Apple is aggressively pursuing end-user privacy improvements and marketing them as positive enhancements to their users; at Apple’s 2021 Worldwide Developers Conference (WWDC21) the company has announced several new privacy enhancements to the default applications and services within MacOS, iOS, iPadOS, and WatchOS. As with recent proposed changes to iOS14 and the App Store marketplace, the new enhancements are designed to provide transparency to end users about the ways in which they are tracked online and provide options to opt-out of tracking altogether. This will primarily take the form of increased notification popups prompting users to allow or deny permission to allow reporting of behaviors and activities from within applications, emails, and websites.
“[The changes] will arrive as part of the fall software update to iOS 15, iPadOS 15, MacOS Monterey and iCloud.com.” At the moment these OS updates appear to be scheduled for release in September of 2021.
As with the recent announcements by various providers to move to a cookie-less web in the near future, the changes Apple is introducing into its ecosystem are a clear indication that brands will need to take a thorough look at their marketing data collection procedures and usage of 3rd party services and trackers. Investments into 1st party data collection, server side analytics, and native in-app tracking events will help mitigate current and future marketing changes due to a rapidly evolving focus on user data privacy.
App Tracking Transparency (ATT)
Starting with iOS 14.5 app developers must disclose tracking to the end-user and “ask users for their permission to track them across apps and websites owned by other companies” (see User Privacy and Data Use - App Store). This change led to a precipitous drop-off in opt-ins with nearly ~80% of the iOS 14.5+ user base choosing to decline participation in 3rd party tracking within apps. This is compounded by the iOS 14.5 adoption rate with 90% of devices released in the last 4 years running on iOS 14 and 85% of all iOS devices running iOS 14.
iOS 15 will now also include the ability to run a privacy report to review “how often each app has used the permission they’ve previously granted to access their location, photos, camera, microphone, and contacts during the past seven days” and make changes as they see fit. Given the iOS 14 adoption metrics it can be presumed that the majority of iOS devices will update to iOS 15.
Intelligent Tracking Prevention (ITP)
Intelligent Tracking Prevention has been included in Safari web browser versions going back to 2017 and was originally built to protect unsuspecting end-users from agents that were surreptitiously collecting data and inputs from browser sessions. The agents targeted were primarily spyware, malware, or other scripts built for nefarious uses such as identity theft. Overtime, ITP has evolved to also provide tracking protections from a much broader set of legitimate 3rd party tracking cookies and pixels. Similar to ATT, the intention of ITP is to provide web users with transparency into how, when, and who is tracking their browsing activities. ITP has the potential to prevent 3rd party tracking cookies and even analytics events (such as Google Analytics) from properly reporting activities or attributing activities to a unique user id. Although Safari does not make up a large market share of browser sessions, this may skew web analytics and events negatively.
Safari 15 will be included in the rollout of iOS 15, iPadOS 15, and MacOS Monterey with some minor updates to ITP 2.3 such as blocking agents from recording a user’s IP address. The lack of IP availability makes it much more difficult to stitch together user profiles from other data sources and will have an impact on marketing activities such as retargeting.
Apple is now also including ITP in other default applications with the biggest impact being the inclusion of ITP into Apple Mail. This inclusion in Apple Mail is significant to both MacOS and iOS devices as it will potentially prevent tracking pixels contained within HTML emails from loading, severely impacting email open and click metrics. This is especially concerning as the Apple Mail app in iOS currently makes up 38.9% of total email client market share. Desktop Apple Mail makes up 11.5% of market share for a total impact of potentially 50% of all users sent marketing emails not reporting basic email metric information.
Link decoration has been a common work around to some of the challenges that ITP has presented wherein data is included in the URL query string of links that can be detected and read on the target server. Another approach is to pass links through a proxy service that tracks clicks and attribution before redirecting to the intended destination. This allows 3rd party services to exchange information about a user to each other without cookies or database connections. Common examples of link decoration include Google UTM parameters for GA attribution or Facebook Client IDs for FB conversion pixels. Link decoration detection and suppression have been part of ITP since version 2.2 and its inclusion in Apple Mail makes tracking pixel workarounds within emails incredibly difficult and not worthwhile.
