When Apple announced that one of the major focuses of iOS 14 would be enhancing user privacy, many in the tech community had questions. How would these changes be rolled out? How would they affect not only the mobile advertising industry, but also the developers who rely on ad revenue and tracking to run their business? Although iOS 14 was released in September 2020, Apple has indicated that the privacy changes will not be mandatory until 2021. That gives developers some time to think through their approach.
Apple’s announcement describing the big iOS 14 privacy changes can be found here. To summarize, here are the key takeaways:
Here are five practical tips to handle the new Apple requirements based on how our clients are preparing for the changes and attempting to offset any potential impact on revenue.
While Apple requires all developers to provide users with new App Store privacy disclosures, developers are not required to rewrite or edit their existing privacy policies. Developers are still required to link to their full privacy policy—both on the App Store download page and within the app itself—to ensure their users are fully informed of their data practices.
However, now is a great opportunity for developers to review their existing privacy policies and ensure that these policies are accurate and consistent with the Apple-required disclosures. Material inconsistencies between these disclosures could be perceived as a deceptive trade practice and give rise to liability under Section 5 of the Federal Trade Commission Act or similar laws at the state level. To the extent developers need to make material changes to their privacy policies, they may need to notify all existing users and obtain new consent where legally required.
Developers should try to communicate to users the value of sharing their IDFA (e.g., how custom, personalized ad experiences benefit users). Apple has provided a sample consent pop-up for the AppTrackingTransparency (ATT) framework, which is similar to the consent pop-up that appears when an app requests access to sensitive information, such as a user’s precise geolocation or contacts.
While this prompt satisfies Apple’s requirements, it does not do a great job of explaining the benefits of giving consent, or in other words, why the user should provide this permission. Moreover, to the extent that developers would use Apple’s prompt to double as a consent mechanism for the purposes of the European e-Privacy Directive, it may not be sufficient, because the language may not cover all the activities for which a developer might use the IDFA (e.g., measuring ad conversions, creating lookalike campaigns to attract other users, and preventing fraud).
Fortunately, Apple allows some flexibility in the text that appears in this pop-up. Apple also allows developers to generate a separate pop-up that provides a more detailed explanation directly before Apple’s pop-up appears, so long as the developer’s explanation is not misleading. Fenwick can help you craft a message that explains the benefits of a personalized experience while maintaining legal compliance.
Apple’s rules do not prescribe when in the user flow the ATT pop-up must be surfaced. The developer must obtain consent before it can collect the user’s IDFA, but this consent does not necessarily need to be obtained immediately on app launch. Some developers may choose to surface the ATT pop-up early in the user experience to maximize the amount of data they can track, while others may choose to wait until users have had some time to use the app and serve the pop-up when users are more likely to consent to IDFA tracking. For example, in games, players may be more receptive to ads or offers that appear while celebrating an accomplishment, such as beating a difficult level or achieving a certain milestone.
Developers may need to experiment with different approaches (such as via A/B testing) to find the one that best accomplishes their objectives. This experimentation can include, for example, showing non-targeted ads (or no ads) until a certain level, and then giving the user an opportunity to opt in to a personalized ad experience via the ATT pop-up.
Apple’s rules prohibit developers from conditioning access to an app’s functionality on a user’s consent to tracking. Likewise, the App Store Review Guidelines say that “Apps should not require users to … enable tracking, or take other similar actions in order to … receive monetary or other compensation.” While direct compensation is prohibited, non-monetary incentives may be permissible. Some developers have interpreted these rules to mean that small, non-monetary rewards such as in-game currency are still permitted, so long as the user can still obtain the reward without agreeing to tracking (i.e., tracking is not required to receive the reward). For example, all users can obtain coins in a game, but users who consent to the collection of their IDFA may receive bonus coins. Likewise, some could argue that showing fewer behavioral ads to those who agree to tracking (compared to more contextual ads for those who opt out) would not fall within Apple’s definition of monetary or other compensation.
In any event, we advise caution when exploring these approaches, as Apple’s FAQs generally state that incentivizing tracking in any form is not allowed. Additionally, if a developer offers incentives in California, this could trigger the need for additional disclosures under the California Consumer Privacy Act’s “financial incentive” rules, meaning that the developer must be able to show that the value of the incentive is directly related to the value of the consumer’s data. Lastly, as a practical matter, many developers desire to have parity between the app experience on iOS and Android: offering incentives to iOS users but not Android users could create user confusion and dissatisfaction.
Companies should explore the growing number of alternative approaches for targeted advertising and ad attribution that do not rely on personal information. One recent study in 2020 showed that over 30% of iOS users in the U.S. have already disabled IDFA sharing via Limit Ad Tracking. Many developers fear this percentage will increase significantly under iOS 14, even if they take the steps described above. As a result, developers are already working on contingency plans for how to maintain their business. Here are some of the approaches we have seen:
Note that we do not recommend attempting to uniquely identify users via a combination of signals from their device, often referred to as “device fingerprinting.” In addition to violating Apple’s Developer Program License Agreement, this approach creates other privacy concerns, because device fingerprints are less transparent to users and harder for them to change, making it difficult for developers to honor users’ rights to opt out.
Despite big changes on the horizon, there is no need to panic. The online ad industry is resilient and will find a way to adapt, such as through:
In times of major change, it’s critical for developers to strike the right balance that allows them to experiment and try new business models, while at the same time staying compliant with the law, following platform-issued guidelines and maintaining their users’ trust. Please reach out to us if you have any questions about how to navigate these changes.