A history of IDFA – Apple’s privacy U-turn

Apple’s recent announcement of changes to IDFA, its proprietary user identifier, signals a significant step change in the company’s approach to in-app user privacy by giving the user the upper hand for the first time. Not only that, the change is representative of a trend and a general change in attitude that we’re seeing in all areas of technology and privacy law.

An attitude change from Apple

User privacy hasn’t always been a leading message for Apple. Back in 2010, the tech giant was sued for sharing user information without permission via the UDID (Unique Device Identifier), which was permanent for each user device and available to all apps without limitation. As a result, Apple retired the UDID two years later and introduced the IDFA, which users could reset and also withhold from advertisers via a ‘Limit Ad Tracking’ (LAT) setting.

Even though user privacy was being acknowledged, this LAT option was still only passive privacy protection. Until 2016, turning it on only indicated a user’s preference, and didn’t protect their IDFA. Even after Apple strengthened LAT in iOS10, the IDFA was still fair game for all apps unless users proactively dug up the setting and turned it on. User awareness was also lacking; while people understood that clearing browser cookies can help protect their privacy on the web, fewer people understood that they could protect or reset their mobile advertising ID (and then made the effort to do so).

Only 13% to 15% of global iOS users were estimated to have withheld their IDFA using LAT in 2016 and by early 2019, adoption was still languishing at around 16%. Despite a relative surge to ~25% adoption in 2020 – perhaps a result of growing awareness around data security and Apple’s own elevation of the LAT setting – there were still enough in-app identifiers available to support the advertising industry within Apple’s app ecosystem.
Apple’s latest move to make IDFA sharing opt-in changes their approach to in-app privacy protection from passive to active, and upsets a balance of power which for years has benefited personalized advertising over user privacy. Apps cannot use the IDFA for tracking without explicit permission upon install, and Apple’s bluntly-phrased consent request upon install doesn’t do much to sugarcoat the situation.

It’s no surprise that opt-in rates are expected to be low. With iOS14, Apple is deliberately bringing LAT – and data privacy – into the spotlight, raising user awareness of cross-domain ad tracking methods while blocking them by default.

What’s next?

Given Apple’s historical record with ITP on the web, plus its very public focus on user privacy, it seems likely that IDFA will be fully removed from the app ecosystem. For now, requiring consent for IDFA leaves it crippled and Apple’s consolation offering in the form of SKAdNetwork attribution isn’t a substitute for the campaign flexibility and user-level insight that currently drives a significant proportion of revenue for advertisers, and publishers in turn. (For more on the impact to the ecosystem and ways to mitigate it, read our other post “IDFA – the next third-party ID to fall“).

Apple has accepted that the industry needs time to prepare for the change by delaying it until 2021. However the company’s focus is clearly on protecting user privacy above all else, and those in the advertising ecosystem who relied on free sharing of user information via the IDFA are expected to accept a new normal.

While many publishers are upset by Apple’s lack of industry consultation and perceived dismissiveness of collateral damage, there will be those who understand the inevitability of change in an industry that has long been conveniently blind to users’ rights to privacy. There is legitimate reason for concern about the safety of user data in an ecosystem which relies on sharing it freely via third-party identifiers. The privacy-conscious in the industry are rectifying this by dismantling these identifiers, and the concept of ‘identity’.

An advertising ecosystem without identity?

We’re heading towards anonymous app and web ecosystems.

Apple (and Mozilla) kicked things off by blocking third-party identifiers (cookies) on the web. Google is following suit in such a way that shows their acknowledgement of privacy legislation as a driving force for the change. Now, Apple’s privacy-first focus has reached app as well as connected TV – and while their tvOS market share is relatively small, it’s setting a precedent that may be difficult to ignore in the face of growing legislation that supports a user’s right to anonymity.  With laws like GDPR and CCPA highlighting user privacy rights, it’s hard for an industry to carry on indefinitely without considering its methods.

In the face of these changes, publishers can also consider their methods and get ahead by reducing reliance on those third-party identifiers – including but not limited to IDFA and third-party cookies – which will ultimately disappear. By working with Permutive to target users while respecting their privacy, publishers can maximize their first party data assets in an anonymous app ecosystem and make themselves invaluable to advertisers.

Permutive is here to help you prepare for the new privacy-focused world.