Complying With ATT Is Not Enough


All apps are in violation of the GDPR/French DPA if they meet the following criteria:
a. Have European users
b. Use an MMP SDK
c. Either:
    i. Are fingerprinting on iOS for users who do not consent to ATT (collecting data after an opt-out)
    ii. Have any Android users (there is no ATT-equivalent on Android, so no consent framework exists at all)

Continue reading for the full explanation of why the above is true. Many of you may have already seen Eric Seufert’s latest Mobile Dev Memo post about Voodoo being fined by the French privacy watchdog for using the IDFV for advertising purposes without user consent. Up until now, most of the mobile industry has focused on complying with ATT. As France’s privacy regulator, CNIL, has made clear, this is NOT enough, because complying with ATT does NOT equate to complying with any privacy law.


But, why is that?

Well, ATT says that you can access and do what you wish with the IDFV (assuming it’s not breaking some other Apple policy) even if the user opts out of tracking. The ATT opt out only protects the user’s IDFA. GDPR and the French DPA, on the other hand, make it clear that you cannot do anything with that IDFV without opt-in unless it is:
1. clearly contractual (e.g., the user has already contractually agreed to be tracked) or
2. it’s in the legitimate interest of the advertiser (e.g., the advertiser must use your IDFV for tracking in order to provide the basic functionality that the user expects from the product).
Refer to Eric’s post for more details that support the above assertions.

Now, in terms of measurement, what does this mean for the mobile industry?

1. Most apps use an MMP SDK for measurement.
2. MMP SDKs must collect device data in order to measure, whether that data is an IP address and similar signals used for fingerprinting (which is against Apple’s policies but has remained generally unpoliced on both iOS and Android) or a cross-publisher device ID like the IDFA on iOS or the GAID on Android.
3. GDPR and the French DPA state that device data can only be collected after clear user consent unless the company meets one of five other legal bases, the most common of which are:
    a. the company has a contractual obligation to collect that particular data (contractual basis), or
    b. it must collect that particular data in order to provide the expected functionality of the product or service (legitimate interest basis).
4. Only on iOS are MMP SDKs requesting user consent before collecting the cross-publisher device ID (IDFA), whereas on Android, the cross-publisher device ID (GAID) is collected unless the user specifically opted out, which is an option buried in the settings; on both platforms, most advertisers have the MMP SDK configured to collect other data like IP address for fingerprinting if the device ID can’t be accessed anyway.
5. Recent GDPR rulings suggest that a contractual basis isn’t applicable even when only using first-party data like the IDFV (which, based on ATT, doesn’t require user consent on iOS) to target ads (the European Data Protection Board ruled that the contractual basis wasn’t applicable in Meta’s case), since users were essentially forced to agree to the contract terms in order to use the product, which is expressly disallowed.
6. Recent regulator advice suggests that a legitimate interest basis isn’t applicable even when only using first-party data like the IDFV to target ads (the Irish DPC advised TikTok to abandon their plans to use the legitimate interest basis for targeting ads with first-party data), since targeting ads ostensibly doesn’t constitute a legitimate business interest.
7. Measurement is unlikely to be interpreted differently from ads targeting in any significant way in terms of the applicability of the contractual or legitimate interest bases (e.g., measuring the performance of marketing is not necessary to fulfill contract obligations to users, nor is it a part of the expected functionality of the product).

What can we conclude from this?

