Complying With ATT Is Not Enough


All apps are in violation of the GDPR/French DPA if they meet the following criteria:
a. Have European users
b. Use an MMP SDK
c. Either:
    i. Are fingerprinting on iOS for users who do not consent to ATT (collecting data after an opt-out)
    ii. Have any Android users (there is no ATT-equivalent on Android, so no consent framework exists at all)

Continue reading for the full explanation of why the above is true.

Many of you may have already seen Eric Seufert’s latest and greatest Mobile Dev Memo post about Voodoo being fined by the French privacy watchdog for using the IDFV for advertising purposes without user consent. Until now, most of the mobile industry has focused on complying with ATT. As made clear by France’s privacy regulator, CNIL, this is NOT enough, especially because complying with ATT does NOT equate to complying with any privacy law.


But, why is that?

Well, ATT says that you can access and do what you wish with the IDFV (assuming it’s not breaking some other Apple policy) even if the user opts out of tracking. The ATT opt-out only protects the user’s IDFA. GDPR and the French DPA, on the other hand, make it clear that you cannot do anything with that IDFV without opt-in unless the processing is:
1. clearly contractual (e.g., the user has already contractually agreed to be tracked) or
2. in the legitimate interest of the advertiser (e.g., the advertiser must use your IDFV for tracking in order to provide the basic functionality that the user expects from the product).
Refer to Eric’s post for more details that support the above assertions.

Now, in terms of measurement, what does this mean for the mobile industry?

1. Most apps use an MMP SDK for measurement.
2. MMP SDKs must collect device data in order to measure: either a cross-publisher device ID (IDFA on iOS, GAID on Android) or, for fingerprinting, data such as the IP address. Fingerprinting is against Apple’s policies but has remained generally unpoliced on both iOS and Android.
3. GDPR and the French DPA state that device data can only be collected after clear user consent unless the company meets one of five other legal bases, the most common of which are:
    a. the company has a contractual obligation to collect that particular data (contractual basis) or
    b. it must collect that particular data in order to provide the expected functionality of the product or service (legitimate interest basis)
4. Only on iOS are MMP SDKs requesting user consent before collecting the cross-publisher device ID (IDFA). On Android, the cross-publisher device ID (GAID) is collected unless the user has specifically opted out, an option buried in the settings. On both platforms, most advertisers configure the MMP SDK to fall back to collecting other data, like the IP address, for fingerprinting when the device ID can’t be accessed.
5. Recent GDPR rulings suggest that a contractual basis isn’t applicable even when only using first-party data like the IDFV (which, based on ATT, doesn’t require user consent on iOS) to target ads (the European Data Protection Board ruled that the contractual basis wasn’t applicable in Meta’s case), since users were essentially forced to agree to the contract terms in order to use the product, which is expressly disallowed.
6. Recent regulator advice suggests that a legitimate interest basis isn’t applicable even when only using first-party data like the IDFV to target ads (the Irish DPC advised TikTok to abandon its plans to use the legitimate interest basis for targeting ads with first-party data), since targeting ads ostensibly doesn’t constitute a legitimate business interest.
7. Measurement is unlikely to be interpreted differently from ads targeting in any significant way in terms of the applicability of the contractual or legitimate interest bases (e.g., measuring the performance of marketing is not necessary to fulfill contract obligations to users, nor is it a part of the expected functionality of the product).

What can we conclude from this?

1. All apps are in violation of the GDPR/French DPA if they:
    a. Have European users
    b. Use an MMP SDK
    c. Either:
        i. Are fingerprinting on iOS for users who do not consent to ATT (collecting data after an opt-out)
        ii. Have any Android users (there is no ATT-equivalent on Android, so no consent framework exists at all)

2. Even if companies only collect data from users who have consented (which would require them to create consent dialogs on Android since the platform doesn’t have a built-in framework like ATT on iOS):
    a. Fingerprinting would be rendered unnecessary since the company would already be able to collect the cross-publisher device ID (much more accurate than fingerprinting) with the consent (currently, it’s used as a nefarious backup if the user denies consent)
    b. SKAN, which has tons of visibility issues, would be the only viable way to measure last touch on iOS
    c. Even worse, last touch measurement on Android would be almost impossible since the MMP would need consent from each user in both the publisher app (the app that displays the ad) and the advertiser app (the app that buys the ad) to attribute any user (often called the double opt-in problem), which, as we’ve seen after ATT was released on iOS, is incredibly rare.

What can you do?

The mobile industry is approaching another watershed moment. Do you have the right measurement to succeed? Fortunately, Polaris by MetricWorks is a turnkey, privacy-centric incrementality MMP. Polaris does not need device IDs, painful migrations, heavy lifting, SDKs, or additional skills. Most importantly, Polaris will help you avoid any issues with privacy regulators because it respects users’ privacy.

In summary, for most app companies, the only real options to avoid similar massive fines are:

1. Block access to European users completely (avoid jurisdiction of European regulators).
2. Remove MMP SDKs from all apps and completely cease measurement activities.
3. Continue using MMP SDKs, but ensure no device data is collected unless consent is granted (e.g., disable fingerprinting), meaning only deterministic last touch would be available and only for the few users that the MMP has double opt-in for (this may not even be possible for many MMPs at the moment, and you’d still need a custom consent dialog for Android since there’s no ATT equivalent).
4. Migrate completely to privacy-preserving measurement methods that don’t require the collection of device data, such as SKAN (iOS only), MMM, and geo lift testing (avoid collecting device data for the purpose of measurement altogether).


If you’d like to discuss this topic further, feel free to book a time or contact us.



Polaris Turns One!

