Apple's New Opt-In Consent for Advertising Identifiers

Last updated on 24 December 2020 by Robert Bateman (TermsFeed Privacy and Data Protection Research Writer)

Apple's New Opt-In Consent for Advertising Identifiers

Apple's iOS 14 will require developers to request opt-in consent before tracking users with Apple's ID for Advertisers (IDFA). Failing to abide by the new rules will be a serious violation of Apple's App Store Review Guidelines that could lead to the removal of your app.

The new rule was first announced in June 2020, but its implementation has been pushed back until sometime in 2021. The changes may require you to reconsider your approach to monetizing your app.

This article will help you understand whether Apple's new rules apply to you, and, if so, what you need to do to comply. We'll also be looking at some less intrusive alternative means of monetizing an app that do not require opt-in consent under Apple's new rules.


What are Apple's New Privacy Rules?

Apple has two main new rules relating to user privacy:

  • Apps must seek opt-in consent before "tracking" users
  • App developers must submit detailed information about how their app processes user data

This article is about the first of these two new rules: seeking consent for tracking.

If you want to know more about the second rule, submitting app privacy information, see our article Complying with Apple's App Privacy Details.

Why is Apple Making These Changes?

Consumers are taking more and more notice of how tech companies and marketers are using their data. Privacy laws are getting stricter. Apple wants to show that it respects its users' privacy and will not share their data without consent.

Apple may also be attempting to bring its practices in-line with privacy laws such as the EU General Data Protection Regulation (GDPR) and ePrivacy Directive, which require consent for the use of tracking technologies such as Apple's IDFA.

Privacy matters to all businesses operating online. You need to ensure you're privacy-compliant in all areas of your business. Alongside complying with Apple's requirements, this also includes maintaining an up-to-date Privacy Policy and ensuring your website uses a valid cookie consent solution.

Check out our tools for website owners:

Generate legal agreements for your website or app in minutes with TermsFeed: Privacy Policy, Terms & Conditions, Cookies Policy and more.


What Does the Tracking Consent Requirement Involve?

Developers wishing to track users must seek opt-in consent using Apple's App Tracking Transparency framework. This involves presenting the user with a pop-up notification before you begin tracking them. This pop-up will explain your intentions and ask for their consent.

Here's an example of what this pop-up will look like, taken from Apple's website:

Screenshot of Apple User Privacy and Data's permission to track notification

If a user consents to tracking, you can use their IDFA to deliver targeted advertising and measure ad engagement. If the user does not consent then you must not track them.

Won't This Hurt My Bottom Line?

Many app developers are concerned about Apple's decision to enforce consent requirements. Although users have always been able to opt out of tracking, it is likely that requiring them to opt in will reduce the number of users who receive targeted ads.

As such, you may wish to consider alternative ways to monetize your app, such as contextual ads, affiliate ads, or subscriptions.

Apple is well aware that its changes have caused controversy among developers and competitors. As a result, Apple:

  • Delayed the implementation of the tracking consent requirement (which was initially due to take effect in September 2020)
  • Announced that smaller businesses earning up to $1 million per year will pay a reduced commission on app store sales (from 30 percent down to 15 percent)

What is "Tracking?"

What is

How do you know if you are tracking users? Apple provides two definitions and a set of examples of what constitutes "tracking." Let's take a look.

Apple's Definition of "Tracking"

Apple defines two types of "tracking":

  • "Linking user or device data collected from your app with user or device data collected from other companies' apps, websites, or offline properties for targeted advertising or advertising measurement purposes."
  • "Sharing user or device data with data brokers."

Apple provides a non-exhaustive list of examples of "tracking." We've listed these in the table below, together with an explanation of each activity.

"Displaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies."

Apple's "targeted ads rule" includes displaying targeted ads using a third-party SDK, such as Google AdMob or Amazon Mobile Ads.

Targeted ads don't include "contextual ads" or "affiliate ads" that do not process user data.

"Sharing device location data or email lists with a data broker."

Apple specifies that sharing device location or email lists with a data broker will constitute tracking. It is reasonable to assume that sharing other types of user data with a data broker would also constitute tracking.

Apple defines a "data broker" as "a company that regularly collects and sells, licenses, or otherwise discloses to third parties the personal information of particular end-users with whom the business does not have a direct relationship."

Note that some jurisdictions have a legal definition of "data broker" that may differ from Apple's. In this case, you'll need to meet both the legal definition and Apple's definition.

There's an exception to Apple's "data broker rule," detailed below.

"Sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to retarget those users in other developers' apps or to find similar users."

Along with displaying targeted ads within an app, another way to monetize an app is to share user data with third parties, so that they can use it to target ads on other apps or websites.

If you share any emails or identifiers with third parties for this purpose, Apple's "identifier sharing rule" means you'll need to get a user's consent before doing so.

"Placing a third-party SDK in your app that combines user data from your app with user data from other developers' apps to target advertising or measure advertising efficiency, even if you don't use the SDK for these purposes. For example, using an analytics SDK that repurposes the data it collects from your app to enable targeted advertising in other developers' apps."

