer be able to access the IDFA unless they have obtained opt-in consent.
As for those considering alternative solutions to the IDFA, there’s already evidence that Apple is serious about rejecting apps from the App Store if they are found to be using other methods of pseudonymous mobile identification or fingerprinting without having obtained opt-in consent.
Establishing a transparent value exchange
According to a 2019 study by Harvard researchers, increasingly privacy-conscious consumers are evaluating their interest in personalization against their concern for privacy. Ad platforms can only grow trust among consumers when they are both transparent and deemed to be adhering to acceptable privacy procedures and regulations. It then follows that consumers are not inherently opposed to sharing their data for personalization so long as the publisher or advertiser builds trust through transparent conversations.
Unfortunately, the permissions message in iOS that asks users to allow apps to track them presents little room for publishers to engage in a transparent conversation with their users regarding their use of data. There’s only room to customize one to two sentences on the permissions message. To bridge this gap, developers can try surfacing primers before the iOS message, explaining how personalized advertising supports the free content or utility the app provides. And if a user declines tracking, developers may try to surface reminders and help easily navigate a user to their settings if they change their mind.
At the end of the day, the trust that publishers build with their consumers is the most important factor in encouraging opt-in. An AppsFlyer study found that apps with higher consumer affinity saw higher opt-in rates, hovering around 40% compared to the median opt-out rate of 32%. Optimizing your opt-in rates will require building trust with your consumers through a transparent dialogue on what tracking means for them.
Leveraging analytics for optimal user experience
Our research has found that consumers are more likely to opt in to a company’s privacy policies if they have a good user experience. User experience is influenced by the content or utility your app provides as well as the ease with which a user interacts with the app. Given that opt-in will be requested via both iOS messaging and CMP messaging–both of which are some of the first few touchpoints users have with an app–developers will need to be extra careful to streamline the consent experience while ensuring compliance with multiple frameworks.
To optimize consent rates, A/B testing for message flow and timing will be a crucial capability of CMPs on apps. The ability to capture consent rates and analyze where in the user journey consent action is taken can help developers best determine the timing to present opt-in messaging before and/or after the native iOS privacy message.
Regulatory compliance and monetization on iOS 14.5
One thing that doesn’t change is the need for a CMP to ensure regulatory compliance and monetization. It’s important to know that the consent given in Apple’s native messaging can not be used to qualify as consent for GDPR purposes because the iOS native message does not meet GDPR requirements for consent notices on several dimensions:
Informed consent: The iOS dialogue window does not provide enough information on what a user is consenting to, including the purposes for which their data is collected and which parties access that data.
Ease of withdrawing consent: It’s harder for an iOS user to withdraw consent once they’ve given it, since they would have to navigate to a specific place in settings to do so. This violates the GDPR principle that consent must be as easy to withdraw as it is to give.
Opt-in consent for third-party processing: GDPR requires that publishers inform consumers of which vendors or third parties they have shared data with. Yet iOS 14 provides no visibility into which downstream entities would have access to their IDFA, or for which purposes.
Though the consent framework for IDFA (AppTrackingTransparency) relies on explicit consent from the user for “tracking” purposes, how that choice maps to GDPR definitions or what happens when choices across frameworks don’t totally align is up for interpretation. For example, if a user declines tracking on iOS but consents to all purposes on the CMP, the publisher could choose to remove vendors from the consent string to match the user’s request to deny tracking. However, they may still want to enable service providers or data processors to process data in ways they believe aren’t prohibited by Apple’s definition of tracking, like anti-fraud detection.
CMPs can help publishers develop workflows that compile consent signals while incorporating choices made on iOS and while providing unified reporting on consent rates. They also continue to be important because their ability to transmit privacy preferences in a standardized format across devices facilitates consistency of user choice as well as monetization with a high degree of functionality, which is lacking in Apple’s native solution.
Digital advertising stakeholders, represented by associations such as the IAB, have voiced their concerns regarding the disproportionate threat to advertising revenues that the update presents. In an open letter to Apple, the IAB highlighted that the unilateral changes from Apple create redundancy in consent experiences while carrying a high risk of user refusal. Urging interoperability, they also emphasized that Apple’s privacy feature does not syndicate consent signals to other vendors, thus leaving a gap in monetization efforts for publishers and developers while strengthening Apple’s competitive advantage. With roll-out expected with the iOS 14.5 launch but an exact timeline remaining undetermined, the industry has been trying to get ahead of impending changes: in February, Facebook began testing in-app messages prompting users to allow tracking.
The value of dialogue
From Google Chrome’s announced limitations to the third-party cookie to Apple’s restrictions on cross-contextual personalization, the past year alone has proven that Big Tech influences privacy standards just as much as regulations. As the ecosystem evolves to strengthen data privacy rights, media sellers are being pushed to think beyond compliance and towards optimization. More than ever, app developers and publishers need to engage in transparent dialogue and deliver optimal user experiences if they want to maximize opt-in.
To learn about how Sourcepoint can help you integrate Apple’s ATT framework into consent messaging, contact us.
Latest Blog Posts
The Federal Trade Commission sent warning letters to five...
Delaware HB 154, implementing the Delaware Personal Data Privacy Act,...
How do different U.S. state laws define and protect...
Latest White Papers
The current state of publisher compliance with CCPA, and...
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.