Apple is arguably the most popular and innovative tech company in the world. Throughout its history, Apple has invented many revolutionary products, like the iPod, iPhone, iPad, and iWatch.
Over time, the company has created its own ecosystem that incorporates many areas, such as hardware, software, marketplaces, and services.
But over the past few years, Apple has become famous for another area; user privacy.
In this infographic, we’ll highlight the changes that Apple has made to its products and services to strengthen user privacy and explain what this means for the AdTech and MarTech industries.
An overview of Apple’s ecosystem
- Apple TV
Products and Services
- Safari web browser
- App Store
- Apple Pay
- Apple TV+
A Snapshot of the Privacy Settings in Apple Safari and iOS
Apple released its Safari web browser for Mac computers in 2003 and for iOS in 2007 with the release of the first iPhone. Safari is powered by the web browser engine Webkit.
Intelligent Tracking Prevention (ITP)
In September 2017, Webkit released version 1.0 of Intelligent Tracking Prevention (ITP), a feature that aims to strengthen user privacy by preventing cross-site tracking.
Since then, Webkit has released numerous updates that have shut down workarounds and made it harder for companies to identify and track users across different websites. In June 2021, Apple announced that ITP will add a new feature that will hide a user’s IP address from trackers.
ITP incorporates a machine-learning model, known as the Machine Learning Classifier, to assess which domains have the ability to track users across different websites. This model is based on statistics collected by the browser.
If a domain has been classed as a tracking domain, then any data it stores in the Safari browser will be restricted.
Below is an overview of how Safari’s ITP handles first-party cookies, third-party cookies, and other web browser storage methods.
- Third-party cookies are blocked by default.
- If a web visitor clicks on a link containing a query string or fragment identifier, then any data stored in LocalStorage in the web visitor’s browser will be set to expire in 7 days, provided the referring domain has been classified as being a tracking domain.
- All cookies created by a third-party CNAME-cloaked HTTP response will be set to expire in 7 days.
- In 2021, ITP will add a new feature that will hide a user’s IP address from trackers.
Privacy Preserving Ad Click Attribution
When ITP started blocking third-party cookies, it had an immediate and negative impact on behavioral ad targeting, frequency capping, measurement, and attribution.
Although Safari hasn’t provided any alternatives for ad targeting and frequency capping, it has proposed a solution that will allow advertisers to run limited attribution in a privacy-friendly way.
Safari’s proposal is called Privacy Preserving Ad Click Attribution.
Here’s a really simplified overview of how Webkit’s Privacy Preserving Ad Click Attribution would work:
- A user clicks on an ad on supershoes.com. Webkit’s Privacy Preserving Ad Click Attribution uses two new anchor elements: adDestination and adCampaignID. These elements will be included in the ad’s markup and passed to the advertiser’s landing page.
- The user is directed to the advertiser’s landing page (basketballshoes.com) and converts (e.g. buys the product). When a user converts on basketballshoes.com, a tracking pixel, like the ones used currently to track conversions, will be sent back to supershoes.com. The .well-known/ad-click-attribution/21/25 path will be passed to Safari and register that a conversion has taken place.
- Somewhere between 24-48 hours after the recorded conversion, Safari will send the conversion data to supershoes.com and basetballshoes.com via a stateless POST request, with a header referer (i.e. basketballshoes.com) being sent to supershoes.com so that both sites know that a conversion for that ad click has occurred.
This is similar to how Google Chrome’s Privacy Sandbox measurement and attribution standard could work — i.e. attribution would be done by the browser instead of by a third-party company via cookies and won’t rely on identifying individuals — and again, AdTech and MarTech companies will be at the mercy of Safari for measurement and attribution.
For AdTech and MarTech companies, it means that there’ll be less attribution data available, but they’ll still be able to tell which ad resulted in a conversion and know which publisher delivered that ad click, provided the conversion took place between the 24-48 delay.
If the user converted outside of that delay, then they won’t have attribution data for that conversion.
Safari’s Privacy Preserving Ad Click Attribution solution is still being discussed and worked on in the W3C privacy group. There’s no word yet if and when this will become a published standard and whether other browsers will also adopt it.
Apple released its mobile operating system iOS in 2007 with the release of the first iPhone. iOS also powers many earlier versions of other Apple devices like the iPad and Apple TV.
