What the new Apple privacy rules mean for iOS products

May 13th, 2021 Written by Gabrielle Earnshaw

How will iOS 14.5 will impact apps that use analytics, advertising, or tracking?

As a consultant working with customers to develop mobile strategies and build apps, I’ve been watching the new Apple Privacy rules closely. They have been popular with users so far, so they look like they’re here to stay. If your business is built on tracking data, trading tracked data or serving targeted ads, you probably know already that you’re going to be heavily impacted. But what about other app businesses? Most commercial (and many non-commercial) apps use some kind of analytics, advertising, or another tracking. Although more subtle, these apps will also be impacted by the changes.

Overview

The new Apple Privacy rules came into force with iOS 14.5, released on 26th April 2021. They require that you need the user’s permission to track them, or to access their device’s advertising identifier (IDFA). From Apple’s documentation:

Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.

Tracked data is valuable to companies because it allows them to build up a fine-grained profile of a person’s interests and spending habits. This makes it easier to advertise at them in a targeted way. These rules will make it harder to collect this data, the result being a fall in revenue from tracked data for these companies.

What do the rules mean?

The rules mean that if you don’t have user consent, you can’t do anything within your iOS app that constitutes tracking. You are responsible for any third-party libraries included in your app code, so if they break the rules, your app is seen to break the rules.

If you don’t comply with the new guidelines, you could be stopped from releasing updates to your app until issues are resolved, or in the worst case, your app could be removed from the App Store. I would advise staying as far inside the rules as your business model allows because Apple could reject a future update for breaking these rules, even if it had previously been accepted and the update is completely unrelated.

Apple’s documentation provides a comprehensive overview with good examples of what is and isn’t allowed, and it’s worth reading if you’re concerned. Some of my takeaways of how this applies to the products I work with are as follows.

Without consent, you can’t:

  • Serve targeted ads to users.
  • Get access to the advertising identifier.
  • Use any method of tracking or digital fingerprinting, even if it doesn’t include the advertising identifier.
  • Share email address, advertising identifiers, location data or other user identifiable data collected in your app with third parties.
  • Use a third-party library in your app that tracks users, even if you don’t use the library for tracking purposes.
  • Use tracking data measure advertising efficiency (but can use other methods to measure advertising efficiency).

You can:

  • Collect general analytics about your app usage, as long as it doesn’t rely on user identifiable data.
  • Measure advertising efficiency, as long as the method you use doesn’t break the tracking rules.
  • Track and collect user data on other platforms, such as your website or Android app.
  • Store user data needed for use of your products and services, as long as you don’t use it in a way that breaks the tracking rule.

When do the rules apply?

The rules apply to iOS devices — Android and web are unaffected. They only apply to cases where tracking data is collected and sent off the device. Apps can still collect and use this data where it isn’t sent off device.

The rules don’t apply to devices that haven’t yet updated to iOS 14.5, since it relies on software changes in that version of iOS. However, this data from Flurry, charting adoption rates of recent iOS releases, suggests that the majority of users will have updated within a few weeks.

The restrictions don’t apply to users who consent to tracking. This data from Flurry suggests that only around 12% of worldwide users are consenting. In my opinion, there is likely to be a large variation in consent across different apps. For example, several apps that I work with include prominent ads and cross-sell links to other products. So far, these are obtaining much higher consent rates of around 40–50%. I believe this is because the audience has already self-selected based on their tolerance to advertising, i.e. if they didn’t like advertising, they wouldn’t be using the product.

How do users feel about the new rules?

Privacy is a hot topic. Awareness is growing about the way data is tracked, and how it can be used to manipulate behaviour to generate revenue. Broadly speaking, Apple’s approach is that users own their data, and they protect it from being taken or shared without consent. Because it doesn’t monetise user data, its products and services are more expensive to the end user. On the other hand, Google, which owns the Android platform, collects data from users to generate revenue (and lots of it). Because it makes money from user data, many of its products and services are less expensive, or even free.

Users are reacting positively to the new rules. As seen already, this data from Flurry suggests that only 12% of iOS users are opting in to tracking. At the same time, this survey from Android Authority found that 86% of Android users who responded favoured having a similar feature on Android. This survey from SellCell found that 14% of Samsung users intended to switch to an iPhone next time they upgraded. 31.5% of those (4% of all the Samsung users who responded) cited privacy concerns as the main reason for wanting to switch. Conversely, the same survey found that 92% of iPhone users expected to stay with Apple next time they upgraded.

