Complying With ATT Is Not Enough

January 24, 2023


All apps are in violation of the GDPR/French DPA if they meet the following criteria:
a. Have European users
b. Use an MMP SDK
c. Either:
   i. Are fingerprinting on iOS for users who do not consent to ATT (collecting data after an opt-out)
   ii. Have any Android users (there is no ATT-equivalent on Android, so no consent framework exists at all)

Continue reading for the full explanation of why the above is true. Many of you may have already seen Eric Seufert’s latest and greatest Mobile Dev Memo post about Voodoo being fined by the French privacy watchdog for using the IDFV for advertising purposes without user consent. Up till now, most of the mobile industry has focused on complying with ATT. As made clear by France’s privacy regulator, CNIL, this is NOT enough, especially because complying with ATT does NOT equate to complying with any privacy law. 


But, why is that?

Well, ATT says that you can access and do what you wish with the IDFV (assuming it’s not breaking some other Apple policy) even if the user opts out of tracking. The ATT opt out only protects the user’s IDFA. GDPR and the French DPA, on the other hand, make it clear that you cannot do anything with that IDFV without opt-in unless it is:
1. clearly contractual (e.g., the user has already contractually agreed to be tracked) or
2. it’s in the legitimate interest of the advertiser (e.g., the advertiser must use your IDFV for tracking in order to provide the basic functionality that the user expects from the product).
Refer to Eric’s post for more details that support the above assertions.

    Now, in terms of measurement, what does this mean for the mobile industry?

    1. Most apps use an MMP SDK for measurement.
    2. MMP SDKs must collect device data in order to measure (whether that data is IP address, etc. for fingerprinting, which is against Apple’s policies, but has remained generally unpoliced on both iOS and Android, or a cross-publisher device ID like IDFA on iOS or GAID on Android).
    3. GDPR and the French DPA state that device data can only be collected after clear user consent unless the company meets one of five other legal bases, the most common of which are:
        a. the company has a contractual obligation to collect that particular data (contractual basis) or
        b. it must collect that particular data in order to provide the expected functionality of the product or service (legitimate interest basis)
    4. Only on iOS are MMP SDKs requesting user consent before collecting the cross-publisher device ID (IDFA), whereas on Android, the cross-publisher device ID (GAID) is collected unless the user specifically opted out, which is an option buried in the settings; on both platforms, most advertisers have the MMP SDK configured to collect other data like IP address for fingerprinting if the device ID can’t be accessed anyway.
    5. Recent GDPR rulings suggest that a contractual basis isn’t applicable even when only using first-party data like the IDFV (which based on ATT, doesn’t require user consent on iOS) to target ads (the European Data Protection Board ruled that the contractual basis wasn’t applicable in Meta’s case) since users were essentially forced to agree to the contract terms in order to use the product, which is expressly disallowed.
    6. Recent regulator advice suggests that a legitimate interest basis isn’t applicable even when only using first-party data like the IDFV to target ads (the Irish DPC advised TikTok to abandon their plans to use the legitimate interest basis for targeting ads with first-party data) since targeting ads ostensibly doesn’t constitute a legitimate business interest.
    7. Measurement is unlikely to be interpreted differently from ads targeting in any significant way in terms of the applicability of the contractual or legitimate interest bases (e.g., measuring the performance of marketing is not necessary to fulfill contract obligations to users nor is it a part of the expected functionality of the product).

       What can we conclude from this?

      1. All apps are in violation of the GDPR/French DPA if they:
        a. Have European users
        b. Use an MMP SDK
        c. Either:
            i. Are fingerprinting on iOS for users who do not consent to ATT (collecting data after an opt-out)
            ii. Have any Android users (there is no ATT-equivalent on Android, so no consent framework exists at all)

      2. Even if companies only collect data from users who have consented (which would require them to create consent dialogs on Android since the platform doesn’t have a built-in framework like ATT on iOS):
      a. Fingerprinting would be rendered unnecessary since the company would already be able to collect the cross-publisher device ID
          (much more accurate than fingerprinting) with the consent (currently, it’s used as a nefarious backup if the user denies consent)
      b. SKAN, which has tons of visibility issues, would be the only viable way to measure last touch on iOS
      c. Even worse, last touch measurement on Android would be almost impossible since the MMP would need consent from each user in the publisher app
          (the app that displays the ad) and the advertiser app (the app that buys the ad) to attribute any user (often called the double opt-in problem), which as
          we’ve seen after ATT was released on iOS, is incredibly rare.

      What can you do?

      The mobile industry is approaching another watershed moment. Do you have the right measurement to succeed? Fortunately, Polaris by MetricWorks is a turnkey, privacy-centric incrementality MMP. Polaris does not need device IDs, painful migrations, heavy lifting, SDKs, or additional skills. Most importantly, Polaris will help you avoid any issues with privacy regulators because it respects user privacy.

      In summary, for most app companies, the only real options to avoid similar massive fines are:

      1. Block access to European users completely (avoid jurisdiction of European regulators).
      2. Remove MMP SDKs from all apps and completely cease measurement activities.
      3. Continue using MMP SDKs, but ensure no device data is collected unless consent is granted (e.g., disable fingerprinting), meaning only deterministic last touch would be available and only for the few users that the MMP has double opt-in for (this may not even be possible for many MMPs at the moment and you’d still need a custom consent dialog for Android since there’s no ATT equivalent).
      4. Migrate completely to privacy preserving measurement methods that don’t require the collection of device data such as SKAN (iOS only), MMM, and geo lift testing (avoid collecting device data for the purpose of measurement altogether).


        If you’d like to discuss this topic further, feel free to book a time or contact us. 

      1. Photo by Marija Zaric on Unsplash 

      Got questions for MetricWorks? We have answers.

      Related Posts

      Measurement Explained Through Basketball

      Measurement Explained Through Basketball

      Measurement explained by Mike Thomas through a Golden State Warriors basketball analogy  - TL;DR: Last touch attribution ignores direct causation of factors that contribute to successful conversion. MMM offers a more complete understanding of all contributing...

      State Of Measurement In A Privacy-First World

      State Of Measurement In A Privacy-First World

      Since we are seeing severe impacts around privacy and the ability to measure, we decided to put together a five-part series, together with our friends at GameMakers, to help advertisers really understand the measurement crisis, and explore the different tools and...

      Share This