iGDPR: Apple's New Privacy Rules

The $45BN In-App Ad Economy Just Got Regulated

Apple Opts-In for Tracking To Continue

At WWDC, Apple announced several major privacy changes coming to its software. Prior to WWDC, the ad-supported app ecosystem had braced itself for the possible elimination of Apple’s ID for Advertising (IDFA) which served as the universal ID for cross-app ad tracking and targeting. Instead, Apple announced it will continue supporting IDFA but will require users to opt-into IDFA in each app:

In effect, Apple now has enacted the core tenet of GDPR, explicit consent and data transparency, expanding the application from Europe’s 446M+ data subjects, to all 1BN Apple iOS users globally under its new AppTrackingTransparency framework. Let’s call this framework change “iGDPR.” 

Under iGDPR, Apple will not share the IDFA with apps and their partners until the user gives permission to each specific app that wants to share or receive data based on the IDFA. That means if a user does not opt-in for The New York Times app but then opts-in to Candy Crush’s gaming app, you won’t be able to link activity between the two apps. That means The New York Times won’t be able to re-target anonymized app users on other apps to encourage them to come back and subscribe. In essence, it becomes very hard to run a scaled, data-driven ad campaign across multiple apps.

Apple’s implementation does solve a complaint by privacy advocates about how much of modern digital advertising is incompatible with GDPR. Specifically, ad impressions are typically auctioned off the moment you reach a webpage or app before you’ve given any consent for personalization and tracking. Before consent is given or checked for, your user ID may be shared with all auction participants so they know who they are bidding on. Apple essentially now sandboxes apps off from getting the IDFA until permission is granted, so no auction can be run using a user ID until consent is given.

Going further than just the IDFA, Apple’s new AppTrackingTransparency framework sets the ground rules for data policies going forward. Specifically, it prohibits commingling of data across companies of iOS users without consent through iOS (without mention of how to handle conflicts of consent given elsewhere) — whether you’re using IDFA or some other ID. In theory, iOS apps now need Apple’s permission to enhance user profiles from activity outside of iOS, which while difficult to detect, could be enforced by Apple’s App Store review practice.

What GDPR Predicts About iGDPR

While a lot of websites worried that an opt-in mechanism would lead to low consent, the experience with GDPR so far has been relatively positive for publishers. Quantcast, a consent management platform, initially reported as much as 90% of users opted-in while other later published statistics suggest up to 70%

As with GDPR, Apple’s policy will allow individual publishers to decide the language in the prompt to elicit consent. That would suggest publishers should be able to replicate some of their success in collecting opt-ins, but web publishers had two additional design advantages that aren’t as clear in Apple’s redesign:

  1. Persistent obtrusive windows that go away when you consent

  2. Repeated asks that go away when you consent

Unlike on the web, Apple’s in-app environment will certainly force users to make a consent decision in order to remove the window. However, it’s less clear if Apple will place any limitations on how often you can repeat your request for authorization.

One other critical difference with GDPR is that Apple is not prohibiting a degraded experience for users who do not opt-in, so we may even see publishers experiment with “registration tiers” of “general advertisements” and “targeted advertisements” levels. Given these differences, it wouldn’t be surprising to see consent rates half that closer to 35% opt-in, depending on final implementation.

The other major impact of GDPR has been the increasing ad spend going to Google and Facebook among other major consumer Internet companies. These companies have strong first party data on users based on their usage of the respective services, enabling them to offer consented ad targeting at scale within their own media and ad network. Apple’s new policy won’t change that dynamic. 

In fact, with iGDPR, more publishers may find monetization easier and superior for content published within the walled gardens. Apps that leverage single sign-on or build mini-programs within apps from the major tech players may also monetize better through their respective ad networks that can leverage that identity regardless of IDFA. As small content producers and apps that operate outside the key tech players suffer monetarily, there will simply be fewer consumer options. 

Consequently, consumers in time will find it easier to manage privacy. Digital activities may increasingly consolidate under a few key aggregators, which makes privacy management easier for the average user. Expanding privacy means concentrating identity & activity.