Apple's "third-party SDK rule" covers SDKs that allow data from other apps to be used to either target ads or measure ad engagement.

Note that Apple allows developers to use the ID for Vendors (IDFV) to continue to measure ad engagement across apps that they own, as detailed below.

Apple's Exceptions to Tracking

Apple's Exceptions to Tracking

Notwithstanding the definitions and examples of "tracking" provided above, Apple states that the following activities do not constitute "tracking":

"When user or device data from your app is linked to third-party data solely on the user's device and is not sent off the device in a way that can identify the user or device."

This "local processing exception" covers situations where user data is:

  • Not sent off the device, or
  • Not sent off the device "in a way that can identify the user or device"

Note that some "anonymization" techniques might not ensure that a user cannot be identified. Exercise caution when transferring a user's data off their device.

"When the data broker with whom you share data uses the data solely for fraud detection, fraud prevention, or security purposes, and solely on your behalf. For example, using a data broker solely to prevent credit card fraud." Note that this "data broker exception" only applies where data is shared with a broker for fraud prevention purposes - not for other purposes served by data brokers such as risk mitigation (or, of course, marketing).

Using the ID for Vendors

Apple presents its IDFV as an easier alternative to using the IDFA. This allows businesses operating more than one app to track analytics across their apps.

If you offer more than one app on the App Store, you can use the IDFV to track the referral or download sources of each of your apps sharing a bundle ID. You don't need to request user consent before doing this.

Apple's opt-in requirement for tracking should be familiar to EU users. Under EU law, a user must be asked for consent before tracking devices, such as the IDFA, are placed on their device.

As such, if you wish to ensure that your app is legally compliant, you should already be requesting consent before tracking EU users (and users based in the European Economic Area or the U.K.). This rule applies whether or not your business is based in the EU.

How to Implement Apple's New Requirements

How to Implement Apple's New Requirements

Implementing the App Tracking Transparency framework is a three-stage process:

  1. Set up an NSUserTrackingUsageDescription message. This informs the user that your app wishes to track their device and explains why.
  2. Call the requestTrackingAuthorization(completionHandler:) request. This presents the user with the tracking consent request.
  3. Use the trackingAuthorizationStatus to determine whether the user has consented. Its value will be either ATTrackingManager.AuthorizationStatus.authorized, or ATTrackingManager.AuthorizationStatus.denied.

Additional Information on Apple's Tracking Consent Rules

Here is some additional information regarding Apple's new tracking rules.

Don't deny non-consenting users access to your app

According to section 3.2.2 (vi) of Apple's App Store Review Guidelines:

"Apps should not require users to rate the app, review the app, watch videos, download other apps, tap on advertisements, enable tracking, or take other similar actions in order to access functionality, content, use the app, or receive monetary or other compensation, including but not limited to gift cards and codes."

Therefore, if a user chooses not to consent to tracking, you must not deny them access to any part of your app or diminish their experience of using the app in any way.

Explain why you want tracking permission

It's important to be transparent about how your app processes user data. Therefore, you should explain why you want to track your users when asking for their permission. Your explanation must be honest (e.g. "to target advertising based on your activity").

Don't manipulate your users into consenting

According to section 5.1.1 (iv) of Apple's App Store Review Guidelines:

"Apps must respect the user's permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access."

Therefore, you must be totally clear with your users when making the tracking consent request. Don't pretend that your tracking activity is for their benefit, or that refusing consent will diminish their experience of using your app.

Don't track users via means other than the IDFA

If a user refuses to consent to tracking using the IDFA, this doesn't mean that you can track them using other means, such as their hashed email address or phone number. If a user refuses consent for tracking, you must not track them in any way.

You must also not use device signals or fingerprinting to identify or track a user. Section 3.3.9 of the Apple Developer Program License Agreement states:

"...neither You nor Your Application will use any permanent, device-based identifier, or any data derived therefrom, for purposes of uniquely identifying a device."

If you earned your user's consent to tracking elsewhere, for example, via a cookie consent solution on your website, this consent doesn't extend to your app. You must still request permission for tracking within your app via the App Tracking Transparency framework.

Take care when using third-party SDKs

You are responsible for any third-party SDKs included in your app. This means that if a third-party SDK causes you to violate Apple's privacy rules, you risk your app being removed from the app store (or even facing legal action).

You must carefully vet your third-party partners and ensure they treat your users' data with care. If you have EU users, you may be entering into a controller/processor arrangement with third-party SDK providers and thus require a Data Processing Agreement.

Your responsibility for third-party code extends to single sign-on functionalities, for example using the Facebook Login for iOS SDK. If you want to see how problematic using single sign-on SDKs can be, see our article on Zoom's CCPA class action.

Summary

You must comply with Apple's opt-in consent rules if:

  • Your iOS app displays targeted advertising using data from other apps or websites
  • You share user data with a data broker
  • You engage in any other form of cross-device or cross-website tracking

Apple's rules mean that you must use the App Tracking Transparency framework to:

  • Explain why you wish to track your users
  • Request their permission for tracking
  • Enable them to opt out of tracking
Robert Bateman

Robert Bateman

TermsFeed Privacy and Data Protection Research Writer

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.