UA after iOS14.5: Is your partner controlling your data?

The rollout of Apple’s latest software update, iOS 14.5, has introduced a new privacy-centric feature for advertising in which users must now provide consent to in-app tracking. This has become a pivotal moment in the mobile advertising industry, affecting user acquisition and retention tactics along with attribution and the measurement of ROI. Targeting will eventually become less invasive by default.

Apple’s change also ties in with legislations such as the General Data Protection Regulation (GDPR) in the EU which came into force in May 2018. The GDPR strictly discusses the handling of user data through definitions such as “data controller” or “data processor”. In the context of Demand Side Platform (DSP) partners, the former title could be problematic in the sense that a data controller holds the power to determine the use of the end-user’s data.

In this post, learn what a “data controller” is, how to watch out for data-controlling practices, why it’s safer to work with a DSP that only processes your app’s data, and how this all ties into the new post-IDFA reality.

The main change with iOS 14.5 lies in asking users for their consent to app tracking within each app itself. Previously, users had the option to opt-out and limit ad tracking through their device settings. The shift from passive to active consent means that the Identifier for Advertisers (IDFA) is no longer readily available for marketers. Without the IDFA, traditional attribution and targeting models that track granular behaviors such as app installs, app opens, and in-app user behavior are no longer possible.

The adoption of iOS 14.5 currently lies at 13% worldwide and early data from AppsFlyer shows us that the majority of iOS mobile users will likely not opt in to app tracking, therefore creating a large group of untrackable users in terms of user behavior (i.e. whether they’ve installed an app or where they may have dropped off). Although a portion of users will still allow app tracking, maintaining ad performance with the ID is only possible if the same users allow app tracking across all apps - both from the publisher and advertiser side.

The opt-in to IDFA rule has, therefore, created a new segment for marketing on iOS: user acquisition without the ID, alongside the commonly known user acquisition and retargeting of users identified with ID.

Here’s a quick recap of the definitions: according to Art. 4 (7). GDPR, a data controller “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

Art. 4 (8). GDPR then states that a data processor “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

In mobile marketing, the control of data resides with the first touch point along with who determines how the collected information will be used. This means that when an ad successfully converts a user for the first time (i.e. through an install), the party that ran the ad creates the first touch point with the customer. IP address, click ID, and specific URL are some of the information acquired through the ad. While user acquisition without the ID is not much of a privacy-topic, understanding the nuances that make a mobile marketing platform either a “data controller” or “data processor” is still advisable.

While the DSP taking the role of a data controller does not breach the GDPR, being a controller comes with a host of further obligations. In particular, one needs consent to process data for its own purposes (the very nature of being a controller as opposed to processors, who work for someone else). When a UA partner acquires a user through an ad, they would need to ask the end-user for consent to create a profile for delivering better ads. However, most advertisements do not provide opt-in banners for remarketing and therefore are in violation of the GDPR.

Another instance is to be a controller without collecting consent. In this scenario, the mobile marketing partner would be a "Joint Controller", according to Art. 26 GDPR. Using the same example, the app would collect consent through their install campaign, and the DSP would use the data for its own purposes, even though they have not collected consent themselves. The various controller obligations would be shared and distributed in a Joint Controller Agreement. The client who is responsible for collecting consent is obliged to inform the user that they are sharing the data with their DSP partner, ask for consent to do so and mention how their partner will be using the data (such as building a profile, covered below). Again, this does not seem possible in UA, as the client cannot collect this consent from the user before their UA partner acquires the user - the partner would have already used the data.

When a DSP takes on the role of a data processor, the use of data is determined by their client. For a DSP to remain a data processor while offering user acquisition services, the following things must be considered:

How the DSP stores advertiser and campaign data determines whether it is controlling or processing data. Storing the data in silos protects the advertiser’s data from being used accidentally or intentionally outside of the purposes stated by the advertiser.

A data processor does not build audience profiles nor lookalikes. The accessibility of data based on the point above previously allowed other service providers to profit from the creation of audience profiles. These could be created through the use of IDFAs by tracking all user behavior and then used to create user acquisition strategies. Audience profiles made use of the business secrets of one party to create a successful campaign for a competitor. For example, users could be identified by their purchase history and likelihood to convert. From there, these users would be used for UA campaigns in similar, competing apps. Though this tactic is now rendered useless without the IDFA, we advise mobile marketers to stay vigilant on how their data will and could be used in the future.
A data controller would be allowed to aggregate, sell, transfer, and make use of data for its own or someone else’s purpose, whereas a data processor must not.

By aggregating several data sources in connection with an IP address, one could still determine a specific user without the ID. While fingerprinting is forbidden under App Store regulations, pay close attention to other naming conventions. The sharing and selling of data makes a service provider a data controller.

Using the IDs of already acquired users is considered safe. The data from such lists are shared with the DSP by the advertiser, who is and should be the controller of the data. The use of these IDs for other purposes however, would violate the GDPR if the DSP was only appointed as a data processor; the DSP would, by definition, become a data controller. In this case, processing as a controller would violate the Data Processing Agreement between the client and DSP and would violate GDPR, as there is no longer a "lawful basis" for processing.

While more players enter the user acquisition market, years of industry experience in UA shouldn’t be the only deciding factor in selecting a DSP. Without the IDFA, providers must find new ways of driving high-performing campaigns - and the application of privacy-centric practices is not always a guarantee. When choosing a UA partner, go for a holistic approach that takes performance, privacy, transparency, and science into account.

Even though privacy is now on the radar of the app ecosystem and global legislations are catching up, mobile marketing practices should not necessarily be considered privacy-centric simply with the deprecation of the IDFA.

As the IDFA becomes less available, new practices and services will emerge. The safest way to work with a DSP is to select one that acts as a data processor. This role guarantees the safety and security of the app marketer’s data and ensures that it will not be used for other purposes beyond the client’s own campaigns.

Remerge is the award winning app marketing platform that helps the world’s most ambitious apps grow their business, drive revenue, and boost user loyalty. As of May 2021, Remerge has expanded its services beyond app retargeting, and is now also offering user acquisition for ID and NO-ID users. Remerge continues to uphold its standards on privacy by carefully checking each part and process of its business, thereby maintaining the role of the data processor.