How advertisers can drive mobile performance after iOS Privacy Manifest enforcement 

It’s official: Apple will begin to enforce privacy manifests on May 1, 2024. Though this may look like a mere formality for app developers, privacy manifests are poised to have a major impact on the mobile industry. Apple’s new policy will shake up mobile app marketing in particular, because privacy manifests serve Apple’s end goal of restricting probabilistic attribution and ending fingerprinting.

For marketers, the end of fingerprinting means revisiting existing methods of campaign targeting, attribution, and measurement. The advertisers will focus far more on contextual targeting to reach ID-less users, and on Apple’s SKAdNetwork (SKAN) framework to measure campaigns while adhering to the privacy requirements.

Let’s go over privacy manifests and how app developers and marketers can prepare for this new privacy milestone in the Apple ecosystem.

What are privacy manifests?

Privacy manifests are specific files that every SDK and app developer will need to fill and add to their app. They disclose data collection, required reasons API, and third-party SDKs used in the app. 

According to Apple’s documentation:

These files describe which user data the app is accessing and how the app developer intends to use it. On the user side, this information is then displayed in the app’s Privacy Nutrition Label in the App Store, which helps users decide whether or not to install the app. 

Currently, privacy manifests are recommended but not enforced. But this is about to change.

The important dates

In June 2023, Apple announced the upcoming introduction of privacy manifests at WWDC 2023, and the plan to enforce privacy manifests for “sometime” in Spring 2024.

Apple WWDC23

On February 29, 2024, Apple published an update for developers, and announced the important dates of the two stages of privacy manifest enforcement.

Beginning March 13, 2024, Apple will email app developers a reminder if they are not providing an approved reason for API use.

Beginning May 1, 2024, Apple will enforce privacy manifests and approved reasons API policy.

Who needs a privacy manifest?

Every app needs a privacy manifest. But it doesn’t stop there. Every app developer is held accountable for the privacy practices of each SDK used in their app. SDKs need to submit privacy manifests, too — and each individual app’s privacy manifest will then include info from their third-party SDKs’ manifests. 

Non-compliance with Apple’s privacy policy will result in delays in getting the app approved, or in app rejection during the App Store review.

Apple encourages all SDKs to include a privacy manifest, regardless of whether they’re on the SDK list published in December 2023.

Apple encourages all SDKs to include a privacy manifest to better support apps that depend on them.

 

Source: Apple

Even though mobile measurement partners (MMP) SDKs are not listed in Apple’s commonly used SDK list, it remains very likely that app developers themselves will have to name the tracking domains of the MMPs in the app’s privacy manifest. 

The logic here is three-fold.

    • Reason 1: Anyone who uses a required reason API needs a privacy manifest. This is almost everyone, because most developers will be using the required reason API for their own use (e.g., Disk Space API). 

    • Reason 2: Anyone who has a privacy manifest needs to name tracking domains.

    • Reason 3: With rare exceptions, all apps need to name tracking domains (Reason 2) because of Reason 1.

Most developers will use the disk space API before pushing an update. In this case the developer needs a privacy manifest and they will need to include NSPrivacyTracking and NSPrivacyTrackingDomains:

Apple is actively updating its documentation regarding privacy manifests, and new details appear weekly. The more clarity Apple provides, the more proof we have that tracking domains are being blocked as of May 1, and fingerprinting is going away. 

As spotted by our own David Philippson (Dataseat’s CEO), if an app developer has a third-party SDK in their app which is tracking, then the developer has to name the tracking URL. An example of this is using an MMP’s SDK.

This topic is thoroughly discussed in a recent episode of Eric Seufert’s MobileDevMemo podcast: The future of device fingerprinting (with David Philippson)

If app developers use a tracking third-party SDK like an MMP in their app, then the developer has to name the tracking URL in the privacy manifest

As Apple’s documentation keeps evolving, we encourage you to follow Dataseat on LinkedIn. We’re on top of the mobile-specific updates on privacy and share need-to-know takeaways with mobile marketers.

What’s next?

The obligation to provide a privacy manifest and required reasons starts on May 1. 

Apple continues to move toward ending fingerprinting, and we are approaching the day when it will become impossible. According to Apple’s documentation: Regardless of whether a user gives your app permission to track, fingerprinting is not allowed. 

 

Source: Apple

Right now, “not allowed” does not equal “not technically possible” — Apple has made it clear that they are aiming to shut down fingerprinting. 

What’s the best move for an app, marketing agency, or a mobile-focused brand? Start investing into alternative tech for campaign management now, so you’re not at the back of the crowd.

What should apps, brands and agencies do to keep driving mobile outcomes without fingerprinting?

First, for the app to adhere to App Store requirements: 

  • Have a completed privacy manifest for your app, listing required reasons APIs and tracking domains.
  • Insist that every third-party SDK provides you with their privacy manifest. Do not accept “We don’t need one,” because to compile your own privacy manifest, you will need to know which of those SDKs’ domains are tracking vs. non-tracking. 
  • Remember: Apple will hold you accountable for your third-party SDKs’ privacy practices. As per Apple’s announcement on February 29: Developers are responsible for all code included in their apps

Second, to run future-proof user acquisition and awareness campaigns on iOS:

  • Start consolidating mobile advertising to partners who have a strong SKAN-only proposition.
  • Embrace SKAN as it will become the norm of iOS user acquisition in 2024. SKAN has many benefits:
    • Multi-touch
    • Publisher transparency
    • Re-download measurement
    • View through / click through
    • No SRN/SAN bias
    • Less fraud

How Verve helps advertisers face the privacy-restricted reality on mobile

Targeting and acquiring users: the mobile DSP that does not rely on device IDs

Verve’s privacy-first mobile DSP, Dataseat, is — by design — driving performance and awareness on mobile without relying on any IDs. This means that advertisers running on Dataseat’s DSP are immune to the challenges arising from Apple’s privacy regulations.

Measuring and optimizing campaigns: unique SKAdNetwork expertise

Due to the inherent focus on privacy, Dataseat has been optimizing SKAN-only campaigns for several years. We have a proprietary methodology for configuring SKAN to get over Apple’s privacy thresholds and maximize SKAN data for clients. As a result, SKAN-only mobile campaigns are measurable, and efficiently optimized.

To talk about privacy manifests, SKAN, and the possibilities of running your mobile campaigns on Dataseat (Verve’s mobile DSP), reach out to our global team.