In June 2020 during its Worldwide Developers Conference (WWDC), Apple announced a series of privacy updates to iOS that have more or less eliminated an important element of in-app mobile advertising and measurement — the Apple IDFA.
What Is Apple’s IDFA?
Apple’s identifier for advertisers (IDFA) is a string of numbers and letters assigned to Apple devices like iPhones, iPad, and Apple TVs. Advertisers use the IDFA to identify iOS, iPadOS, and tvOS users across apps to deliver personalized and targeted advertising, run frequency capping, measure campaign performance, and attribute impressions and clicks to app installs.
Here’s an example of what an IDFA could look like:
How Do AdTech Companies Use Apple’s IDFA Currently?
App developers can access a device’s IDFA and pass it to their AdTech and measurement partners.
AdTech companies like SSPs, DSPs, and ad networks and mobile measurement platforms (MMPs) use the IDFA to identify users, which is needed to power the following:
- Ad targeting and retargeting
- Frequency capping
- Campaign measurement
- Ad fraud detection
What Changes Will Apple’s iOS 14 Bring to The IDFA?
Before a device’s IDFA can be accessed by a mobile app developer, they’ll first need to get consent from the user.
If the user allows the app developer to access their IDFA, then the IDFA will be passed as usual. If the user doesn’t allow the app developer to access their IDFA, then the IDFA will be zeroed out, making it useless from an identification point of view.
The mobile app developer will only be able to ask the user for access to their IDFA once per install.
Privacy Changes in iOS 15
In June 2021, Apple announced another new privacy change that will be released with iOS 15 and iPadOS 15.
App Privacy Report
Apple’s App Privacy Report aims to give users more insights into how apps use things like the user’s location, photos, camera, microphone, and contacts.
The report will show users how apps have accessed that information in the past 7 days and can deny access to that information by changing the settings.
The App Privacy Report will also show users which third-party domains the app has been contacting so that users can see which companies their data is potentially being shared with.
Apple’s SKAdNetwork aims to provide conversion data to advertisers but without revealing any user-level or device-level data. It is Apple’s version of a privacy-friendly way to attribute app installs.
A couple of points about the SKAdNetwork:
- The IDFA won’t be passed to AdTech platforms or MMPs, even if a user has opted in.
- All attribution data will pass through SKAdNetwork and then onto the AdTech platform or MMP. From iOS 14.6 onwards, advertisers (i.e. app developers running ad campaigns) will also be able receive winning postbacks, allowing them to be notified when their ads result in a conversion (e.g. an app install).
- SKAdNetwork will only attribute app installs (via the last-click model) and not view-through conversions.
- Campaign IDs are limited to 100 per AdTech platform (e.g. ad network or MMP).
ITP for All Browsers in iOS 14, iPad 14, and Safari 14
With the release of iOS 14, iPad 14, and Safari 14 on September 15, 2020, Apple included a couple of new privacy features:
- Privacy Report: Users will now be able to see how many trackers were blocked by Safari on a given page, as well as other information about trackers.
- ITP for all web browsers: For iOS 14 users, ITP will be applied to all web browsers, not only Safari.
This means that all web browsers, not just Safari, in iOS (v14 and above) will include the Intelligent Tracking Prevention feature.
In 2021, Apple will introduce new privacy features that will be available to iCloud+ subscribers, which will refer to paid iCloud subscriptions. The changes below won’t apply to the free subscription of iCloud.
Private Relay encrypts the traffic between the Safari browser and the website a user is visiting. This means that nobody, not even Apple or the network provider, will be able to read the information being passed.
Mail Privacy Protection
This feature will prevent email senders from using invisible pixels to identify when a user opens an email. It will also mask a user’s IP address so that it can’t be used to determine their location or linked with other online activity.
Hide My Mail
The Hide My Mail feature will allow users to use a unique and randomly generated email address instead of using their actual email address.
The newly generated email address will forward to the user’s personal email address and users can create and delete as many “hidden” email addresses as they like.
The Impact on Programmatic Advertising and AdTech
Just like pretty much every privacy change, these new privacy changes in iCloud+ will have a negative impact on programmatic advertising and AdTech.
Mail Privacy Protection will likely disrupt how email automation and MarTech tools work as they won’t be able to report on open rates.
The Hide My Mail feature will disrupt ID graphs and ID solutions built around email addresses.
It’s possible for these ID solutions to use and convert the “hidden” email address into an ID, but we’ll have to wait and see what this looks like in reality.