Exactly one year ago, we publicly launched Polaris on VentureBeat (thanks again, Dean Takahashi). At the time, it was the first of its kind: a measurement product pairing media mix modeling (MMM) and geo lift experiments to provide incrementality performance metrics in the same form factor as an MMP. Actually, it remains the only product of its kind, one year later.

While we didn’t fully open up the floodgates until Q3 2021, the past year has been a wild ride. The response from the mobile industry was far greater than I could’ve imagined. Our partnership with Meta and collaboration with their world-class Marketing Science and MMM teams have helped us to continually improve Polaris and the science behind it.

Our growth over the last 2 quarters since we went fully live is nothing short of incredible. We’re adding new people to our amazing team and expanding to new regions across the globe. We’ve onboarded so many notable customers over these months it’s been an absolute blur. None of this would have been possible without my teammates at MetricWorks. I’m humbled to be a part of this journey with all of you.

To learn more about Polaris, submit a demo request or visit our Polaris product page.

Introducing Polaris: your true north measurement for the post-IDFA storm

Today represents a major milestone in our mission to make the lives of marketers much easier. Following an extensive and highly successful beta program, we are proud to announce that our incremental measurement solution, Polaris, is now live. Thank you to our clients, partners, advisors and our dedicated team who made this possible. Polaris is the perfect measurement solution for the post-IDFA storm as it does NOT need IDFA or GAID. Just like the star after which it is named, Polaris will serve as the true north for marketers when the lights go out soon with iOS 14.5. Polaris will allow gaming studios to utilize incrementality to deliver daily measurement, all at the same granularity that you have always relied upon to make informed marketing decisions. To learn more, submit a demo request or visit our Polaris product page.

Not only does Polaris help resolve your post-IDFA challenges, it is designed to help you achieve true marketing effectiveness. Contact us today to hear:

• How Polaris is a ready-to-use, turnkey, drop-in replacement for last touch
• How Polaris involves zero change to your marketing or UA processes
• How you can take advantage of special Polaris subscription deals to get you started quickly even before IDFA deprecates

Reliable measurement is the cornerstone of decision making, and our team has worked tirelessly to deliver a solution that will future-proof your UA (without needing IDFA or GAID) and provide true incremental measurement that allows you to dramatically increase the effectiveness of your budget. In case you missed it earlier, here’s a link to our What Is Incrementality? deck.

We have also put together amazing subscription deals that allow you to commence with incremental measurement even before IDFA finally deprecates. Rather than waiting for the inevitable chaos, Polaris will allow you to seamlessly transition from the outdated systems of today into the new world of measurement truth and accuracy from Day One of the post-IDFA storm.

Submit a demo request to hear about the powerful features of Polaris, including that it does NOT need IDFA or GAID and can still provide you the following favorite KPIs, DAILY, in incremental form at the source by country level:

1. Revenue
2. Installs
3. ROAS
4. LTV
5. Retention
6. Any other KPI we have data for that matters to your team.

The world is quickly approaching a watershed moment. Do you have the right measurement for the post-IDFA storm?

CEO of MetricWorks



Fingerprinting is dead. What’s your next move?

I’ve seen some folks contend that even though Apple’s latest language is more clear than ever, the phrase “uniquely identifying” means that fingerprinting must be 100% accurate to result in a ban.

Such an interpretation is only possible if you ignore the preceding words “for the purpose of”. Fingerprinting is always probabilistic, but its purpose in attribution is to match a single converting device (e.g., install) to a single ad-engaged device (e.g., click). Failing to uniquely identify a device does not change the purpose of fingerprinting. It is simply an indication that the fingerprinting tech needs improvement.

Also, it’s important to remember Apple’s motivations in all this. It does not benefit them to allow a form of tracking that is not controllable by or transparent to them or their users. Fingerprinting has always been the most anti-privacy tracking method available on both mobile and desktop. Apple didn’t spend all those resources on SKAdNetwork just to allow everyone to attribute and track outside of the ecosystem they control.

No matter how specific Apple’s language gets, there will always be someone interpreting it in just the right way to support their hopes, right up until they are banned from the App Store.

Submit a meeting request below to get any questions answered or to hear about our FREE beta program for our incremental measurement solution that doesn’t need IDFA or GAID and can still provide you, DAILY, in incremental form at the source by country level:

1. Revenue
2. Installs
3. ROAS
4. LTV
5. Retention
6. Any other KPI we have data for that matters to your team.

CEO of MetricWorks


IDFA Deprecation Damage Control (Mobile Presence Podcast Interview of Brian Krebs by Peggy Anne Salz)

Thank you to Mobile Presence’s Peggy Anne Salz (noted author, analyst, content marketing strategist, and frequent Forbes contributor) for interviewing our CEO, Brian Krebs, on the positive aspects of the IDFA deprecation, including our new measurement solution for the post-IDFA world. See podcast link below.

Here’s a quick summary of the podcast:

With IDFA deprecated, marketers will no longer be able to attribute post-install activity, including revenue, directly to a campaign or publisher app. And that means marketers will be in the dark and unable to evaluate important metrics, including retention, DAUs, LTV, and ROAS at the campaign or publisher app levels. Or will they? Not if they harness a “top-down” solution that algorithmically attributes post-install activity to campaigns. You can listen to the full podcast below or on the Mobile Presence site.

Listen to “IDFA Deprecation Damage Control: Lifting The Lid On A Mobile Measurement Solution For The Post-IDFA Era” on Spreaker.

Submit a meeting request below to get any questions answered or to get feedback on your testing plan for post-IDFA measurement. Remember to:

1. Upgrade your SDKs as soon as possible.
2. Stay in touch with the vendors who haven’t yet provided an iOS 14 update.
3. Continue to be vigilant during this 3+ month IDFA deprecation reprieve.
4. Test thoroughly. The winners will be those that evaluate and adopt the solutions of the future while everyone else is still exhaling.