IDFA Opt-in: Good for User Privacy or Not So Much?

By Steven Roosa and Daniel Rosenzweig | July 21, 2020 | July 27th, 2020 | Insights

Big news recently surfaced in the data privacy world regarding the upcoming new iOS version, iOS 14, relating to the IDFA (“Identifier for Advertisers”). Users will soon need to grant an app permission in order for it to transmit the IDFA for their devices, meaning the IDFA will no longer be shared with third parties and advertisers without user opt-in. The change, which will likely come into effect in September, is a response to the growing privacy-conscious trend spreading throughout the United States (and the world) and will almost certainly disrupt the AdTech industry.

The question is, however, will this news ultimately be a friend or foe to the privacy landscape?

Below we delve into what the IDFA is, how it’s used, and the role it plays in privacy. We also cover the huge impact this change will have on the AdTech industry, potential responses, and how we think those responses will impact privacy.

IDFA: what it is, how it’s used, and its role in privacy

The IDFA is a unique ID generated by the iOS operating system. Currently, advertising, analytics, and mobile measurement solutions rely on a user’s IDFA to target advertisements, measure campaign attribution, and tally app installs or conversions. In the current version of iOS, users must visit their device’s privacy settings to opt-out of default IDFA sharing by using the “Limit Ad Tracking” feature.

With laws like the CCPA and GDPR, there is a growing trend towards privacy-conscious data practices, and the more granular a company gets with its tracking and analytics practices, the greater the responsibility the company owes its consumers. For example, identifiers like the IDFA, in certain contexts, arguably fall under the CCPA’s broad definition of “personal information,” which means California consumers have certain rights with respect to a company’s use of their device’s IDFA. What’s interesting, however, is that the IDFA was developed initially as a privacy-conscious alternative to relying on permanent hardware and device identifiers.

Prior to the development of the IDFA, companies used permanent hardware identifiers like IMEI and MAC address. Unlike permanent hardware identifiers, the IDFA is a more privacy-friendly alternative because: the user can “reset” it (i.e., cause the device to discard the old IDFA and generate a new one); the IDFA has pseudonymous characteristics (i.e., the IDFA is not derived from any data that, on its own, is intrinsic or inherent to the user, such as name, email address, or phone number); and a user has the ability to opt out of sharing the IDFA with third parties. These attributes grant users a level of control over their privacy while simultaneously allowing companies to use the IDFA for tracking and analytical purposes.

The general thought is that turning IDFA sharing off by default and requiring an opt-in will provide users with a greater level of control over their privacy. However, the problem is that the advertising industry, as a response, may be forced to inadvertently rely on other, not-so-privacy-conscious mechanisms as its members compete in the marketplace.

Disruption to AdTech, potential industry responses, and impact on privacy

The vast majority of players in the advertising ecosystem will no longer have access to device IDFAs once iOS 14 is launched, since most users will likely not take the steps needed to opt in under the iOS 14 settings (as is the case currently with the steps needed to opt out). Their power in the ecosystem, as a result, will likely decrease. Large tech companies, however, that already have massive, proprietary databases with personally identifiable data will have increased power in the advertising realm because they can still target ads using their own rich data sets. Thus, there will likely be a shift in emphasis and prevalence from largely pseudonymous “tracking” (strong privacy attributes) to directly identifiable advertising (weaker privacy attributes).

There will also be an incentive for the myriad entities in the mobile ad ecosystem to continue to cultivate “fingerprinting” techniques for mobile devices. Since there is no mobile opt-out for fingerprinting, this brave new world without ready access to IDFAs may create more privacy issues than it solves.

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.


Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the New York office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.