In addition as a result of these changes to cookie policy in ITP, all Safari client cookies not set explicitly with a “Set Cookie” http header will expire in one day. On subsequent visits outside the initial 1-day timeframe, the user would be tracked as a new visitor. These non-explicit cookies are typically assigned from Javascript snippets using the “document.cookie” method. The forced expiration of cookie trackers especially affects tracking of anonymous visitors who have not been identified to the app/web-site via a 1st party login mechanism. The forced expiration of cookies in this manner makes it harder to track full user journeys as there are no easy solutions to link customer touch-points.
iCloud Plus: Hide My Email & Private Relay
Apple has also updated iCloud with a new iCloud Plus subscription option that includes two new privacy features: Hide My Email and Private Relay.
Hide My Email allows the user to generate a one-off alias email address for use in marketing forms as a means to protect the user’s true email address; Apple will allow the user no limit to the number of aliases in use. Since the user will potentially sign up with multiple email aliases across different services it removes a key piece of personal information used in data stitching across various data sources.
Private Relay is effectively an Apple provided VPN service that uses a double blind strategy to ensure that the user’s web activities are hidden from their ISP and Apple. With Private Relay in effect there will be no ability for IP tracking to occur in any browser or application while the user is connected.
Since iCloud Plus is a paid subscription service it is unclear as to what the adoption rate may be across Apple devices but it can be estimated based on reported subscriptions across other Apple services to be in the 100M+ market share.
In Summary
- Transparency and notification to end-users of 3rd party tracking has become a de-facto standard within Apple ecosystem
- User who are provided notification and opt-in/opt-out decision buttons select to opt-out the majority of the time as has been shown with iOS ATT notifications
- Primary keys such as email address and IP address are increasingly being obfuscated on Apple devices making user data augmentation and stitching of customer profiles increasingly difficult
- ITP is targeting workaround mechanisms such as link decoration, proxy servers, unique user ID (UUID) assignments, and social media buttons to prevent unintentional data sharing from end-users which is making conversion and attribution tracking increasingly difficult from Apple devices and browsers
- Inclusion of ITP into Apple mail clients may severely impact basic email metric reporting and any downstream campaign logic or optimizations built on basic email KPIs (e.g. open email triggers next campaign step)
- Continued evolution of privacy evaluations and criteria in ITP may impact conversion tracking, attribution, and basic web metric reporting from Safari based browsers
- Any easy technical workarounds to ITP are likely to be suppressed in future ITP updates as has been shown in ITP development history so far
- Owned technologies and platform solutions are very resource intensive but provide brands a more future-proof solution in an evolving privacy landscape
Conclusion
With all of the proposed privacy changes to the Apple ecosystem as well as changes in the broader Internet software market it is becoming increasingly key for brands to own and architect their own data collection mechanisms as a means to ensure meaningful marketing signals are still accessible. Efforts should be made across several workstreams:
- Increase 1st party data collection through owned channels so that key identifiers such as email, name, contact information are collected
- Drive collection via compelling content
- Exclusive promos
- Exclusive content
- Uniqure offers or forms of loyalty programs
- Rotating editorial content
- Exemplary service such as concierge services
- Foster 2-way conversations
- Store data in owned data warehouses or data lakes
- Increase conversion of anonymous users to registered users to enable deeper behavioral tracking and prevent ITP and VPN blockage of key metrics by utilizing identifiable 1st party app sessions (cookies)
- Reduce reliance on 3rd party vendors and service providers including
- Data brokers (list buys)
- SaaS analytics
- Data insights augmented with non 1st party data
- Channel attribution from 3rd party mechanisms such as query string links (see below)
- Social media login mechanisms that don’t generate a local session
- Where possible implement owned server side analytics to track key events and ensure continued capture of behaviors that enable marketing segmentation
- Key app events (both web and mobile)
- Key page/screen views
- Registrations and logins
- Evaluate experiments, optimizations or smart campaign flows that rely on open and click email metrics for potential impact
- Drip campaigns are of particular concern
- Evaluate usage of attribution or other data sharing through URL query string parameters or proxy domains (such as link shortening services)
- These are potentially impacted by ITP