Why Apple's "Consent for IDFA" announcement is a game changer for online and mobile privacy | Fieldfisher
Skip to main content

Why Apple's "Consent for IDFA" announcement is a game changer for online and mobile privacy



United Kingdom

If, like me, you're something of an Apple fanboy, then you'll probably follow announcements coming out of Apple's annual Worldwide Developer's Conference with interest – looking for the latest, and greatest, updates to the iOS or MacOS platforms.

This year, Apple had a series of privacy-related announcements that have grabbed my attention even more than normal, and created waves throughout the mobile and privacy communities.

I'll skip, for now, Apple's announcements relating to enhanced privacy transparency, geolocation tracking controls, and recording indicators on iOS, as well as its new privacy reporting functionality for the Safari browser  - you can read about those here and here, if you're interested.

Instead, I want to focus on its announcement that it will require opt-in consent for access to the iPhone IDFA – an announcement which, according to Forbes, sends an $80 billion mobile app install industry into upheaval – and which has potentially wider implications across all of mobile and online tracking.

For those who are unaware, Apple's IDFA stands for "ID For Advertisers".  In short, it's a unique identifier on your Apple iPhone.  Unlike websites, mobile apps don't use cookies to track you, so they need another means to do so.  That's where the IDFA comes in.  Mobile advertisers can access the iPhone's IDFA to track your usage of the apps on your phone (and websites accessed through your mobile browser), and then use this information for targeting and attribution purposes.  Access to the iPhone IDFA is currently permitted under the iOS unless you opt-out (through Settings >> Privacy >> Advertising >> Limit Ad Tracking).

But, with the launch of iOS 14 in autumn later this year, Apple will now force app developers who want access to your IDFA to require opt-in consent.  Users will be presented with a dialogue box asking them if they agree to XYZ company tracking them across apps and websites.  The impact of this is huge.  It could be that Apple succeeds in preventing non-consensual mobile-based tracking where legislative initiatives, like the EU's current ePrivacy Directive or stalled ePrivacy Regulation, have failed.  And, presented with such an option, it seems highly likely, if not inevitable, that many users will refuse consent. 

Privacy advocates will no doubt argue that advertisers shouldn't be afraid of this development: if they have a genuine value proposition to offer to iPhone users, those users will consent to tracking.  Advertisers are likely to argue that, while this is a nice idea, in reality most users will decline whatever the value proposition, with serious impacts on ad funded mobile content. 

At this point, it's early days, and attempting to predict the future often proves to be a fool's errand.  However, here are a few of the "big picture" issues that immediately occur to me:

  • Apple's announcement should not be viewed in isolation.  Instead, it's part of a growing trend towards giving users greater control of their online and mobile data.  Google announced earlier this year, for example, that it would be phasing out third party cookies over the next two years in its Chrome browser.  The privacy-centric browser, Brave, recently announced that it has now passed 15 million monthly active users (representing 2.25x MAU growth over the past year), while other browsers (Safari, Firefox and Edge) have also trumpeted their own privacy improvements.  The trend is clear: users want, and are being given, ever greater control of their online data.
  • Despite this, no one has yet come up with a solution for weening mobile and web publishers off of ad-funded content and history tends to show that, however much users may care about their privacy, they are not yet willing to pay to access online content as an alternative means of funding; indeed, re-introducing subscription models on a widespread basis across the web will likely only serve to reduce access to online content and disproportionately affect lower income families and users.  It may be that non-targeted, contextual-based advertising will come ever more to the fore – but, for that to be the case, advertisers will want to see that it can drive the same kinds of conversions that targeted advertising can.
  • In the meantime, therefore, we may be witnessing the emergence of a struggle between platform and browser providers, on the one hand, who are under growing pressure from their users to provide more privacy-based controls, and advertisers and publishers on the other hand who will argue that they need ongoing access to user device-related information to enable targeted advertising as a means to fund online and mobile content.
  • Further, the impact of Apple's announcement on mobile attribution is unclear.  Third party attribution providers generally need access to the iPhone's IDFA in order to report back to advertisers and publishers where advertising campaigns were successfully deployed.  This is true even for untargeted, or contextual, campaigns – advertisers still need to know whether their adverts were seen in order to ensure appropriate advertising royalty payments to the publisher who displayed their ads.  But if these attribution partners have to ask users to consent to access the IDFA, then it will presumably severely impact their ability to report on advertising campaign success.  Apple appears to have anticipated this concern by building out its own, privacy-centric, mobile attribution framework (called SKAdNetwork) – effectively positioning itself as the gateway to what advertisers can, and can't, know about users who install their apps for attribution purposes.  What this will mean for third party attribution providers is currently unclear – presumably they will either need to interface with this framework, or risk being cut out of the attribution picture altogether.
  • A final big unknown: whether advertisers, even if they use Apple's new consent dialogue, can ever truly obtain a GDPR standard consent.  Bearing in mind the strict requirements that the EU/UK has for GDPR-standard consents – that is, that they must be "freely given, specific, informed and unambiguous" – while advertisers are able to tailor the consent message presented to users, could such a sufficiently well-developed consent ever be squeezed within the confines of a small iOS consent dialogue box?  Further, bearing in mind that app developers and advertisers will typically access the IDFA for multiple reasons (e.g. content personalisation, ad targeting, attribution, analytics etc.) and that the GDPR broadly prohibits so-called "bundled consents", does this mean that apps will need to re-surface the consent dialogue multiple times for each purpose?  Or will they simply take a risk-based view and collect a one-size-fits-all consent?  At this point, we just don't know.

Whichever way you look at this, it is a major development and, like most major developments, it has consequences that are potentially both positive (enhanced consumer privacy protection) and negative (impacts on the mobile adtech industry and ad funded content).  One thing you can be certain of though: this will drive change, in a way that legislative efforts have so far been unable.

Areas of Expertise

Data and Privacy