iOS 17: Apple's Biggest Privacy News Since App Tracking Transparency

Apple announced their biggest privacy change since killing user-level tracking on mobile. iOS 17 offers similar privacy protections for the web. Learn how this affects your business.

At the 2023 Worldwide Developers Conference (WWDC) in June, Apple made the most significant privacy update since they started the “privacy apocalypse” in 2021. Back in 2021, they released iOS 14.5 and App Tracking Transparency, causing a 40% decrease in return on ad spend (ROAS) for advertisers using Meta’s Facebook iOS install ads.

iOS 17 features two major privacy enhancements: Link Tracking Protection and Privacy Manifests. 

  1. Link Tracking Protection adds more user-level tracking protection on Safari Private Browsing, Mail, and Messages. Mail has nearly 60% market share and 93.23% of iOS users use Safari as their default browser so this development has significant implications for marketers - it also highlights a potential new paradigm for marketing measurement on web
  2. Privacy Manifests will close loopholes that are widely used to get around some of the tracking restrictions from iOS 14.5

Understanding these changes is key to maintaining the effectiveness of your marketing campaigns, now and in the future. Our comprehensive guide breaks down what's new in iOS 17 and offers actionable advice to help you adapt to this shifting landscape. 

Why is user-level tracking important?

Large advertising networks like Google and Meta rely on tracking the users who click on adverts in order to understand if these users convert (purchase). 

They do this so their machine learning algorithms can learn which users are most likely to respond to a given advert. This allows them to show each user the ads they’re most likely to respond to, increasing the return on ad spend for those adverts. For example, someone who regularly buys ski gear but hates camping would see an advert for ski gear rather than tents.

There are 4 main ways in which large ad networks can track users who click or view an ad and subsequently visit the advertiser’s website:

  1. Using a 3rd party cookie or mobile device identifier
  2. Using a click identifier appended to the URL in the advert which the user clicks on
  3. Using information about your device (device type, IP address, language) to match the click to the website visit “probabilistically”
  4. Using personally identifiable information (PII) about the user (e.g. email address or phone number)

iOS 14.5 and other recent changes have made 1) much harder, forcing ad networks to rely more on 2), 3) and 4).

So how impactful was iOS 14.5?

The example in the introduction shows when iOS 14.5 broke user-level tracking, the performance of the most affected campaigns - Meta for iOS - dropped by 40%.  

Is iOS 17 going to be as impactful?

Link Tracking Protection focuses on B whilst Privacy Manifests focuses on 3) and 4).

1st Change: Link Tracking Protection 

This change removes option 2) - stripping User Level parameters (click_ids) from URLs in Mail, Messages, and Safari Privacy browsing

What is happening?

From Apple:

What is changing?

In the developer video from WWDC, Apple mentioned: “When a tracking parameter is detected, Safari strips the identifying components of the URL, while leaving non-identifiable parts intact.” In practice, we believe this means that click_ids and items that can identify an individual user will be removed.

iOS 17 Beta tester Cory Underwood has confirmed this and provided a list of vendor query parameters that are being removed. It appears that all of those that are being removed are at a user level and aggregate information (e.g. utm_campaign, utm_term, and utm_source) are not affected. A word of caution is that this list is likely to expand as this is only what is included in the Beta.

What's The Impact on the Ability of Ad Platforms to Automatically Optimize Targeting?

Click IDs in user parameters are typically communicated back to ad platforms either through a javascript “pixel” which runs in the user’s browser or server side. The more advanced server-side option involves capturing these identifiers in analytics events (e.g. Page Calls), joining them to first-party data on conversion events (e.g. orders), and then sending them directly to the ad platform’s servers.

However, if these click IDs are stripped, both these methods will falter. Therefore, marketers need an alternative way to communicate to the ad platform which users have converted.

Optimization - What can you do

Moving forward, the focus should be on collecting consented first-party data, sometimes referred to as zero-party data. This data can then be sent back to ad platforms (option 4). Generally, there are two approaches to achieving this:

  1. Audience lists, uploading user identifiers such as (hashed) email addresses to ad platforms. If the email address matches a known user on the ad platform then they can identify that user.
  2. Conversion APIs, which allow real-time server-to-server communication and do not require click identifiers. While Google Ads API requires you to include a click identifier (GCLID) and will break when this is unavailable, Meta's Conversion API (CAPI) can use other identifiers, like (hashed) email or phone numbers instead.

Advanced Tip: tools like Hightouch, Simon Data, and LiveRamp, offer 'Match Boosters'. These tools allow you to enrich your consented first-party data. With more hashed identifiers available, ad platforms can more effectively match your desired customers to their social profiles. As a result, Hightouch has seen 15-40% improvements in match rates.

For instance, if you're a B2B company and capture a work email at sign-up but the user is signed into their personal email when they click an ad (such as on LinkedIn) these tools may be able to link the two email addresses, boosting your match rates. This can provide an essential edge in an environment where tracking and identification are becoming increasingly challenging.

Need help setting this up?  Contact the team at Mammoth Growth.

What's the Impact on Your Ability to Measure the Impact of Your Ads (Attribution)?

