Apple’s Delay to IDFA Opt-In and What Should Publishers Do Before it Is Enforced
Note: This post originally appeared on the SpotX website.
In July, we covered Apple’s announcement that with iOS 14, Apple will disable the IDFA by default and users must actively opt-in to share it with each app. We discussed how Apple got here and what publishers should start doing to prepare.
Apple has since delayed the requirement until “early next year” and it is widely expected to be required in iOS 14.3, likely launching in March 2021. The industry hasn’t been idle, however. Since the delay, the IAB has created a communication specification to help ad tech vendors navigate these new requirements, and French data authorities have sued to stop Apple from enforcing their new, unilateral requirement.
A quick recap of the challenge iOS 14 creates
As a reminder, Apple’s announcement stated that:
“With iOS 14, iPadOS 14, and tvOS 14, you will need to receive the user’s permission through the AppTrackingTransparency framework to track them or access their device’s advertising identifier. Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.” – Apple developer pages
A lack of IDFA on the bulk of ad opportunities will cause a major disruption in the current mobile ad ecosystem. The IDFA is used for ad measurement, attribution, and fraud prevention. Additionally, it is used by DMPs to build their identity graphs for audience targeting and by DSPs to determine the value of an ad opportunity. Finally, it is used for operational tracking, including user experience improvements like frequency capping. Removing the IDFA makes all parties in the ad transaction blind to the device on a given ad request and makes all of these activities impossible in their current form.
Apple’s added guidance closes some loopholes
One of the initial “workarounds” that was discussed in reaction to Apple’s news was to rely on publishers’ existing relationship with consumers to follow data protection law, and to use that direct relationship to generate a tracking ID in lieu of the IDFA. From a technical perspective, this is possible as Apple’s requirements simply zero out the IDFA. However, Apple nixed this idea quite clearly in their guidance. Of course, Apple’s guidance is not law, but it is possible they would remove you from the Apple Store if you willfully violate it. Here it is spelled out:
Can I gate functionality on agreeing to allow tracking, or incentivize users to agree to allow tracking in the app tracking transparency prompt?
No, per the App Store Review Guidelines: 3.2.2 (vi).
If I have not received permission from a user via the tracking permission prompt, can I use an identifier other than the IDFA (for example, a hashed email address or hashed phone number) to track that user?
No. You will need to receive the user’s permission through the AppTrackingTransparency framework to track that user.
If a user provides permission for tracking via a separate process on our website, but declines permission in the app tracking transparency prompt, can I track that user across apps and websites owned by other companies?
Developers must get permission via the app tracking transparency prompt for data collected in the app and used for tracking. Data collected separately, outside of the app and not related to the app is not in scope.
There goes that idea for now.
What can be done? Spotlight on technology
It is important to separate attribution (knowing that a user who clicked an ad downloaded the app, a common need in mobile), operational tracking (such as frequency capping and fraud detection), and targeting/retargeting (using information collected from the device to target it with an ad, such as advertising to an app user after three months of inactivity to encourage them to sign back in). We won’t address targeting and retargeting here, since there isn’t a great solution today and the ramifications have been discussed ad nauseam.
However, there is some reason for optimism that Apple’s change won’t upset the entire ecosystem. Attribution and operational tracking are now possible using Apple’s SKAdnetwork, its new-ish method for measuring attribution without access to user-level data, and a set of additional Open RTB extensions introduced in the IAB specification.
Since operational tracking is an almost universal requirement, we’ll dive into more detail on what the IAB spec proposes here, though attribution is possible using the spec as well.
How to conduct operational tracking without the IDFA
Using new attributes in the device BidRequest.device.ext of an Open RTB bid request, we’ll be able to use Apple’s IDFV to facilitate frequency capping as well as to signal to downstream vendors more information about a user’s interaction with Apple’s pop-up.
Apple’s descriptions of their tracking authorization status are as follows, and are replicated in the IAB suggested attributes:
case authorized – IAB atts = 3
The value returned if the user authorizes access to app-related data that can be used for tracking the user or the device.
case denied – IAB atts = 2
The value returned if the user denies authorization to access app-related data that can be used for tracking the user or the device.
case notDetermined – IAB atts = 0
The value returned if a user has not yet received an authorization request to authorize access to app-related data that can be used for tracking the user or the device.
case restricted – IAB atts = 1
The value returned if authorization to access app-related data that can be used for tracking the user or the device is restricted.