1. All apps are in violation of the GDPR/French DPA if they:
    a. Have European users
    b. Use an MMP SDK
    c. Either:
        i. Are fingerprinting on iOS for users who do not consent to ATT (collecting data after an opt-out)
        ii. Have any Android users (there is no ATT-equivalent on Android, so no consent framework exists at all)

2. Even if companies only collect data from users who have consented (which would require them to create consent dialogs on Android since the platform doesn’t have a built-in framework like ATT on iOS):
    a. Fingerprinting would be rendered unnecessary since the company would already be able to collect the cross-publisher device ID (much more accurate than fingerprinting) with the consent (currently, it’s used as a nefarious backup if the user denies consent)
    b. SKAN, which has tons of visibility issues, would be the only viable way to measure last touch on iOS
    c. Even worse, last touch measurement on Android would be almost impossible since the MMP would need consent from each user in the publisher app (the app that displays the ad) and the advertiser app (the app that buys the ad) to attribute any user (often called the double opt-in problem), which, as we’ve seen after ATT was released on iOS, is incredibly rare.

What can you do?

The mobile industry is approaching another watershed moment. Do you have the right measurement to succeed? Fortunately, Polaris by MetricWorks is a turnkey, privacy-centric incrementality MMP. Polaris does not need device IDs, painful migrations, heavy lifting, SDKs, or additional skills. Most importantly, Polaris will help you avoid any issues with privacy regulators because it respects users’ privacy.

In summary, for most app companies, the only real options to avoid similar massive fines are:

1. Block access to European users completely (avoid jurisdiction of European regulators).
2. Remove MMP SDKs from all apps and completely cease measurement activities.
3. Continue using MMP SDKs, but ensure no device data is collected unless consent is granted (e.g., disable fingerprinting), meaning only deterministic last touch would be available and only for the few users that the MMP has double opt-in for (this may not even be possible for many MMPs at the moment, and you’d still need a custom consent dialog for Android since there’s no ATT equivalent).
4. Migrate completely to privacy-preserving measurement methods that don’t require the collection of device data, such as SKAN (iOS only), MMM, and geo lift testing (avoid collecting device data for the purpose of measurement altogether).

If you’d like to discuss this topic further, feel free to book a time or contact us.



Meet Us At MAU Vegas

Well, it is finally the week of MAU and we are excited to meet you in Vegas! MetricWorks is proud to be a Gold Sponsor of MAU Vegas. There are many opportunities to meet our team and learn how you can close the gaps in your measurement stack with our MMM-based incrementality MMP, Polaris.

For a full listing of what MetricWorks is up to at MAU, visit MetricWorks At MAU22. Here are the quick highlights.

1) Don’t miss our MAU Speaking Session with our CEO, Brian Krebs, on Wed, June 8th @ 11:40am in Terrace Ballroom 152. Brian will describe “Why It Is Time To Close The Gaps In Your Measurement Stack With MMM-Based Incrementality Measurement”.

2) Drop by our Booth 644 to win fantastic daily prizes! Book a time to grab a drink with us.

3) Be among the first 50 to get an exclusive peek at the very first Incrementality Industry Report in our webinar. Sign up now for this exclusive webinar and the report that will follow.

4) Get our FREE GUIDE on How Marketing Mix Modeling Can Fill the Gaps of Attribution.

Hit us up with any questions or for a demo of Polaris at demo@metric.works. See you soon at MAU!

Polaris Turns One!

Exactly one year ago, we publicly launched Polaris on VentureBeat (thanks again, Dean Takahashi). At the time, it was the first of its kind: a measurement product pairing media mix modeling (MMM) and geo lift experiments to provide incrementality performance metrics in the same form factor as an MMP. Actually, it remains the only product of its kind, one year later.

While we didn’t fully open up the floodgates until Q3 2021, the past year has been a wild ride. The response from the mobile industry was far greater than I could’ve imagined. Our partnership with Meta and collaboration with their world-class Marketing Science and MMM teams have helped us to continually improve Polaris and the science behind it.

Our growth over the last 2 quarters since we went fully live is nothing short of incredible. We’re adding new people to our amazing team and expanding to new regions across the globe. We’ve onboarded so many notable customers over these months it’s been an absolute blur. None of this would have been possible without my teammates at MetricWorks. I’m humbled to be a part of this journey with all of you.

To learn more about Polaris, submit a demo request or visit our Polaris product page.