• Advertising

RIP Fingerprinting in 2024?

Christine Forman
Christine Forman
5 min read
Posted on September 28, 2023
RIP Fingerprinting in 2024?

Between Apple’s Privacy Manifests and Google’s plans with Android Privacy Sandbox, it looks like we may see the end of fingerprinting in mobile advertising next year. 

It’s easy to be skeptical and think this is yet another boy-crying-wolf situation in the world of ad tech. We’ve been hearing Google talk about its plans to deprecate third-party cookies since 2020. It’s been delayed twice and is now scheduled to happen in early 2024. And while Apple has had a policy against device fingerprinting since the launch of ATT in 2021, it has done little to enforce fingerprinting apart from trying to make an example of one app back in 2021.   

Why is it different this time?   

Well, for one, Apple has a plan – it’s called Privacy Manifests. And even Google has a plan called SDK Runtime, which is part of Android Privacy Sandbox and is already in beta testing.   

Apple announced at its WWDC event in June that the company would be launching a new feature called Privacy Manifests to help app developers better understand and represent the data collection practices of the third-party SDKs that are included in apps. With these new required disclosures, Apple intends to curb the practice of fingerprinting.   

Wait, what is fingerprinting anyway? Why is it on the chopping block? 

Fingerprinting is a method used within digital and mobile advertising for identifying and targeting users as well as measuring performance. Fingerprinting probabilistically identifies users using various pieces of information about a device, e.g. IP address, handset model, carrier, user preferences, available memory, etc. Because of its probabilistic methodology, many have questioned the reliability and accuracy of fingerprinting. For example, many fingerprinting models are anchored by the IP address, but IP addresses are often shared by multiple people using the same Wi-Fi network. They are also very temporary as individuals move from place to place in the course of a day.   

Despite its limitations, fingerprinting has become a go-to alternative for many advertisers in the wake of ATT given the loss of deterministic identifiers and the immaturity of SKAN. This is problematic as we enter a privacy-first world because fingerprinting leverages data users have not consented to sharing for purposes of user tracking and identification. Apple and Google have both prohibited the practice of fingerprinting, but there has been little done to enforce their policies — until now.   

Privacy Manifests: Apple’s plan to end fingerprinting 

Unveiled at WWDC in June 2023, Privacy Manifests require third-party SDKs included within apps to formally publish their data collection and privacy practices. Specifically, SDK developers must list within their Privacy Manifest: 

  • What type of data is being collected 
  • How and why it’s being collected  
  • If the data is being used to track or being linked to users  
  • If and what URLs the data is being connected to for tracking 

Apple also published a set of Required Reason APIs to go a step further in combating the practice of fingerprinting. These Required Reason APIs connect to data that Apple sees as “high risk for fingerprinting” and require any SDK or app using them to specify an allowed reason. So it is safe to assume that fingerprinting is not an allowed reason and that as these new requirements take hold, they will break a lot of the fingerprinting models that exist today. 

Privacy Manifests vs. Privacy Nutrition Labels 

Privacy Manifests are designed to improve the accuracy of Privacy Nutrition Labels, which Apple introduced in 2020, requiring developers to publicly share in their App Store listings what user data was being collected and used by their apps and why. Many developers responded that it was challenging to understand and represent the privacy practices of the various third-party SDKs included in their apps. Privacy Manifests are Apple’s response to this pain point.     

However, Privacy Manifests do not shift the accountability of SDK data practices to SDKs. Ultimate accountability for an app’s privacy practices still remains with the host-app. Privacy Manifests simply make it easier for host-apps to get and organize the information they need from their SDK partners to accurately represent their data privacy practices within an app’s Privacy Nutrition Label. Specifically: 

  • They shift the burden of documenting SDK partners’ data practices to SDK owners.   
  • They also conveniently aggregate all Privacy Manifests from an app’s SDK partners into a single report.   
  • And to help a developer identify tracking domains, there is also something called the Points of Interest instrument in Xcode 15 to assist.   

What about Google? 

Google also has a plan to prevent fingerprinting on Android once Google Advertising IDs (GAIDs) are eliminated with the launch of Android Privacy Sandbox. They have created a separate environment called SDK Runtime so that SDKs do not have the same access and permissions to user data as the host app, as they have had before. Among other things, this prevents SDKs from having unnecessary, unconsented access to device data that could be used for fingerprinting.       

When will this all take effect? 

Apple’s Privacy Manifests recently went live in iOS 17.  However, there is a bit of a grace period on enforcement. Apple has said that starting this fall, they will follow up with developers if they do not see an allowed reason selected for accessing a Required Reason API. Starting in the spring of 2024, Apple will start to reject any apps that do not select an allowed reason for accessing a Required Reason API as part of the App Store review process. 

For Android, beta testing for Android Privacy Sandbox is already in progress with broader roll-out currently slated for later next year. This launch will effectively eliminate GAIDs, but because of SDK Runtime which is already live as of Android 13, fingerprinting will not be the easy-button alternative that it has been for iOS in the wake of ATT.   

How can app performance advertisers prepare for 2024? 

Advertisers may choose to make hay while the sun shines while they still can, but they should realize that the sun is setting soon on fingerprinting. When it does, they don’t want to be caught off guard and have their campaign performance disrupted. It takes time to transition to SKAN, and with Android Privacy Sandbox also coming in 2024, the time is now to embrace this new privacy-first world.    

No need to go it alone. The best way to get started is to talk to partners like InMobi who have a built-up a trove of learnings across app categories over the last 2 years and also have a proprietary platform specifically built to optimize using SKAN conversion values and campaign/source IDs. To learn more about SKAN, check out our Ultimate Guide to SKAN. For a free workshop and consultation on SKAN, get in touch with us at https://go.inmobi.com/app-performance-strategy-session/ 

Reach out today

Stay Up to Date

Register to our blog updates newsletter to receive the latest content in your inbox.