To communicate this information, the IAB provided these two new attributes and possible values:

Example
{
“device”: {
“ext”: {
“atts”: 2,
“ifv”: “336F2BC0-245B-4242-8029-83762AB47B15”
}
}
}
How does the IAB suggest ad tech vendors react to these signals?
Depending on the signal, the IAB suggests using the Do Not Track (DNT) and Limit Ad Tracking (LMT) parameters. They don’t draw a distinction between not determined, restricted, and denied, and suggest flagging anything except authorized with a DNT or LMT flag. This seems to follow Apple’s very strict guidance requiring the AppTrackingTransparency Framework.
- “DNT” or “LMT” = 1 when “ATTS” = 0, 1, 2
- “LMT” or “DNT” = 0 when “ATTS” = 3
We encourage publishers to evaluate the IAB’s proposal as we believe buyers will expect this information to make appropriate purchasing decisions and to facilitate frequency capping using the IDFV.
Will this be implemented globally early next year? The French think not
A group of trade associations filed a complaint with France’s competition authority, suggesting Apple’s privacy move is anticompetitive. Their hope is that the French courts will issue an injunction of sorts to prevent Apple from instituting this requirement. There are a couple of reasons why the trade associations’ complaints may hold merit.
Apple holds significant market power
There are over one billion iPhone users in the world. It’s not reasonable to suggest that if a certain company is unhappy with Apple’s policy that it will simply not create an app in the iOS ecosystem. There is no real alternative if a business believes it needs a presence in mobile. The risk of being removed from the app store is too great, as is the pressure to comply.
Apple treats itself differently
As we’ve discussed before, Apple’s new pop up is heavily weighted toward the user saying “no” to tracking. What isn’t clearly noted, however, is that Apple uses a different process for its own tracking purposes, which has softer language and relies on an opt-out rather than an opt-in, making it more likely that Apple will be able to track its users than publishers on its platform. Apple’s ad business is growing substantially, and industry groups believe this will give an unfair advantage to Apple. Moreover, this move allows Apple to “double dip.” If more publishers move to a subscription model because a tracking-free, ad-supported model is no longer profitable, Apple will take a 30% cut of the subscription revenue generated from apps in its store.

It’s not GDPR compliant, and unilateral decisions are not law
Another reason Apple’s requirement may not go into effect in Europe is that it is likely not GDPR or ePrivacy compliant. The pop-up does not provide enough information for a user to provide informed consent. IAB Europe went through painstaking discussions with the various European data authorities to create the Transparency and Consent Framework, which has multiple layers of information for users and includes details about the purposes for which the data might be used to enable them to make an informed choice. None of this is present in Apple’s pop-up.
Additionally, the IDFV is personal data under GDPR, so the fact that Apple says vendors are permitted to use it even if the user says “no” to its pop-up is likely not compliant with the ePrivacy Directive. This means that to achieve compliance, publishers likely still need to utilize a TCF approved consent management platform (CMP) in addition to Apple’s pop up. What happens if a user approves tracking for advertising purposes via a GDPR compliant CMP but not through Apple’s pop-up within the same app? It simply doesn’t make sense, and creates more confusion for everyone involved, including the end user we are intending to protect.
Apple is not a data authority or a representative of the people. Elected officials created data protection laws like GDPR, and having an individual company like Apple make decisions that override those rules makes consumers and government officials uncomfortable, even if done with the best intentions. Do we as consumers want an independent company to create and regulate its own rules or do we want it to help us enforce the laws of the land in which it operates?
Finally, GDPR suggests that consent should be collected by the entity running the service and directly interacting with the user. Apple could claim that the “service” is iOS, but certainly the publisher can suggest that the “service” is the app itself. Who wins that debate and is it fair for Apple to assert itself in this form?
It’s difficult to say whether the injunction in France will be successful. Even if it is held up in Europe, we don’t know if Apple will enforce this requirement outside of the EU or if they’d opt to take a global approach.
Hope for the future
The silver lining in this debate is that user privacy and identity are front and center in the discourse of the big advertising and technology companies. All over the world, governments are passing laws to enshrine the belief that privacy is a fundamental right, which we agree with. While it may seem frustrating that Apple is forcing its hand, it is promising that tools are being created to give consumers more control over their privacy, while still enabling marketers and advertisers to promote their products and services. It remains to be seen if, or when, Apple will institute its opt-in requirement, so it makes good business sense to prepare now.