A bit of history to start. When Apple rolled out AppTracking Transparency(ATT) to users a few years back, the impact was felt across the mobile advertising sector. Apps which sought to comply with the requirements presented users with a prompt, with which they had to agree in order for tracking as defined by the policies to take place. Many users declined, and while the extact ranges vary by industry, seeing 50% or more of users opt-out was devastating to advertisers, which lost an estimated $10 Billion over the following quarters.
While the concepts of App Tracking Transparency have been in place for years, participation and accuracy have largely been based on the honor system. Users were able to flag apps, and gained new tools for reporting via the App Transparency Report but the process was still largely manual on the part of App Developers, and intentional or not – gaps existed.
The App Developers were responsible for compliance and documentation and failed to comply in a number of scenarios. Apple revealed in 2022, that more than 1.7 million App Submissions were rejected, with over 400,000 being for privacy violations.
Privacy Manifests
With this backdrop, Apple has announced Privacy Manifests, which will simplify compliance with App Tracking Transparency. The feature seeks to resolve two issues. First, it seeks to address the fact that some SDK vendors may not be exactly forthcoming with what their SDKs can do. Secondly, it gives developers new tools for compliance with existing App Tracking Transparency Policies.
Developers will be able to leverage XCode to identify privacy concerns related to vendor SDKs and data collection, which will then be used for enforcement actions in early 2024. Apple covered the feature in detail in a WWDC session “Getting Started with privacy manifests“.
Critically as part of this change – the domains leveraged by the SDKs must be declared in the privacy manifest, and if those domains are identified as having tracking capability – then the network calls to those domains will be blocked in the event the user declines the App Tracking Transparency prompt. Depending on how your mobile app is coded this could effectively break the app in a number of scenarios. It will be critical to work with developers and SDK vendors to accurately reflect which domains do what, in order to prevent unintended behavior or breakage.
Apple has also announced they have identified a number of third party SDKs which in particular have a high impact to privacy. These are referred to as Privacy-Impacting SDKs. Apple will release a list of these apps in the coming weeks. Such Privacy-Impacting SDKs are required to not only have a privacy manifest, but be signed by the vendor. Since they have indicated that they will maintain the list remotely, it may end up being a similar list to those vendors targeted by Link Tracking Protection.
Branch has a very good writeup of the more developer focused details which have been revealed to date. What is important for Marketing and Engineering teams however is these changes are coming, and so roadmaps related to app development likely need to be adjusted in the near term.
The Expected Rollout
Beginning in Fall of 2023, upon app submission Apple will send informational emails to the developer flagging use of a privacy-impacting SDKs if they do not contain a privacy manifest, or lack a signature. Apple will also begin to flag when various APIs are leveraged without a declared privacy manifest required reason. These items will become part of the app submission process in early 2024 – and lacking compliance can block the App from being updated or accepted.
In the short term – brands with mobile apps will need plan for and execute:
- Ask for privacy manifests from SDK developers
- Refer to the Xcode privacy report during app development
- Create their own privacy manifest, including documenting required reasons for various identified APIs
- Document and declare tracking domains and required reason API Usage in the app’s privacy manifest
Additionally, they will need to continue to keep the privacy labels up to date in the AppStore, as well as prompt the user (as required) with the App Tracking Transparency prompt.
Once the above process is done, brands will need to work with vendors in order to determine impact to services should the network request be blocked by the user declining the ATT Prompt. I expect at least a modest impact to reporting and campaign attribution as apps begin to be subject to technical enforcement control. Depending on how compliant with the ATT policy an app is today, will determine the exact impact for that app – and this will vary between mobile applications.
What is unknown currently is which companies will end up on the list of Privacy-Impacting SDKs. Depending on which vendors appear here, I suspect impact could rival that of the initial App Tracking Transparency rollout. All that can be said is the next several months will be interesting to understanding the possible impact to the mobile advertising industry.