6 Burning Questions About Apple’s ATT Privacy Framework

AppTrackingTransparency enforcement officially began in late April.

But advertisers, publishers and mobile ad tech vendors are still grappling with a lot of head scratchers – and the dust is far from settled.

Until the release of iOS 14.5 last month, among the biggest unknowns consuming the mobile ad ecosystem was the agita-inducing question of timing for Apple’s new privacy framework.

That was only the beginning.

Here are the top unanswered questions that developers and ad tech companies still have about ATT opt-in rates, SKAdNetwork, how ATT functions (or doesn’t) and the impact that Apple’s policies will have on ad targeting and measurement.

1. Will Apple give advertisers more transparency into SKAdNetwork?

SKAdNetwork is Apple’s homegrown attribution API for iOS 14. Tracking is limited to the campaign level so that advertisers and publishers can only see aggregated user insights.

This limitation is in place by design as a privacy-preserving mechanism. If a user installs an advertised app within a certain attribution window, the user’s device sends a postback directly to the ad network that deserves the credit. The ad network then shares that information with the advertiser.

But that process introduces opacity, said Alasdair Pressney, director of product strategy at AdColony, and there’s no reason for the extra step.

“In order to increase transparency across the industry, it would be a logical evolution for the postback to be delivered directly to both the advertiser and the network simultaneously by Apple,” Pressney said.

2. Will Apple address the issue of validation to ensure that all of the information in a SKAdNetwork postback is authorized and unaltered?

In order to prevent fraud, a cryptographic signature is added to postbacks. Third parties are able to validate that signature using a public key supplied by Apple.

Mobile measurement partners (MMPs) have been positioning themselves as one-stop-shops to verify and aggregate SKAdNetwork postbacks on behalf of advertisers working with multiple ad networks.

But SKAdNetwork postbacks aren’t impervious to meddling. As it stands, conversion values – the six bits of data that developers can use to map to different conversion events or revenue information – are not verified using the cryptographic install signature, Pressney said.

Because conversion values aren’t part of the cryptographic signature, MMPs could “obfuscate and therefore devalue SKAdNetwork signals in favor of their own products,” he said. “And this makes it harder for everybody to build products that support SKAdNetwork properly.”
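The gap Pressney describes can be shown from the receiver's side. The sketch below is an added example, not code from Apple or from the article: HMAC-SHA256 stands in for Apple's public-key signature, and the field names, the set of signed fields and the sample values are assumptions made for illustration. The check returns both whether the signature is valid and which received fields the signature does not cover.

```python
import hashlib
import hmac

# Assumption: these field names and the choice of covered fields are illustrative.
SIGNED_FIELDS = ("version", "ad-network-id", "campaign-id", "app-id", "transaction-id")
SIGNATURE_FIELD = "attribution-signature"
DEMO_KEY = b"constructed-demo-key"  # stand-in for the real signing key


def _signed_bytes(postback):
    # Only the covered fields, in a fixed order, feed the signature.
    return "\x1f".join(str(postback[name]) for name in SIGNED_FIELDS).encode("utf-8")


def sign(postback, key=DEMO_KEY):
    return hmac.new(key, _signed_bytes(postback), hashlib.sha256).hexdigest()


def check_postback(postback, key=DEMO_KEY):
    """Return (signature_ok, unauthenticated_fields) for a received postback."""
    required = set(SIGNED_FIELDS) | {SIGNATURE_FIELD}
    if not required.issubset(postback):
        return False, sorted(postback)
    ok = hmac.compare_digest(sign(postback, key), str(postback[SIGNATURE_FIELD]))
    if not ok:
        # Nothing in a postback with a bad signature can be trusted.
        return False, sorted(postback)
    # Valid signature: report every field it does not vouch for.
    return True, sorted(name for name in postback if name not in required)


def make_sample():
    # Constructed sample postback; none of these values come from a real campaign.
    postback = {
        "version": "2.0",
        "ad-network-id": "example.skadnetwork",
        "campaign-id": 42,
        "app-id": 1234567890,
        "transaction-id": "constructed-transaction-id",
        "conversion-value": 20,
    }
    postback[SIGNATURE_FIELD] = sign(postback)
    return postback


if __name__ == "__main__":
    received = make_sample()
    received["conversion-value"] = 63  # changed after signing
    print(check_postback(received))
```

A consumer of postbacks that records the second return value can keep signed and unsigned fields apart in reporting instead of treating a valid signature as covering the whole message.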

3. When will web-to-app campaigns be supported by SKAdNetwork if a user doesn’t opt in?

SKAdNetwork exists to help advertisers and publishers with their app-based attribution. Apple also built an attribution tool called Private Click Measurement (PCM) to help track app-to-web campaigns as well as purely web-based customer journeys.

For now, PCM app-to-web is only supported for Safari, iOS and iPadOS, although Apple plans to eventually enable other default browsers.

But there is currently no attribution solution on iOS for web-to-app user flows, such as when a user is directed to the App Store after clicking on a mobile web display ad.

“If the user does not opt in,” said Paul Müller, CEO and co-founder of AppLovin-owned Adjust, “iOS 14 does not offer any solution to get campaign performance.”

4. How long will it take for ad targeting performance to diminish in apps and will opt-in rates improve?

Depending on whom you ask, ATT opt-in rates aren’t too bad, all things considered … or they’re in the toilet.

“There is an impending sense of dread creeping into the targeted ad ecosystem,” said Mike Shaughnessy, COO of Kargo, pointing to The Trade Desk’s stock, which fell by 25% last week in part due to the uncertain future of targetability.

One reason the ATT opt-in numbers are all over the map is that people are using very different methodologies to calculate the rates.

But math aside, there’s no disputing the fact that developers will need to do a lot of testing to figure out the best practices for their ATT prompts and pre-prompts if they want to secure opt-ins.

For example, “is there a specific step or moment in the user’s journey that generates the highest opt-in rates, especially in the gaming vertical?” said Moshe Vaknin, CEO and founder of mobile monetization company YouAppi.

According to Adjust’s internal research, the size of the pre-permission prompt, when it’s displayed, and the placement and copy used in the call-to-action button, can all have a direct impact on whether a user chooses to opt in.

5. Will publishers change the way they evaluate their SDK partners now that Apple is enforcing ATT?

Developers should always be careful about who they work with, but vetting third-party partners is even more important now.

If an app includes third-party code that combines user data with other developer data to target or measure ads, Apple considers that to be a violation of its ATT policy – even if the app doesn’t use the SDK in question for those purposes.

Apps that use SDKs that engage in fingerprinting could be rejected from the App Store.

In other words, and in Apple’s own words, “developers are responsible for all code included in their apps.”

The question now is whether app developers will start to increase their vigilance about which SDKs they use since the stakes are so high, said Paulina Klimenko, chief growth officer at PubMatic.

In April, a little less than three weeks before iOS 14.5 was released, Apple started flagging apps that had the Adjust SDK integrated for allegedly fingerprinting users. Adjust quickly updated its source code.

6. Will Apple be able to enforce ATT consistently?

Apple has publicly denounced the use of alternative universal identifiers, such as hashed email, as a replacement solution for IDFA, said Charles Mi, CTO of data company Adara.

That’s the case even if the data was collected with consent elsewhere. Apple requires that any data used in its app ecosystem be collected via the ATT framework.

But it’s unclear exactly how Apple will effectively enforce its own policies. As Craig Federighi, Apple’s SVP of software engineering, told The Wall Street Journal last month, “We can’t ensure at the system level that [developers] are not tracking. We can do so at the policy level.”

So, watch this space. In the meantime, it’s messy out there.
