In April 2020, Apple rolled out an update for its iOS operating system that included new privacy measures (“App Tracking Transparency” or “ATT”) to limit advertisers’ tracking of iPhone users. iPhone users were relieved by their newfound control over which, if any, of their information is tracked. However, this feature has the potential to harm small businesses that use highly targeted advertising campaigns to drive sales.
Prior to Apple’s release of iOS 14.5, developers could use a variety of tools to track iPhone users’ data from within an app, such as Facebook or Instagram. This cross-application tracking created enormous amounts of data on consumers, allowing businesses to individually target consumers with relevant ads. Often, these advertising opportunities have been purchased by small businesses that wish to target a specific audience typically drawn to larger and more well-known sites with their own goods or services. To track user data, developers generally used an Apple-controlled system called Identifier for Advertisers (“IDFA”) or other third-party tools.
The significant change introduced by ATT is that users are now notified of app tracking and are given the choice to opt out. While users were able to opt out of Apple’s IDFA-based tracking before the iOS 14.5 update, ATT requires developers to provide users with a choice by presenting a standardized prompt created by Apple. This type of permission is not new to Apple, as it already requires apps to ask for permission to access a user’s microphone, camera or location. If a user chooses to “allow” tracking, tracking and targeted advertisements work as they did before; however, if a user asks the app “not to track,” the developer will not be allowed to track or sell the user’s data using Apple’s IDFA or any other system on that application.
A limitation to ATT is that it does not limit the ability of apps to track user data itself (“first-party” tracking); it just limits tracking that will subsequently be sold or provided to third parties. It allows consumers to take more control over who profits from their data. However, first-party tracking is significantly less valuable than other tracking mechanisms, which monitor consumer behavior across a wide range of apps and websites. To counteract the limitations in third-party data caused by ATT, Apple has introduced SKAdNetwork (“SKAN”). SKAN offers performance data on a campaign level but limits how many data events can be observed per campaign. This type of marketing prevents the disclosure of individual user behavior while still analyzing data patterns within a group – a concept called “differential privacy.”
Apple’s ATT presents a problem to businesses that rely on targeted advertisements because the recent changes will make it more difficult to link consumer behavior across apps and mobile websites. Tracking opt-in rates are low, with only four percent of users in the United States allowing themselves to be tracked as of May, 2021, rising to approximately 21 percent of users as of September 2021. This presents a significant challenge to the advertising algorithms that previously performed well because they could observe what advertisements users selected and then adjust the advertisements to be targeted to each user. Users that opt out may soon notice that ads are much less relevant to their interests.
An outspoken critic of Apple’s ATT feature has been Facebook, a company that makes most of its revenue from advertising. Facebook began publicly objecting to Apple’s new feature in December, 2020, claiming that the changes would harm millions of small businesses that use its platform for advertisements. While Facebook is looking out for its own interest as a large advertising platform, there is truth in their claim that small businesses are bearing a burden. Many small businesses use data sharing and targeted advertisements on Facebook and Instagram, and any benefits they have gained from digital advertising on these platforms will decline as users opt out of being tracked. App developers have hoped for a loophole in Apple’s new rule, but Apple’s senior vice president of software engineering Craig Federighi said that the company will remove apps from its App Store that track users in ways that could be shared with other companies without user permission.
Since the launch of iOS 14.5, Apple announced that iOS 15.2 will introduce another feature called App Privacy Report (“APR”), which will provide an overview of what apps are tracking user information, what they use that information for and with whom those apps are sharing such information. The APR feature will collect this data directly from app behavior, meaning developers will not be self-reporting. This method of data collection will prevent bad actors from misleading users about what information they are collecting and where it is going. Specifically, the APR will show users when an app last accessed sensitive data and list domains with which the app has communicated over the past week. Prior to Apple’s beta launch, they allowed developers to preview what will be on their APR. Shortly after the preview was released, Chinese app WeChat was discovered to be accessing user’s photos every few hours – a behavior the app said it would remove in its future update.
The addition of the APR feature demonstrates the need for developers to monitor what they are tracking and ensure that it is necessary to improve the user experience. In preparation for the release of iOS 15.2, developers should perform a complete network test to ensure they are aware of all third-party communications. The new system launch is an opportunity for developers to build trust with users by confirming that their privacy policy matches their APR. The last thing a developer would want is for users to discover through the APR feature that their app’s privacy policy fails to mention they share sensitive information with specific third parties.
Lutzker & Lutzker is available to assist in navigating the compliance issues that follow new privacy features and will continue to provide updates as these features change.