Yes, you can do fingerprinting in iOS 14 (in these three circumstances)
The reality is that some vendors have placed huge bets that fingerprinting is still OK. That it’s fine, and that mobile marketers can still attribute mobile app install campaigns with device fingerprints. Especially, of course, if we call it a much more gentle and benign-sounding name: probabilistic attribution.
After all, it’s just probabilistic, right? A fingerprint does not identify a single device or human being with 100% accuracy. So it’s private, right? Kind of? And Apple will be OK with it, right?
Not going to work.
Fingerprinting is mostly not OK in iOS 14
The reality is that Apple’s App Tracking Transparency prompt (ATT) covers all modes and methodologies of measurement across third-party apps and websites. And Apple has made that absolutely crystal clear in a recent FAQ: “you may not derive data from a device for the purpose of uniquely identifying it.”
Some may think that the word “uniquely” saves them, but let’s be real here: fingerprinting, or probabilistic attribution, wouldn’t be attribution at all if it didn’t, with some degree of accuracy, uniquely identify devices or people.
But there are a few cases when you can use probabilistic or fingerprinting attribution with complete legitimacy and no fear of breaking any App Store or Apple regulations. I recently spoke to Singular CTO Eran Friedman about them.
Three cases when fingerprinting or probabilistic attribution is OK in iOS 14
There are three known cases when you can legitimately use fingerprinting in iOS 14, and they’re all visible in this chart:
Two of the cases are where you’ve already gotten ATT opt-in from your new user or customer. That means that they’ve seen the App Tracking Transparency prompt and said yes: you may track or measure me. That could be either when you have a new user acquired via a paid campaign, or a new user acquired via an owned property: a mobile website, for example.
(This shouldn’t be shocking to anyone: when you have permission to track … you … have … permission. But let’s be honest: it’s also a little bit useless, at least in app-to-app campaigns, because you’d prefer to have the IDFA, which is deterministic, and you actually do get it, because you have permission. For web-to-app campaigns, it certainly can be useful.)
The third case is an edge case.
You don’t have ATT permission, but you also can’t ask for it on the mobile web (at least not yet). But in an owned scenario, you don’t need to. When someone visits a website you own and you direct them to the App Store to download and install your app, it’s owned. It’s first-party data. There’s no third party involved, and you can use probabilistic or fingerprinting methods to establish attribution, because you’re not tracking them across websites and apps owned by others.
Many cases where you can’t use fingerprinting or probabilistic attribution in iOS 14
The reality is that most who are hoping to use fingerprinting in app install campaigns are hoping to use it in an app-to-app scenario where they have not asked for tracking and measurement permission. They’re hoping to keep measuring and attributing the same old way as they’ve always done — perhaps a little less efficiently, given how probabilistic attribution works, but still largely in the traditional method where a new user has no real understanding that their activity is being tracked.
That’s just not going to fly in iOS 14.
And as Eran says, there are very real potential consequences.
“Apps who are found to be engaging in either tracking users without consent or doing fingerprinting … can be either rejected from review from the App Store or even in some cases … the app can be removed from the App Store with the developer agreement revoked,” Friedman says.
That, of course, is the nuclear option. But smart mobile marketers and entrepreneurs definitely do not want to test Apple’s resolve at enforcing its rules and regulations: if as big and successful a company as Epic can face App Store removal for breaking App Store rules, the vast majority of smaller apps cannot flout the rules safely. Apple does have the big red button, and it has pressed it before.
Cases where fingerprinting is not OK include:
- App-to-app (paid)
- App-to-app (owned, but ATT opt-out)
- And several others: see the full chart for details
This is not always easy: as you can see in that chart, there are some challenges here. Plus, things can change. You might capture fingerprinting data on the mobile web and then learn that you were not allowed to have it when a user opts out of tracking in a new install, or discover they opted out in a re-engagement scenario.
Also: people can revoke permission over time, meaning that you will need to delete their data in a way that’s reminiscent of GDPR.
Which is why, Friedman says, Singular is aligning its processes and technology to keep customers safe and only use probabilistic attribution when they know it is absolutely allowed.