iOS: IDFA/ Tracking Opt-In: What You Should Know

By March 11, 2021Insights

It looks like a date has been set for iOS 14’s required opt-in for “tracking” through Apple’s AppTrackingTransparency Framework, which includes opt-in for the IDFA … kind of? According to Apple, “[t]his requirement will roll out broadly in early spring…” (see Data Privacy Day at Apple).

The NT Analyzer Take

Although Apple has trumpeted this as a victory for end-user choice, iOS, has actually already provided users the ability to reset and even block their IDFA for years (blocking IDFA became possible in iOS version 10). As a result, the recent change in the default tracking state on iOS (to be opted out by default) has more to do with which company has power over end-user data than it does with providing end-users with technical capabilities that they didn’t already possess.

For app publishers, however, the change couldn’t be more real. The change in iOS to an opted-out status by default has a significant impact not only on their ability to monetize their apps, but also on what must be done to re-architect the “opted out” tracking state as newly defined by Apple.

For example, the very recently published iOS FAQ states that in the default state—i.e. opted-out of targeted advertising and ad measurement—other types of information must also not be used for “tracking,” such as precise location, email address, and “hashed” email address. These goal posts haven’t been moved, they are simply brand new.

App publishers are now put in the awkward position of having to reinvent how they propagate the “no-tracking” signal from an iOS user to the publisher’s backend in a way that the publisher can ensure the other data elements being collected from iOS apps are now used in a manner that comports with the new iOS regulatory scheme.

Based on what we routinely observe using NT Analyzer, there is a lot more data collection by most apps than companies realize, including data transmissions to third parties. A good chunk of these data transmissions will likely be considered “tracking” under Apple’s definition and include lots of things other than IDFA collection. The challenge for companies trying to achieve compliance with Apple’s demands will be to identify those myriad instances of data collection and then ensure they are handled in a tracking “off” state when received by backend systems or third parties. It’s like data “whack-a-mole,” but if you lose, you either have your app pulled from the App Store by Apple or a regulator asking questions about the accuracy of your representations to consumers.

Steven Roosa

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.

More posts by Steven Roosa