User Level Attribution is still possible for advertisers with iOS 17 even if they are using Private Browsing. This is because you can associate an individual user who comes to your site with a campaign_id (which Apple isn’t targeting in iOS 17). However, there are two things to watch out for:

  1. Auto-tagging (on web) - If you are using auto-tagging (using GCLID) to tag Google Ads campaigns then you should move to manually tagging campaigns. Auto-tagging is where tools like Google Analytics take the click ID (GCLID) and then enrich campaign data (utm_source, utm_medium, etc.) to make setting up campaigns simpler. In addition, certain platforms, like Shopify, piggyback off this system. When click_ids, like GCLID, get removed, auto-tagging will fail.
  2. Email conversion tracking - most email providers append a user-level identifier to each email click so that they can tie conversions/purchases back to a specific user. Without this or a suitable campaign-level alternative, you might face issues with your email platform’s reporting i.e. you may track fewer conversions.

Measurement & Attribution - what you can do

The good news is that both of these can be solved:

  1. Auto-tagging - we recommend that people stop using auto-tagging and start manually adding utm_source, utm_medium, and utm_campaign in a consistent way to all of their campaigns
  2. Email conversion tracking - investing in reliable first-party attribution reporting will help you reduce reliance on in-platform reporting and provide you with more consistent data across your different channels 

Where could this be heading?

Apple got a lot of criticism when they released iOS 14.5 for not giving the industry enough warning and fully blocking user-level tracking for install ads on iOS. As part of iOS 14 they released a measurement framework called SKAdNetwork that restricts both the advertiser and ad platform from knowing where each user came from - each just knows the total number of users each campaign converted.

iOS 17 isn’t as restrictive, as the campaign parameters are still included in the URL, the advertiser can still see at a user level where they came from. Removing the click ID only impacts the ad platform's (or email provider's) visibility of what the user went to do. 

Apple have released a web equivalent of SKAdNetwork, Private Click Measurement, which indicates they could be heading down a similar path to what they did with App Tracking Transparency but are just taking a more staged approach.

Further, whilst the latest changes are currently restricted to Safari Private Browsing, it would be prudent to expect Apple will make this the default (or opt-out) behavior for all Safari Browsing in the future.

Want to talk about privacy centered ad measurement? Let us know.

2nd Change: Privacy Manifests & Blocking Requests to Tracking Domains 

This change removes option 3 - ending the workarounds advertisers started exploiting after the release of iOS 14

What is happening?

With the introduction of iOS 14.5, Apple unveiled the App Tracking Transparency (ATT) feature that devastated user-level tracking. ATT mandated user consent to track a user’s activity across different apps. Neither the ad platform nor the business knew how successful install ads were unless they obtained explicit ATT consent. 

As a workaround, some Mobile Measurement Providers and ad network SDKs (particularly non-Self Reporting Networks) introduced 'probabilistic attribution', viewed by others as a form of fingerprinting. The approach involves collecting data about a user’s device (device type, IP address, language) when they click or view an ad and when the app is launched. They can then match the two together proabilistically.

Appsflyer (an MMP) estimated their probabilistic attribution methods had an aggregated accuracy rate of 92% and a coverage rate of 89%.

This method is widely used but not fully compliant with  Apple's policies.

What is changing?

There are two core changes that will impact probabilistic matching in iOS 17: Privacy Manifests and blocking of tracking domains. 

These modifications aim to curtail proabilistic matching/fingerprinting by requiring apps and third-party SDKs (like ad providers and Mobile Measurement Providers) to specify what data they require and why. This information will be included inthe app's Privacy Manifest (visible to users). Notably, any app employing an SDK or calling an API that could be used for fingerprinting needs to define a legitimate purpose for doing so its own Privacy Manifest.

This is likely to end fingerprinting for two reasons: 

  1. Apps are being held accountable for the third party code (SDKs) they include - if an app can get banned from the app store based on this third party code then it will force change
  2. Requests to tracking domains will be blocked without ATT consent - Apple will block requests to tracking domains containing additional device or user information that could be used for fingerprinting, likely stopping the practice

Impact & What You Can Do Today

Changes since iOS 14.5 have already significantly impacted app marketers. These changes aim to close the gaps in that policy which were being exploited by ad networks and advertisers. 

As we navigate the wave of changes in iOS 17, here are some immediate steps that marketers can take:

  • Optimization of campaigns: Using option 4 -  sending (hashed) customer email addresses to ad platforms will continue working. However, app developers need to be confident they are compliant with privacy laws like GDPR and CCPA when doing so. This may also violate Apple’s terms of service - if caught, developers could be banned from the app store.
  • Measurement, Attribution & Reporting: This is the perfect time to invest in privacy-centric marketing measurement. Ensure you’ve set up SKAdNetwork appropriately, invest in Marketing Analytics, Media Mix Modelling, and Experimentation. 

Where This Is Heading

In the last two years, the landscape for app marketers has changed rapidly. User-level tracking is declining, a shift that seems both inevitable and justified. Google is expected to follow Apple’s lead on Android with its suite of Privacy Sandbox initiatives and the planned deprecation of GAID in 2024. The Privacy Sandbox also includes an SDK RunTime feature, which appears similar to Apple's approach for monitoring the data which SDKs have access to.

Given the stated aims of Apple & Google, it’s likely that user-level tracking of ads will become progressively less feasible and eventually disappear. It’s therefore essential that you stay ahead of these and other changes, adopting new privacy-safe tools and consent-based tracking before existing approaches disappear.

Ready to unlock new
growth opportunities?

We and selected third parties collect personal information. You can provide or deny-  your consent to the processing of your sensitive personal information at any time via the “Accept” and “Reject” buttons.