Apple’s iOS 14 Privacy Changes: Five Practical Tips for App Developers

When Apple announced that one of the major focuses of iOS 14 would be enhancing user privacy, many in the tech community had questions. How would these changes be rolled out? How would they affect not only the mobile advertising industry, but also the developers who rely on ad revenue and tracking to run their business? Although iOS 14 was released in September 2020, Apple has indicated that the privacy changes will not be mandatory until 2021. That gives developers some time to think through their approach.

What You Need to Know

Apple’s announcement describing the big iOS 14 privacy changes can be found here. To summarize, here are the key takeaways:

  • New disclosures. Apple plans to require an additional privacy-related notice for each app that will appear on the App Store download page and describe what data the app collects, uses and shares. The notice will be automatically generated by Apple based on the developers’ answers to a series of prompts on the App Store Connect page. The full list of prompts is available here.
  • IDFA usage switched from device-level opt-out to app-level opt-in. Developers will need to ask for a user’s permission before collecting the user’s ID for Advertisers (IDFA). The IDFA has traditionally been used for a variety of purposes, from ad attribution and targeting to enabling promotions that span multiple apps. In past versions of iOS, developers could collect a user’s IDFA unless the user had enabled the “Limit Ad Tracking” feature in his or her iOS settings. However, iOS 14 will change this setting from a device-level opt-out to an opt-in that must be obtained for each app. This change is expected to result in a substantial decline in the number of users who share their IDFAs with developers.  

Five Practical Tips

Here are five practical tips to handle the new Apple requirements based on how our clients are preparing for the changes and attempting to offset any potential impact on revenue.

1. Ensure Privacy Disclosures Are Current and Consistent

While Apple requires all developers to provide users with new App Store privacy disclosures, developers are not required to rewrite or edit their existing privacy policies. Developers are still required to link to their full privacy policy—both on the App Store download page and within the app itself—to ensure their users are fully informed of their data practices.

However, now is a great opportunity for developers to review their existing privacy policies and ensure that these policies are accurate and consistent with the Apple-required disclosures. Material inconsistencies between these disclosures could be perceived as a deceptive trade practice and give rise to liability under Section 5 of the Federal Trade Commission Act or similar laws at the state level. To the extent developers need to make material changes to their privacy policies, they may need to notify all existing users and obtain new consent where legally required.

2. Explain the Value to Users of Sharing Their IDFA

Developers should try to communicate to users the value of sharing their IDFA (e.g., how custom, personalized ad experiences benefit users). Apple has provided a sample consent pop-up for the AppTrackingTransparency (ATT) framework, which is similar to the consent pop-up that appears when an app requests access to sensitive information, such as a user’s precise geolocation or contacts.

While this prompt satisfies Apple’s requirements, it does not do a great job of explaining the benefits of giving consent, or in other words, why the user should provide this permission. Moreover, to the extent that developers would use Apple’s prompt to double as a consent mechanism for the purposes of the European e-Privacy Directive, it may not be sufficient, because the language may not cover all the activities for which a developer might use the IDFA (e.g., measuring ad conversions, creating lookalike campaigns to attract other users, preventing fraud, etc.).

Fortunately, Apple allows some flexibility in the text that appears in this pop-up. Apple also allows developers to generate a separate pop-up that provides a more detailed explanation directly before Apple’s pop-up appears, so long as the developer’s explanation is not misleading. Fenwick can help you craft a message that explains the benefits of a personalized experience while maintaining legal compliance.

3. Consider the Optimal Time to Seek Consent

Apple’s rules do not prescribe when in the user flow the ATT pop-up must be surfaced. The developer must obtain consent before it can collect the user’s IDFA, but this consent does not necessarily need to be obtained immediately on app launch. Some developers may choose to surface the ATT pop-up early in the user experience to maximize the amount of data they can track, while others may choose to wait until users have had some time to use the app and serve the pop-up when users are more likely to consent to IDFA tracking. For example, in games, players may be more receptive to ads or offers that appear while celebrating an accomplishment, such as beating a difficult level or achieving a certain milestone.

Developers may need to experiment with different approaches (such as via A/B testing) to find the one that best accomplishes their objectives. This experimentation can include, for example, showing non-targeted ads (or no ads) until a certain level, and then giving the user an opportunity to opt in to a personalized ad experience via the ATT pop-up.

