App Tracking Transparency (ATT) has been around for nearly 2 years now, so it seemed a good time to reflect and see what impact it’s had since its introduction. In this article, I’ll explore whether ATT has really been such a good thing for end users, as well as some of the pitfalls faced by organizations trying to comply with App Tracking Transparency. It goes without saying that I’m not a lawyer, and this is purely my own opinion, so please consult your own legal team before making any rash decisions!
Let’s examine these 2 statements that Apple uses to explain App Tracking Transparency to end users, and developers/app distributors respectively:
Users: If you choose Ask App Not to Track, the app developer can’t access the system advertising identifier (IDFA), which is often used for tracking. The app is also not permitted to track your activity using other information that identifies you or your device, such as your email address.
App Developers: You must use the AppTrackingTransparency framework if your app collects data about end users and shares it with other companies for purposes of tracking across apps and websites.
In my opinion, one of the fundamental issues with ATT is that it gives users a less than accurate impression of exactly how much privacy they get when they “Ask App Not To Track”. An end user reading the above statement is told, in no uncertain terms, that the app may not “track” them using Personally Identifiable Information (PII) if they ask the app not to track.
The word “track” is a lot less transparent here than the average person would assume, and its narrower meaning is only made clear on reading the statement intended for app developers. In the prompt presented to the user in the app, there is some fine print that clarifies “…across other companies’ websites and apps”, but in my opinion, the wording means that the average user is more likely to believe that the app is not allowed to track their activity at all.
To make matters worse, users are now subjected to a barrage of consent pop-ups on a daily (perhaps hourly!) basis, to the point that, in stark contrast to the good intentions of consent regulations, many users have become apathetic, and blindly accept “recommended” settings (hint: “recommended” often means “best for the company”, not “best for the user”). Apple has simply added to this noise, creating a worse user experience for app users, for very little user benefit. Worse still, the App Tracking Transparency prompt does not in any way constitute GDPR consent (or other GDPR-like regulations), so app vendors are forced to request GDPR consent on top of ATT consent, further contributing to “Consent Fatigue”.
Another issue is that getting through Apple’s strict app review process can be extremely difficult and confusing, and app reviewers sometimes seem to apply Apple’s policies inconsistently, which can result in a seemingly random app rejection, despite past successful submissions. Following a rejection, app distributors have very little recourse, with Apple acting as judge, jury, and executioner. One such case I’ve recently been involved with concerned an app that was rejected by Apple on the grounds that, in addition to the ATT prompt, the user was subjected to a second GDPR-compliant consent prompt. Apple’s argument was that once a user has selected “Ask App Not To Track”, there should be no further requests for the user to provide consent.
On the surface, this seems reasonable; if someone says they don’t want to be tracked, then that should be clear. However, given Apple’s definition of “tracking” as “[sharing data] with other companies for purposes of tracking across apps and websites”, a user declining App Tracking Transparency consent is not necessarily declining all tracking, and there may be other legitimate first-party tools that you’d still like to give your users the option to opt in or out of. It’s worth noting that Apple seems to only object to a second consent prompt in the case where the user has declined ATT consent; if they accept, apps may still show a second consent prompt to comply with local regulations, such as the GDPR.
The simplest way to avoid confusing your users with an ATT consent request is not to ask at all. By that, I’m not advocating ignoring the rules, but you should question whether you can achieve your aims without ever requesting ATT consent in the first place. Thankfully, Tealium can help here. Tealium is, first and foremost, a first-party CDP, and all data you collect belongs to you; Tealium doesn’t share it with third parties, and therefore does not require App Tracking Transparency consent.
There’s a lot you can do with first-party data without ever engaging a third party, and because you have collected the data yourself, you can trust it! If the GDPR (or similar privacy law) doesn’t apply, you could, for example, use your first-party data collected while a known user was browsing your website to personalize their in-app experience and more prominently display products you know they’ve been looking at on the web, perhaps even offering them a discount if they buy now. Alternatively, you could retarget the user with emails or push notifications (assuming they’ve opted in to marketing communications).
There are also some cases where, even if the user hasn’t consented to ATT, you can still use their data, but for a more limited purpose. One such example is with the Facebook Conversions API (a.k.a. CAPI), which can receive one prioritized event from opted-out users, just for attribution purposes. In this case, you can send Facebook a flag to indicate that the user has opted out, and their data will then only be used for attribution purposes, not for retargeting or advertising.
It’s fair to say that App Tracking Transparency has created a lot of disruption over the past couple of years, and some have questioned whether Apple’s motives were entirely altruistic, or just a cynical attempt to reduce Facebook’s stranglehold on advertising. Whatever the truth, users have been left confused and frustrated, and I would argue, worse off than before, with less relevant, but no fewer, ads. Now that the dust has largely settled, I believe we’ll be stuck with the current system for quite some time, though I remain hopeful that Apple will do something truly game-changing and make marketing consent easy and consistent for users across all the apps they use.
What I’d like to see is Apple making legally compliant, centralized consent available within the operating system, so that rather than seeing a different consent prompt in each app, I can signal to all apps what I’m OK with as far as tracking is concerned. Since Apple also knows the device’s location and home country, they can identify which consent policy is relevant to the user’s location, without ever revealing that location to the host apps. Control could be provided either on an all-app basis (“Ask all apps never to use my data for personalized ads”) or on a per-app basis (“Ask Uber [for example] not to use my data for personalized ads”).
For extra credit, they could even, dare I say, work with Google to come up with a standard for consent that could be deployed across all mobile operating systems. I suspect that is very wishful thinking, but it would be great for transparency, and save users the constant burden of clicking “Accept Recommended Cookies” multiple times per day!
Tealium supports the latest server-side APIs for all the major technology vendors, and our customers enjoy turn-key integrations with these APIs through our Connector Marketplace. Tealium also makes it simple to integrate with many different Consent Management Platforms, reducing the effort and time it takes to make sure your apps and websites are legally compliant, and of course, provide an exceptional experience for your end users.
Tealium gives you the tools to make your high-quality first-party data work for you, but also to integrate with third-party tools quickly and easily when the need arises.