Apple’s iOS 14.5 update: the impact of tracking-related changes

On 26 April 2021 in its iOS 14.5 update, Apple released both a fresh set of updates for iPhone users and also one of the most significant and controversial changes to user privacy settings that Apple – and the industry - has ever seen. Alongside new emojis and more sophisticated face ID unlocking when wearing a mask, Apple launched App Tracking Transparency (ATT), which requires those offering apps on the App Store to request consent before tracking user activity across other companies' apps and websites. In other words, Apple has now placed strict controls on the tracking activities that companies have been undertaking extensively, lucratively and invisibly for nearly a decade, giving users unprecedented control over how their data is tracked and used.


The ecosystem prior to iOS 14.5

One of the many tracking tools that app developers have historically had at their disposal is the Identifier for Advertisers (IDFA). This is a unique code attached to each Apple device which can be used to aggregate user data from across all apps and services on that device, creating a comprehensive profile of a user’s habits and interests. When a user uses an app, this IDFA data (as well as other device information) is purchased by advertisers – via the ad supply chain of data brokers, servers, networks, and exchanges – to effectively target users with in-app adverts relevant to their behaviour. An additional, specific use case for this device information is  ‘attribution’, the process by which advertisers can track the origin of user clicks, purchases and downloads, which in turn is used to assess the effectiveness of their ad spend, campaign performance and ultimately, return on investment.

ATT in detail

At a first glance, ATT seems to rain on advertisers’ sunny and largely unrestricted parade. Although iPhone users have been able to opt-out of IDFA based tracking for some time (via Settings > Privacy), ATT shifts the burden onto app developers to give users an active choice via an Apple standardised in-app pop-up; the process no longer relies on users being data security aware or savvy. Users now must be asked whether to “Ask App not to Track”, and if selected, apps may not track or target behaviour across other apps installed on that user’s device.

Apple defines ‘tracking’ broadly; it includes accessing the IDFA as well as any other device identification techniques, meaning that app developers cannot circumvent ATT by tracking users via alternative identifiers (such as device fingerprinting). Whilst there are some narrow exceptions – for example, to prevent fraud or to allow companies that own multiple apps to track users across those different apps (for example, Facebook can use data obtained from Instagram) – most activity is subject to ATT. ATT also imposes new disclosure obligations onto apps; they must be more transparent as to what data they collect and share.

Impact and challenges

Whilst it’s still early days, and comprehensive industry-wide reports are limited, there have been initial reports indicating up to 90 % user opt-out rates, which is undoubtedly cause for concern for stakeholders in the ad-tech ecosystem. With user device identifiers off limits, app publishers reliant upon an advertising-supported model and advertisers reliant on targeting users with personalised ads, face significant revenue decline as their reachable iOS audiences may dramatically decrease overnight.

No industry stakeholder has been more opposed to ATT than Facebook, which has stated that Apple’s new system “will make it much harder for small businesses to reach their target audience, which will limit their growth and their ability to compete with big companies”. Mark Zuckerberg (Facebook CEO) is reported to have stated that ATT is clearly in Apple’s “competitive interests” and Dan Levy (Facebook Vice President, Ads & Business Platform) labels the changes as being about “control of the entire internet”.

Regulatory action

Facebook does not seem to be alone in its concerns. Competition law based regulatory action in response to ATT is already in full swing across Europe, as organisations have been keen to challenge Apple’s approach – most of these actions focus on the fact that Apple does not apply these rules to its own apps and access to IDFA; in fact, Apple has subsequently launched a number of new ad units within the App Store offering exactly this functionality. Various French stakeholders, including the Interactive Advertising Bureau and the Mobile Marketing Association, complained to the French competition authority (CMA) in October 2020. In March 2021, the French CMA denied a request for provisional measures seeking to block to roll out of ATT and parties are now working on their main arguments ahead of the CMA’s final decision which is expected in two years. Similarly, nine industry associations representing companies including Facebook, Axel Springer, Die Welt and Insider, complained to the German CMA in April 2021.

Whilst regulatory challenges take some time to conclude, it is clear that CMAs are carefully considering the issue and are making sure to consider and balance both data privacy rights and competition concerns in tandem. In a joint statement, the UK CMA and the Information Commissioner’s Office stated that “neither competition nor data protection regulation allows for a ‘rule of thumb’ approach”; they will not permit the use of data protection based arguments as justification for anti-competitive behaviour.

With change comes innovation

As with any industry shockwave, stakeholders are currently struggling to adapt. However, given the glacial time periods associated with regulatory investigations, the market will need to adjust to the new world of ATT as it is here to stay for the foreseeable future.  Advertisers may turn to contextual advertising, which is advertising based on app content, rather than a specific user profile. For example, receiving a targeted with an ad for running trainers when using your exercise tracking app. Further, Apple has been clear that its ATT framework relates only to on-device and in-app provision and use of user data. As such, apps that require login or registration (which necessitates obtaining consent for the provision and use of data, outside of the device) are likely to see a significant benefit.

In addition, Apple does not stipulate at which point in the user experience apps must show the required in-app pop-up. As such, app developers have the discretion – and the opportunity – to explain to users via their own messaging in pre-consent screens, the purpose and value of tracking and why a user may want to be tracked.

Controversial as it may be, ATT appears to represent a wider industry shift by the very large platform providers to give users greater control over their data and more informed choices about how it is used. Although the motives behind such a move may be questionable given the significant commercial gain for these large platform providers resulting from such a move, the public narrative is very much one of privacy-first. In this context, it will be interesting to see how CMAs across Europe will respond to complaints and how app developers and advertisers will seek to innovate in the face of this significant overhaul to user tracking.

For further information, see Bird & Bird’s recent Adtech Webinar ‘The impact of tracking-related changes to iOS 14.5 and other key challenges on the horizon’.

Leave a Reply