ATT vs LAT vs ITP: everything marketers need to know about Apple’s App Tracking Transparency in iOS 14
Mobile marketing has always been the domain of alphabet soup. Now it’s getting even worse.
Apple’s App Tracking Transparency pop-up will be required for IDFA access as soon as March. While there’s a lot of information available about ATT in iOS 14, there’s also a lot of misinformation. I spent some time with Singular CTO Eran Friedman to separate the wheat from the chaff and get the real scoop.
ATT, of course, is all about consent. It’s about asking people if they agree to sharing their Identifier For Advertisers with app publishers for purposes of measuring marketing effectiveness, enabling new marketing, advertising to similar people, and other purposes.
“In a nutshell, it’s very similar to how you’re required to request consent for using the camera, the location, photos in the app,” Friedman says on a recent edition of the Growth Masterminds podcast. “Now there’s a new type of consent. And now it’s specifically for user tracking.”
Fun fact: SKAdNetwork is not new to iOS 14.
Apple actually introduced it first in iOS 11 … four years ago!
In fact, ATT consent is required before tracking of any kind, including measurement technologies of mobile-web-to-app traffic. While the ATT framework is only available in native apps, marketers have to observe the standard when measuring new app users coming in from the mobile web as well. (Prediction: Apple will create some SKAdNetwork-type technology for mobile Safari so that ATT can interface with ITP — intelligent tracking prevention — and enable privacy-safe attribution on mobile web as well in mobile apps.)
ITP, of course, is one of Apple’s privacy technologies for the web, where it deletes most first-party cookies in a week and blocks all third-party cookies by default.
Adding to the alphabet soup: LAT, or Limit Ad Tracking.
“Limit Ad Tracking is kind of ATT’s predecessor,” Friedman says. “It worked a bit differently from ATT … it was a simple setting option in an iOS device that you can click off and disable or limit your ad tracking … which essentially kind of zeroed your IDFA.”
Does a marketer only have only one shot to get ATT consent?
Yes and no, Friedman says.
You may not even get one in the first place. If people turn off the Allow Apps to Request to Track setting in iPhone Settings > Privacy, you will not be able to request tracking permission via the ATT prompt. In addition, if that setting is on and you do request permission but get denied, you can’t ask again — at least via the native ATT prompt.
However, you can still provide information in your app about why someone might want to enable tracking for your app, give them instructions about what to do, and provide a link directly to the right setting. So in that sense, you have multiple opportunities.
“However, incentivizing users or limiting some of your app’s capabilities because they don’t want to be tracked is not allowed as part of Apple’s policies,” says Friedman. “And you’re also required of course not to provide any misleading explanations or basically hide information.”
Generally speaking, then, you’ll have zero or one opportunities depending on how people have toggled that option in their phone’s privacy settings.
People can revoke permission
People can revoke their permission, in which case you have some GDPR-style right-to-forget kind of work: deleting personal identifier data that you’ve collected and stored.
“If the user … changes their opinion later on and decides to stop giving you permission, then you are required to respect their decision and not only stop tracking them, but also make sure to disassociate any previous information,” Friedman says.
(And no, you can’t store or cache data at one point in time in the hope that people will provide consent at another point in time later.)
Single-sign on: OK
Single-sign-on is a unique use case that is permitted, as long as data is not also being collected for tracking or targeting purposes. That’s precisely why Facebook recently released a limited SSO version that doesn’t enable additional data transfer.
Compliance isn’t just about IDFA requests
App publishers and mobile marketers shouldn’t think that just because they’re not asking for an IDFA and therefore kicking off the ATT prompt they are automatically in compliance.
“If you’re not using IDFA — not pulling it — that’s one step of the equation,” says Friedman. But also if you’re, for example, collecting a log-in … let’s say like collecting an email and then sending that email to Facebook for retargeting purposes, then it’s still considered a matter of tracking, even though you didn’t touch the IDFA. And that’s not allowed without asking for permission.”
Kids, ATT, and SKAdNetwork
Apps for kids are of course a special flavor of apps in the App Store, and have long had special restrictions in terms of tracking, measuring, and advertising. The good news for mobile marketers is that because SKAdNetwork is privacy-safe — no personal information gets shared, no device-level or identifying data is transmitted — installs for kids’ apps are now attributable.
You’ll still never get an IDFA, of course, nor be able to pop open an ATT prompt for apps aimed at children. But you also don’t need to: SKAdNetwork will handle attribution, and Singular will manage the data.
And, of course … enforcement
Ultimately, Apple’s ability to enforce these new rules rests on its ability to determine which apps are allowed on the App Store, and whether you can update your app with a new version. Developers and marketers need to make sure their apps are in compliance with Apple’s guidelines.
We’ve been sharing SKAdNetwork information for over a year now on the Singular blog, but it’s a good idea to get a legal opinion from your counsel on potentially sticky compliance issues.
Need more information specific to your app or business?
If you’re looking for more details and specific insight, we’d love to walk through ATT and SKAdNetwork with you and provide detailed information on what you might need to do to get ready for iOS 14.5.