4. Tread Carefully with Incentives

Apple’s rules prohibit developers from conditioning access to an app’s functionality on a user’s consent to tracking. Likewise, the App Store Review Guidelines say that “Apps should not require users to … enable tracking, or take other similar actions in order to … receive monetary or other compensation.” While direct compensation is prohibited, non-monetary incentives may be permissible. Some developers have interpreted these rules to mean that small, non-monetary rewards such as in-game currency are still permitted, so long as the user can still obtain the reward without agreeing to tracking (i.e., tracking is not required to receive the reward). For example, all users can obtain coins in a game, but users who consent to the collection of their IDFA may receive bonus coins. Likewise, some could argue that showing fewer behavioral ads to those who agree to tracking (compared to more contextual ads for those who opt out) would not fall within Apple’s definition of monetary or other compensation.

In any event, we advise caution when exploring these approaches, as Apple’s FAQs generally state that incentivizing tracking in any form is not allowed. Additionally, if a developer offers incentives in California, this could trigger the need for additional disclosures under the California Consumer Privacy Act’s “financial incentive” rules, meaning that the developer must be able to show that the value of the incentive is directly related to the value of the consumer’s data. Lastly, as a practical matter, many developers desire to have parity between the app experience on iOS and Android: offering incentives to iOS users but not Android users could create user confusion and dissatisfaction.

5. Explore Alternatives to IDFA Tracking

Companies should explore the growing number of alternative approaches for targeted advertising and ad attribution that do not rely on personal information. One recent study in 2020 showed that over 30% of iOS users in the U.S. have already disabled IDFA sharing via Limit Ad Tracking. Many developers fear this percentage will increase significantly under iOS 14, even if they take the steps described above. As a result, developers are already working on contingency plans for how to maintain their business. Here are some of the approaches we have seen:

  • Using Apple’s SKAdNetwork for ad attribution. Apple provides its own solution, SKAdNetwork, for tracking and attributing installation events even for users who don’t agree to IDFA sharing. SKAdNetwork also identifies redownloads, which helps advertising networks measure the success of reengagement campaigns. However, this technology will only be useful for tracking attribution (and not for targeting ads).
  • Non-individually identifiable IP address-based tracking. Developers in the child-directed market are accustomed to not being able to track children through the IDFA, which is considered a persistent identifier under laws like the Children’s Online Privacy Protection Act in the U.S. and thus may not be collected without verifiable parental consent. Some creative third-party vendors have found ways to still achieve their marketing goals without the need to identify any individual user, such as relying solely on the user’s truncated IP address for attribution and “advanced contextual targeting.”
  • Relying on affiliated consent. Companies may begin to explore innovative concepts such as affiliated consent, whereby an individual consumer approves a trusted party to curate experiences or make decisions for them, and the individual’s preferences and data are shared accordingly with other parties in the affiliate network. Through this approach, Company A might not need to track the individual user, since it could instead obtain the user’s preferences from Company B, which the user has authorized to share his/her preferences with other companies on a select basis.

Note that we do not recommend attempting to uniquely identify users via a combination of signals from their device, often referred to as “device fingerprinting.” In addition to violating Apple’s Developer Program License Agreement, this approach creates other privacy concerns, because device fingerprints are less transparent to users and harder for them to change, making it difficult for developers to honor users’ rights to opt out.

The Future: No Need to Hyperventilate

Despite big changes on the horizon, there is no need to panic. The online ad industry is resilient and will find a way to adapt, such as through:

  • Adjusting the price or quantity of ads
  • Finding new options to intelligently place contextual ads so they better match the interests of an app’s aggregate userbase (resulting in higher click-through rates)
  • Creating curated, multi-partner experiences with multiple affiliates, to take advantage of a partner’s existing consent (see “Relying on affiliated consent” above), and
  • Finding new, improved methods that will efficiently monetize those users who do agree to be tracked

In times of major change, it’s critical for developers to strike the right balance that allows them to experiment and try new business models, while at the same time staying compliant with the law, following platform-issued guidelines and maintaining their users’ trust. Please reach out to us if you have any questions about how to navigate these changes.