What app businesses will be affected by the changes?

The app or technology companies most affected are in the following list. If you’re in this list and you haven’t already acted, you are likely to see a decline in revenues as a result of the changes.

  • Your business model relies on attracting users to your platform to serve targeted ads to them. You won’t be able to serve targeted ads unless the user explicitly consents within your app. Even if the user consents, they may not have consented within other apps, which could make targeting less effective.
  • Your business model relies on tracking user data to pass to third-parties. If users don’t consent to being tracked, you won’t be able to collect that data.
  • Your business model relies on brokering tracked user data, i.e., getting tracked data from one-third party and giving it to another. The amount of user data that you can obtain will decrease; the demand for targeted data will decrease; and the quality of data you collect and sell will decrease.

For other iOS app business models, the impacts will be more subtle, and might not be immediately apparent.

Many apps use third-party analytics providers. Some providers effectively offer free, or inexpensive, pricing tiers in return for the valuable data they can track whilst embedded in an app. Now Apple has reduced the scope for collecting that data, it might need to change its business model to charge you more for its service, or it might stop providing the service altogether, meaning you’ll need to switch. Similar will apply to advertising providers, or services that display ads inside your app in exchange for being free or low cost.

Another implication of using these third-party providers is that it isn’t guaranteed that they Apple will continue to allow its use with users who don’t consent to tracking. You are not allowed to share tracked data with data brokers, and some of the big analytics and backend-as-a-service providers are considered to be data brokers. For example, Google, a well-known data broker, owns the popular Firebase platform. So far, the Google app-integrations seem to be compliant with the rules and are being allowed, but it’s not clear if that will be the case forever, or for all providers. If you are using one of these third-parties, you might need to switch at short notice.

Measuring the effectiveness of advertising campaigns is another area that will be affected. If you use a provider that has relied on the advertising identifier, they will have to change to other methods. Many of the big players have started to do this, for example AppsFlyer, as they explain in this article. Depending on the provider you use, you might see this service becoming either more expensive, or less effective. My view on this is that other methods of measuring advertising campaigns, such as the one described by AppsFlyer, will be similarly effective, in which case the impact of this over time will be small.

Finally, you need to make any code changes that apply to your app. If you are using the advertising identifier, you should do this as soon as possible because you won’t have access to it until your iOS 14.5 users have consented. If you are doing custom tracking without using the advertising identifier, you will need to update your app urgently, as it will be in breach of the App Store rules, and it could be removed from the store.

What do I need to change in my app?

If you are tracking users directly, or if you use third-party libraries which require the advertising identifier, you need to obtain user consent via Apple’s App Tracking Transparency libraries. If the user gives consent, your app will get access to the advertising identifier.

The code change needed for this is small and simple. And you can’t accidentally access the advertising identifier if you don’t have user consent, so you don’t need to worry about a bug causing your app to be pulled from the store.

If you are doing any custom user tracking that doesn’t use the advertising identifier, you’ll have to make code changes to ensure that they only happen if the user consents.

You will need to check any third-party libraries used by your app. It is possible that they are tracking user data without you realising. Under Apple’s rules, you are responsible for everything that happens inside your app, so your app could be rejected or pulled from the store because of this.

If your business model relies on consent rates being as high as possible, you should consider change your app to inform users why they might benefit from consenting.

How do I get consent from users?

To ask for consent from users, use Apple’s App Tracking Transparency libraries. This will present a simple dialog to users asking them if they consent.

There are some points to bear in mind.

  • Users can deny consent to all apps at once in their device settings. If they have done this, you will never be able to ask them for consent in your app, and you can’t track the user or access their advertising identifier.
  • You can ask users for consent once and only once. If they decline tracking, you can’t ask them again later.

You might want to encourage your consent levels to be as high as possible. As mentioned above, you are allowed to inform users why they might benefit from consenting, for example by showing an information screen before you present the consent dialog.

However, you can’t leverage consent by blocking access to features for users who don’t consent because this would be in breach of Apple’s rules.

Conclusion

I hope you found this article useful. I’d like to thank my colleagues, Kieran Hall and Mark Houghton, for their work researching this topic, implementing the code changes in some of the apps we build, and exploring the wider implications with our customers.

Blog originally posted on Medium and can be found here.

Mobile

Learn more about how we use well-crafted design and engineering to build apps that are reliable, accessible, and engaging.