Privacy & Information Security Law Blog

Apple’s iOS 14, which was announced by Apple in June 2020 and is scheduled for official release later this year, will require that all apps receive affirmative (i.e., opt-in) user consent to (1) access an iPhone’s unique advertising identifier (Identifier for Advertisers, or “IDFA”) or (2) to "track" users.

Apple defines "tracking" as “the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes." "Tracking" is also defined to include the "sharing [of] user or device data with data brokers.” Under this broad definition of “tracking,” an app would need to obtain opt-in consent to use any identifier (e.g., name, email address) to “track” users. The ATT Framework is not limited to an app’s collection and use of the IDFA for tracking purposes.

Apple lists the following examples of "tracking":

• displaying targeted ads in an app based on user data collected from apps and websites owned by other companies;
• sharing device location data or email lists with a data broker;
• sharing a list of emails, advertising IDs or other IDs with a third-party advertising network that uses that information to re-target those users in other apps; and
• placing a third-party software development kit in an app that combines user data from the app with user data from other developers’ apps to target advertising or measure advertising efficiency.

Currently, use of the iPhone IDFA is permitted unless the user opts-out (through Settings > Privacy > Advertising > Limit Ad Tracking). With the iOS 14 rollout, Apple will require opt-in consent for every app, meaning that if an app wants to access the IDFA or "track" users, iOS 14 will first present the user with the following dialog box:

By selecting “Allow Tracking,” a user explicitly grants the particular app permission to both access the user's IDFA and "track" the user across apps and services.

Apps may track users without first obtaining consent in two limited scenarios:

• when user or device data from an app is linked to third-party data only on the user’s device and is not sent off the device in a way that may identify the user or the device; and
• when a data broker with whom the app developer shares data uses the data only for fraud detection, fraud prevention or security purposes, and solely on that app developer’s behalf (e.g., using a data broker to prevent credit card fraud).

The shift to opt-in consent is part of Apple’s AppTracking Transparency framework. Read more about the framework.

UPDATE: On September 3, 2020, Apple announced it intends to delay its anti-tracking changes to iOS 14 until 2021. At the same time, Apple released additional information about its changes to the App Store to include a new privacy information section to help users understand an app’s privacy practices before they download the app. Each app’s product page will be required to include information on the data collected, linked or tracked, as well as the app’s privacy practices, including the practices of third-party partners whose code the app uses. These App Store changes are scheduled for rollout by the end of the year.