Apple says you can’t use email lists for targeting anymore
Updated: January 25, 2023
Apple recently updated one of the App Store privacy policy sections. The refreshed article includes new details on the definition of tracking under the jurisdiction of the App Tracking Transparency (ATT), an updated framework announced by the company at WWDC 2020 which might become mandatory in March 2021. In the updated guides, App Store has confirmed that it includes sharing of user emails with ad networks on the list of tracking forms that must follow the ATT guidelines.
In other words, Apple claims that developers must obtain explicit consent from the user through the ATT mechanic to use custom email addresses for retargeting and look-alike audiences. By deliberately highlighting these user cases in the updated guidelines, Apple makes it clear to developers that even usage of user data that is outside of Apple’s purview must comply with these new ATT principles.
Sharing email lists to build look-alike audiences and retargeting was one of the last ways to keep iOS targeting effective after Apple ditched IDFA. In June, developers were looking for workarounds to preserve the pre-iOS 14 environment, but the company has been steadily closing all available loopholes.
Are there any workarounds left by Apple?
Below, we present some of the developers’ speculations on what tools will remain available after iOS 14 release, as well as the corresponding responses from the App Store team. They can be found in the FAQ section of the App Store User Privacy and Data Use page.
In theory, fingerprinting will allow advertisers to continue to attribute individual users to ad campaigns after Apple opts out of IDFA. But Apple’s clarification proves otherwise:
Q: Can I fingerprint or use signals from the device to try to identify the device or a user?
A: No. Per the Developer Program License Agreement, you may not derive data from a device for the purpose of uniquely identifying it.
On the paper, 3rd-party single-sign on scheme (SSO) will allow networks with self-attribution of traffic like Facebook to connect in-app events to user accounts of the proprietary platform. This will preserve user profiling for ad targeting after IDFA rejection. Again, this is not the case anymore:
Q: I have integrated an SDK from another company. Am I responsible for the data collection and tracking of users of my app by that company?
A: Yes. Developers are responsible for all code included in their apps. If you are unsure about the data collection and tracking practices of code used in your app that you didn’t write, we suggest contacting the developer of the SDK.
Q: I have integrated a 3rd-party SSO. Am I responsible for the data collection and tracking practices of that company?
A: Yes. Developers are responsible for any code included in their app, including single sign-on (SSO) functionality provided by third parties. If the user will be subject to tracking as a result of SSO functionality included in your app, you must use the app tracking transparency prompt to obtain permission from that user list.
Lastly, maybe it would be possible to use hashed emails to index in-app events to user accounts for the purposes of user profiling after IDFA?
Q: If I have not received permission from a user via the tracking permission prompt, can I use an identifier other than the IDFA (for example, a hashed email address or hashed phone number) to track that user?
A: No. You will need to receive the user’s permission through the ATT framework to track that user.
According to these statements, Apple is no longer allowing users to share email lists for retargeting or look-alike audiences, thus closing the last loophole to revert to ‘ad continuity’ prior to the release of iOS 14.
This shouldn’t be surprising. Facebook removed the option to create look-alike audiences from custom audiences for iOS 14 campaigns, allowing look-alikes to be generated only from live ad sets based on conversions. Put differently, although Facebook does allow advertisers to upload email lists, such lists cannot be used to generate look-alikes, and look-alike audiences could only be created from existing campaigns. Reading between the lines: Facebook doesn’t feel comfortable letting advertisers use email addresses or other identifiers for look-alike targeting, knowing that the company can’t confirm whether these users have chosen to be tracked through ATT or not.
While email list exchanges often take place through mechanisms outside of Apple’s field of vision, the company still expects full compliance with its new privacy policy. Yes, Apple cannot directly see if the email list is being distributed between the advertiser and the ad network. But for the largest advertisers, Apple is not a faceless publishing platform, but rather a business partner: the App Store and developers are connected by real human relations. Albeit indirectly, Apple will find out about developers who continue to use email-based targeting on a serious scale.
The consequences of being caught could be a disaster. Apple has all the levers of influence: the company can disapprove of the developer’s application, completely remove it from the App Store, or exclude the ad network from participation in the SKAdNetwork mobile measurement framework, which will essentially kill such business on iOS. Even before Apple announced that it viewed the transmission of email addresses as a form of tracking, executives at major mobile advertisers generally dismissed it as too much of a risk for the ATT-regulated environment.
There is no trick to avoiding ATT compliance; there is no tricky workaround that guarantees success where the advertiser has beaten Apple. Advertisers who recognise that their approach needs to be drastically changed by ATT will thrive once ATT compliance becomes mandatory. The privacy landscape in digital advertising is changing on the Internet as a whole, and it’s crucial for advertisers to feel the change in the wind. For better or worse, user-based ad targeting will be phased out for mobile app advertising, and advertisers are best placed to leverage the coming months to adapt to this new reality.