During its annual Worldwide Developers Conference (WWDC) in June 2020, Apple released a bunch of changes to its devices and operating systems like it always does.
But nestled between the shiny UI upgrades and new Memoji stickers were a series of privacy updates to iOS that have more or less eliminated an important element of in-app mobile advertising and measurement — the Apple IDFA.
In this blog post, we’ll take a look at the changes and what they mean for in-app mobile advertising in iOS.
If you’re looking for a short summary of Apple’s changes to IDFA, then read our PDF.
UPDATE: Apple will introduce its changes to IDFA with the release of iOS 14.5, iPadOS 14.5, and tvOS 14.5, which will be on April 26, 2021.
Apple recently announced that more privacy changes will be introduced with the upcoming release of iOS 15, as well as iPadOS 15, macOS Monterey, and watchOS 8. You can read about them here.
What Is Apple’s IDFA?
Apple’s identifier for advertisers (IDFA) is a string of numbers and letters assigned to Apple devices like iPhones, iPads, and Apple TVs. Advertisers use the IDFA to identify iOS, iPadOS, and tvOS users across apps to deliver personalized and targeted advertising, run frequency capping, measure campaign performance, and attribute impressions and clicks to app installs.
Here’s an example of what an IDFA can look like:
Google’s Android also has a mobile ID called Android Advertising ID (AAID). This functions in the same way as Apple’s IDFA.
Note: Although the changes to the IDFA will be applicable to all devices powered by iOS (iPhones and iPads), iPadOS (iPads), and tvOS (Apple TVs), in this blog post we’ll just be referring to iOS as this is the most popular operating system among Apple devices.
Are Mobile IDs Used in Web Browsers on Mobile Devices?
It’s important to clarify that mobile IDs like IDFA and AAID are used to identify devices in mobile apps. If a user browses the web in Safari on their iPhone, then web cookies, not the mobile ID, would be used to identify them for advertising purposes.
Mobile IDs are also more persistent than web cookies, which can be easily blocked (e.g. by using an ad blocker) or deleted by users.
Both iOS and Android users can reset their mobile IDs, but this option is often buried inside the phone’s settings and many users don’t know what these IDs are, what they’re used for, and that the option to reset it even exists.
- Advertising and Privacy – Apple
- IDFA (Identity for Advertisers) | AppsFlyer
- Intelligent Tracking Prevention (ITP): The Impact on Cookies, AdTech, and MarTech
- How Google Chrome’s Privacy Sandbox Will Work + Possible Solutions for AdTech
- Google Chrome’s Impact on AdTech & MarTech [infographic]
- How Different Browsers Handle First-Party and Third-Party Cookies
What Percentage of Mobile Users Globally Use iOS?
What Privacy Changes Has Apple Made to iOS Over the Years?
As part of Apple’s ongoing pledge to make their products more privacy friendly, it has introduced a number of changes over the years to help keep a user’s identity and data more secure.
Some of the changes related to advertising include:
Limit Ad Tracking (LAT)
Limit Ad Tracking (LAT) allows iOS users to opt out of targeted advertising. When enabled, the user’s IDFA will be zeroed out (i.e. the random numbers and letters will be replaced with zeros) when accessed by apps and AdTech companies.
Prior to iOS 10, the IDFA was still passed even if a user had enabled LAT, but it was accompanied by a request not to use the IDFA. Many companies decided not to honor this request, so Apple decided to zero out the IDFA from iOS 10 onwards.
Singular, a mobile measurement platform (MMP), released some research on the ad opt-out rates for iOS and Android devices:
The above graph shows that more iOS users are opting out of personalized ad targeting (via Limit Ad Tracking) than Android users.
Opt Out of Location-Based Apple Ads
iOS and macOS users can opt out of location-based ads served by Apple.
Grant Or Deny Access to Location Data
The new release of iOS 13 brought with it an update to location data controls.
Firstly, users were periodically shown messages informing them of certain apps that were using their location data in the background (i.e. when not actually using the app in question).
Secondly, Apple presented users with a choice about whether an app could use their location data.
Prior to iOS 13, users were presented with a message asking them whether the app could access their location data. The three options were Always, Never, and While using.
But this was changed to Allow while using, Allow once, and Don’t allow in iOS 13.
If you’re wondering how many iOS users opted out of sharing their location data, some reports put the opt-out rate between 50% and 80%.
The History of Apple’s IDFA
When Did Apple Introduce Its IDFA?
Apple introduced its IDFA in 2012 as a replacement for the Unique Device Identifier (UDID) and Media Access Control (MAC) Address to give users more choice and control over their privacy. Both the UDID and MAC address are associated with the hardware of mobile devices and can’t be disabled or reset by users, which is no bueno from a privacy perspective.
Apple started rejecting apps that required access to the UDID in 2013 with the release of iOS 6 and stopped passing the MAC address to apps from iOS 11 onwards — both for privacy reasons. The IDFA is the only persistent ID app developers can access for advertising purposes.
How Do AdTech Companies Use Apple’s IDFA Currently?
AdTech companies like SSPs, DSPs, and ad networks, as well as mobile measurement platforms (MMPs), use the IDFA to identify users, which is needed to power the following:
- Ad targeting and retargeting.
- Frequency capping.
- Campaign measurement.
- Ad fraud detection.
The IDFA is passed from the user’s device to AdTech platforms and MMPs. It can also be passed in bid requests during real-time bidding (RTB) auctions.
What Changes Will Apple’s iOS 14 Bring to The IDFA?
The release of iOS 14 will bring with it a number of new changes that will strengthen user privacy and security:
The one that will have the biggest impact on AdTech and MMPs will be the AppTrackingTransparency framework, which is referenced in the App tracking controls and transparency section above.
In short, before the IDFA can be accessed by an app and passed to AdTech companies, users will have to opt in.
They’ll be presented with a message like this:
App developers will have to use the AppTrackingTransparency framework to access the IDFA.
Here’s an overview of the changes:
So in order to access a device’s IDFA, app developers will first have to ask users whether the app can track them across apps and websites owned by other companies. Scary stuff!
If a user allows tracking, then the IDFA will be available to the app and can be passed to AdTech vendors and MMPs.
If they decline, then the IDFA will be zeroed out, rendering it useless for any kind of advertising process.
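An added example (not from the original post or from Apple) of how a platform receiving bid requests can handle the allow and decline cases above, plus the pre-iOS 10 case where a real IDFA arrives with a Limit Ad Tracking request. It assumes the OpenRTB `device.ifa` and `device.lmt` fields carry the IDFA and the LAT flag; the function names and the sample requests are constructed for illustration.

```python
import uuid
from typing import Optional

ZEROED_IDFA = "00000000-0000-0000-0000-000000000000"

def usable_idfa(device: dict) -> Optional[str]:
    """Return a canonical IDFA only when tracking is permitted and the ID is real."""
    # Honor the Limit Ad Tracking flag even when an ID is present (pre-iOS 10 behaviour).
    if device.get("lmt") in (1, "1"):
        return None
    raw = device.get("ifa")
    if not isinstance(raw, str):
        return None
    try:
        parsed = uuid.UUID(raw.strip())
    except ValueError:
        return None  # malformed value: never store it as an identifier
    if parsed.int == 0:
        return None  # zeroed-out IDFA: the user opted out or was never asked
    return str(parsed).upper()

def plan_targeting(bid_request: dict) -> dict:
    """Choose ID-based or contextual handling for one bid request."""
    idfa = usable_idfa(bid_request.get("device") or {})
    return {"request": bid_request.get("id"),
            "mode": "idfa" if idfa else "contextual",
            "idfa": idfa}

def frequency_cap_keys(requests: list) -> set:
    """Device keys for frequency capping; opted-out requests contribute none,
    so they are never merged into one profile under the all-zero ID."""
    return {p["idfa"] for p in map(plan_targeting, requests) if p["idfa"]}

# Constructed sample requests (the IDs are made up, not real devices).
SAMPLE_REQUESTS = [
    {"id": "r1", "device": {"ifa": "6D92078A-8246-4BA4-AE5B-76104861E7DC", "lmt": 0}},
    {"id": "r2", "device": {"ifa": ZEROED_IDFA, "lmt": 1}},
    {"id": "r3", "device": {"ifa": ZEROED_IDFA}},
    {"id": "r4", "device": {"ifa": "6d92078a-8246-4ba4-ae5b-76104861e7dc", "lmt": 1}},
    {"id": "r5", "device": {"ifa": "not-an-id"}},
    {"id": "r6", "device": {}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(plan_targeting(req))
```

Only the first sample request yields an ID-based plan; the rest fall back to contextual handling.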
How Many iOS Users Will Opt In?
Nobody knows for sure, but most estimates put the opt-in rate between 1% and 20%.
However, it’s still early days and the opt-in rates will depend on a number of factors, such as the vertical (gaming vs dating) and whether app developers have displayed their own message to users before showing them the ATT message (more on this below).
How many iOS users will opt-in and allow app developers to access the IDFA?
How Will Ad Targeting Work Without the IDFA?
Currently, AdTech platforms use a device’s IDFA to help them identify users across different apps. Mobile IDs are also used to run cross-device targeting and attribution by creating user profiles containing data collected from smartphones and laptops.
In devices running iOS 14, AdTech companies won’t be able to collect the IDFA and use it to identify users, unless of course they opt in.
If iOS 14 users opt out, they will still be shown ads, but they’ll be based on other methods like contextual targeting rather than based on their IDFA.
How Will Measurement and Attribution Work Without the IDFA?
Although Apple has essentially killed off IDFA-based ad targeting and decided not to provide a viable alternative, it has offered up a replacement for ad measurement and attribution via its SKAdNetwork.
What Is Apple’s SKAdNetwork?
Apple’s SKAdNetwork aims to provide conversion data to advertisers but without revealing any user-level or device-level data. It’s Apple’s version of a privacy-friendly way to attribute app installs.
Here’s how Apple’s SKAdNetwork will work:
A couple of points about the SKAdNetwork:
- The IDFA won’t be passed to AdTech platforms or MMPs, even if the user has opted in.
- All attribution data will pass through SKAdNetwork and then onto the AdTech platform or MMP. In iOS 15 and iPadOS 15 onwards, advertisers will also be able to receive the postback information.
- SKAdNetwork will only attribute app installs (via the last-click model) and not view-through conversions.
- Campaign IDs are limited to 100 per AdTech platform (e.g. ad network or MMP).
FAQs about Apple’s Changes to IDFA
When will iOS 14 and the AppTrackingTransparency framework be released?
iOS 14 was released in September 2020, and although these changes to IDFA were supposed to be released with iOS 14, Apple decided to delay the release of these changes until early 2021.
In January 2021, Apple announced that these changes to IDFA will be released in early spring.
On April 20, 2021, Apple announced that it would be releasing its AppTrackingTransparency framework with the release of iOS 14.5, iPadOS 14.5 and tvOS 14.5 on April 26, 2021.
What will happen to apps running in iOS 14 that haven’t implemented the AppTrackingTransparency framework?
Apps will need to release an update once these changes are released to include the AppTrackingTransparency API.
If an app running on iOS 14 doesn’t have this API, then it won’t have access to the IDFA (it will be zeroed out) and won’t be able to ask users to opt in via the pop-up message.
When will users see the opt-in message and how often?
Only once, unless the user deletes the app and then reinstalls it.
It looks like app developers can choose when to show the message to users, but they won’t have access to the IDFA until the user opts in.
Can the opt-in message be customized?
Some parts of the message can be customized.
The part in bold is set by the system (i.e. Apple) and can’t be changed. However, the text in the red box can be modified using the NSUserTrackingUsageDescription key.
This doesn’t leave much room for app developers to explain the value users will get by allowing tracking (i.e. free access to the app in exchange for targeted ads).
How many iOS users will opt in?
There’s no way of knowing until iOS 14 is released, but most estimates put the opt-in rate between 1% and 20%.
What are some possible workarounds?
There isn’t a clear replacement for the IDFA, but some workarounds for identification, ad targeting, and attribution include:
- Device fingerprinting for identification: Not recommended due to privacy reasons and Apple will likely crack down on this.
- Contextual ad targeting: A suitable option for some advertisers, but it’s often considered not as effective as IDFA-based ad targeting.
- Using an email address or phone number as an identifier: This will likely be the go-to workaround for many app developers, but it’s limited in scale. Apple has also said that if a company wishes to use a person’s email address for identification and targeting, then they’ll have to obtain consent via the ATT framework.
- Showing a different message before the ATT one: Because most of the text in the ATT message can’t be changed, app developers can show their own message to users before showing them the ATT message. This will allow them to explain the value in sharing their IDFA, e.g. the user can access the app for free and in return will be shown ads, and persuade them to opt in.
But any workaround that aims to identify users likely won’t meet Apple’s privacy guidelines and will probably be squashed:
What is CAID?
You may have seen some news about something called CAID.
CAID stands for China Advertising ID and it’s a workaround to the IDFA changes developed by the China Advertising Association (CAA), which is a state-backed advertising trade group in China.
The CAID is essentially a probabilistic ID created via device fingerprinting. Participating companies can access and use CAIDs in the same way they use Apple’s IDFA, i.e. for ad targeting, measurement, and attribution.
Apple has said it will block companies using the CAID, which include some of China’s largest tech companies such as ByteDance, Tencent, and Baidu.
- Apple, CAID, and China: rock, meet hard place – Mobile Dev Memo
- Going Behind The Scenes On CAID, The Chinese IDFA Workaround Causing Such A Headache For Apple – AdExchanger
- P&G Worked With China Trade Group on Tech to Sidestep Apple Privacy Rules – WSJ
- Nielsen, Deloitte, PwC And P&G All Helped Draft The CAID Spec – AdExchanger
Is this opt-in mechanism GDPR compliant?
We’re not lawyers, but in our view it’s not GDPR compliant.
Although this message might look like a consent form, it doesn’t tick all of the boxes needed for it to be considered lawful consent:
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Article 4 (11) of the GDPR
While Apple’s AppTrackingTransparency message does give users a choice (i.e. can be freely given), it is neither specific nor informed enough.
If app developers want to comply with the GDPR, then they should consider using a consent management platform (CMP) to obtain user consent for data collection as the AppTrackingTransparency framework isn’t integrated with any CMPs or the IAB’s Transparency and Consent Framework (TCF).
What does the future hold for mobile measurement platforms (MMPs) and AdTech companies?
With the main advertising processes (identification, targeting, measurement, and attribution) being taken away from independent AdTech companies, it will be harder for MMPs and AdTech companies (e.g. ad networks, DSPs, SSPs, etc.) to operate the way they do currently.
It just means they’ll have to come up with innovative solutions to tackle these challenges.
Expect to see some short-term workarounds while they consider long-term solutions.
Why has Apple introduced these changes?
While the true intentions of Apple’s privacy moves can only be known by those inside its boardroom, Apple has publicly stated that it wants to strengthen the privacy and security for its users across Apple devices and services.
And preventing companies from tracking users and collecting user-level and device-level data from them is one big way Apple can achieve that.
Another reason behind these changes could be that Apple wants to strengthen its position as a walled garden by limiting access to data, which is akin to what Google and Facebook do.