iOS 26: Everything privacy-related Apple announced at WWDC 2025

We already know about the 5 big AAK updates at WWDC 2025, but there’s definitely more to talk about. Some privacy updates were prominently featured in Apple’s WWDC keynotes and sessions. Others arrived quietly in the developer documentation released alongside iOS 26.

(Yeah, Apple operating systems are now being labeled by year: the year after they’re actually released. So the next iOS is iOS 26.)

Here’s everything privacy-related that Apple announced at WWDC … and 1 thing they didn’t exactly announce.

Advanced fingerprinting protections in Safari for iOS 26

Safari 26 now includes default-on protections against browser fingerprinting in both normal and Private Browsing modes.

Yep.

Good for people, tough for marketers.

Safari will block website access to common fingerprinting APIs, including:

• Screen dimensions
• CPU cores
• Speech synthesis voices
• Apple Pay capability
• Web Audio readback
• 2D Canvas rendering details

Safari will also prevent suspicious scripts from using localStorage and cookies to store and check identifiers, and it will strip tracking-related query parameters from the document.referrer.

Browser-based fingerprinting is going to get a lot harder.

I’m not sure this impacts mobile-specific and UA marketers that much. Sure, we’re using web2app a lot more these days, and web landing pages, but I’m not sure many are using fingerprinting extensively in these types of campaigns or journeys.

Link tracking protection in iOS 26

Apple is still serious about making tracking people across websites and apps hard if not impossible. In Safari 26, Apple will expand Link Tracking Protection.

For Private Browsing, Safari will strip out known tracking parameters from URLs (think utm_source or gclid from Google). That will also happen for links clicked inside Mail and Messages, regardless of whether someone is in Private Browsing mode or not.

Common tracking and measurement parameters that Safari will likely strip:

• Utm_source: Campaign source (Google Analytics)
• Utm_medium: Marketing medium (Google Analytics)
• Utm_campaig:n Campaign name (Google Analytics)
• Utm_term: Paid search keywords (Google Analytics)
• Utm_content: Ad content identifier (Google Analytics)
• Gclid: Google Ads click identifier
• Fbclid: Facebook click identifier
• Mc_cid: Mailchimp campaign ID
• Mc_eid: Mailchimp encrypted email ID (user identifier)
• Msclkid: Microsoft Ads click identifier
• Dclid: Google Display Network click identifier
• Igshid: Instagram link sharing ID
• Vero_conv: Vero (email marketing platform) conversion ID
• Wickedid: Wicked Reports tracking ID (attribution platform)
• trk_*: Various generic tracking parameters (common in B2B marketing platforms)

And, as you saw above, document.referrer will also be scrubbed of these parameters.

If you rely on UTM parameters or click IDs in email campaigns, Safari’s new protections will disrupt how much you can track. Your open rates won’t change, but your measurement of click-to-conversion funnels and your attribution in Google Analytics and ad platforms will degrade when users click email links on Apple devices.

• Campaign source may not be attributed correctly
• Clickthrough rate (CTR) tracking in email platforms like Mailchimp, Hubspot, Klaviyo will degrade
• Personalized funnel analysis won’t work
• Cross-channel and multi-touch attribution chains break
• Post-click segmentation becomes incomplete or inaccurate
• Retargeting performance drops

This isn’t a death sentence: not everyone uses Apple’s own Mail app. Many use Gmail or other email apps, which won’t strip parameters like this. But perhaps a third of iOS users do use Mail, meaning there will be measurement degradation.

Of course, email is not a major mobile user acquisition channel, though it has become more interesting in recent years.

An important note:

Just because you can’t measure something doesn’t mean it’s not happening.

Remember after iOS 14.5? People didn’t stop watching and clicking on ads on iOS … it just became harder to measure. While performance marketers need measurable datapoints to optimize, assuming nothing is happening just because you can’t measure it in 1 particular way is self-defeating.

Believe it or not, some top-notch technical and modern marketers still swear by “where did you hear about us” type surveys for new users or customers.

My point: there are options.

Phone and messages privacy features

This isn’t as relevant for marketers, but it’s something privacy-related that Apple announced at WWDC 2025.

Apple introduced several new privacy-preserving intelligence features in iOS 26 for communications:

• Live Translation for Phone calls, FaceTime, and Messages runs entirely on-device using Apple Intelligence models, so audio and content stay private
• Call Screening provides real-time transcripts of unknown calls locally … so again, no cloud processing required
• Hold Assist allows users to mute hold music and get alerted when an agent joins … yep, all processed on device

On-device AI, including visual intelligence in iOS 26

In a similar vein, not super-relevant for marketers. But, indicative of Apple’s overall direction and focus.

Apple’s new Foundation Models API in iOS 26 will let developers use Apple Intelligence models for text and image processing on-device, so that app interactions stay private.

• Apps can process content locally without sending data to Apple servers
• This enables AI-driven features like summarization, visual intelligence, and more while keeping user data safe

Additionally, Visual Intelligence will let users interact with on-screen content privately, without sending screenshots or visual data to the cloud. That includes things that could be relevant for marketers, including the ability to copy text, shop, or create calendar events based on what’s visible on-screen.

AdAttributionKit updates

While I covered them in detail here, these are the big AAK privacy updates from WWDC:

• Overlapping re-engagement windows
• Configurable attribution windows
• Configurable attribution cooldown
• Country codes in postbacks
• Easier testing for AAK integrations

Overall, this makes AAK much better and easier to use, but … as I mentioned in my blog post, none of that matters if there’s no industry adoption of AAK.

Note: these are being released with iOS 26 but aren’t tied to a specific mobile operating system.

Declare age range API

Finally, something that Apple didn’t explicitly mention at WWDC 2025 but did share to the developer documentation repository for iOS 26 is Age Range API. 

This is probably in response to existing and pending legislation in Australia and US states like Utah, Texas, Louisiana, Nebraska, and New York that will require app stores to verify users’ ages and require parental consent for minors for certain kinds of content. There’s also the new federal App Store Accountability Act in the US. Reintroduced in Congress on May 1, 2025, this act would mandate that app stores verify age and get parental consent for minors. It has bipartisan support and is backed by many advocacy groups.

Here’s how the Age Range API in iOS 26 would work:

• Apps can request a parent-verified age range for a user (e.g. 13–15, 16–17, 18+)
• Parents must confirm the child’s age range via system-level controls
• Apps receive only the age range, not a birthdate or exact age, which complies with child protection laws and preserves privacy

If the device was set up in Family Sharing as a child’s device, the parent or guardian configures the child’s Apple ID and birthdate. Apple then knows the child’s true age and can automatically provide an age range (e.g. “12 or under”) to apps that request it via the API.

Note: parents can also choose whether to allow this age range to be shared with apps.

Of course, like all things technical, there’s a massive truck-sized loophole.

When anyone sets up their own device, they will be able to declare an age range in some way. They will not need to give a birthdate, only the range. But but but …  this is self-declared, so an adult pretending to be 13 would technically be possible unless platform-level enforcement is added. 

And, of course, a kid pretending to be an adult is just as possible.

For app marketers, expect to be required to support some technology around this in multiple jurisdictions around the world, especially if your app is in a sensitive category like dating, gambling, or adult content.

Summing it all up: privacy at WWDC 2025

As expected, there were a bunch of new privacy features at WWDC 2025, mostly for iOS 26. Some of them will likely require some extra work on your part, such as the Declare Age Range API, and possibly some of the fingerprinting and tracking protections.

Others, like AAK updates, will only matter if the wider ecosystem of ad networks decides they are important enough to support.