Apple is set to enforce privacy manifests from 1 May 2024, writes Dataseat's Alessandro Giuliani. He shares how app developers and marketers can prepare for this new privacy milestone in the Apple ecosystem

It’s official: Apple will begin to enforce privacy manifests on May 1, 2024. Though this may look like a mere formality for app developers, privacy manifests are poised to have a major impact on the mobile industry. Apple’s new policy will shake up mobile app marketing in particular, because privacy manifests serve Apple’s end goal of restricting probabilistic attribution and ending fingerprinting.

For marketers, the end of fingerprinting means revisiting existing methods of campaign targeting, attribution, and measurement. Advertisers will focus far more on contextual targeting to reach ID-less users, and on Apple’s SKAdNetwork (SKAN) framework to measure campaigns while adhering to the privacy requirements.

Let’s go over privacy manifests and how app developers and marketers can prepare for this new privacy milestone in the Apple ecosystem.

What are privacy manifests?

Privacy manifests are specific files that every SDK and app developer will need to fill and add to their app. They disclose data collection, required reasons API, and third-party SDKs used in the app.

According to Apple's documentation:

"The privacy manifest is a property list that records the types of data collected by your app or third-party SDK, and the required reasons APIs your app or third-party SDK uses."

These files describe which user data the app is accessing and how the app developer intends to use it. On the user side, this information is then displayed in the app's Privacy Nutrition Label in the App Store, which helps users decide whether or not to install the app.

Currently, privacy manifests are recommended but not enforced. But this is about to change.

The important dates

In June 2023, Apple announced the upcoming introduction of privacy manifests at WWDC 2023, and the plan to enforce privacy manifests "sometime" in Spring 2024.

Apple WWDC23

On February 29, 2024, Apple published an update for developers, and announced the important dates of the two stages of privacy manifest enforcement.

From March 13, 2024, Apple is emailing app developers a reminder if they are not providing an approved reason for API use.

Beginning March 13, 2024, Apple will email app developers a reminder if they are not providing an approved reason for API use.

Beginning May 1, 2024, Apple will enforce privacy manifests and approved reasons API policy.

Apple will enforce privacy manifests beginning May 1. This also applies to the approved reasons API policy.

Who needs a privacy manifest?

Every app needs a privacy manifest. But it doesn’t stop there. Every app developer is held accountable for the privacy practices of each SDK used in their app. SDKs need to submit privacy manifests, too - and each individual app's privacy manifest will then include info from their third-party SDKs' manifests.

Non-compliance with Apple's privacy policy will result in delays in getting the app approved, or in app rejection during the App Store review.

Apple encourages all SDKs to include a privacy manifest, regardless of whether they're on the SDK list published in December 2023.

Apple encourages all SDKs to include a privacy manifest to better support apps that depend on them.

Source: Apple

Even though mobile measurement partners (MMP) SDKs are not listed in Apple's commonly used SDK list, it remains very likely that app developers themselves will have to name the tracking domains of the MMPs in the app's privacy manifest.

The logic here is three-fold.

Reason 1: Anyone who uses a required reason API needs a privacy manifest. This is almost everyone, because most developers will be using the required reason API for their own use (e.g., Disk Space API)
Reason 2: Anyone who has a privacy manifest needs to name tracking domains
Reason 3: With rare exceptions, all apps need to name tracking domains (Reason 2) because of Reason 1

Example: Most developers will use the disk space API before pushing an update. In this case the developer needs a privacy manifest and they will need to include NSPrivacyTracking and NSPrivacyTrackingDomains:

Most developers will use the disk space API before pushing an update. In this case the developer needs a privacy manifest and they will need to include NSPrivacyTracking and NSPrivacyTrackingDomains:

Apple is actively updating its documentation regarding privacy manifests, and new details appear weekly. The more clarity Apple provides, the more proof we have that tracking domains are being blocked as of May 1, and fingerprinting is going away.

As spotted by our own David Philippson (Dataseat's CEO), if an app developer has a third-party SDK in their app which is tracking, then the developer has to name the tracking URL. An example of this is using an MMP's SDK.

This topic is thoroughly discussed in a recent episode of Eric Seufert's MobileDevMemo podcast: The future of device fingerprinting (with David Philippson).

If app developers use a tracking third-party SDK like an MMP in their app, then the developer has to name the tracking URL in the privacy manifest

What’s next?

The obligation to provide a privacy manifest and required reasons starts on 1 May 2024.

Apple continues to move toward ending fingerprinting, and we are approaching the day when it will become impossible. According to Apple’s documentation: Regardless of whether a user gives your app permission to track, fingerprinting is not allowed.

Source: Apple

Right now, "not allowed" does not equal "not technically possible" - Apple has made it clear that they are aiming to shut down fingerprinting.

What's the best move for an app, marketing agency, or a mobile-focused brand? Start investing into alternative tech for campaign management now, so you're not at the back of the crowd.

What should apps, brands and agencies do to keep driving mobile outcomes without fingerprinting?

First, for the app to adhere to App Store requirements:

Have a completed privacy manifest for your app, listing required reasons APIs and tracking domains
Insist that every third-party SDK provides you with their privacy manifest. Do not accept "We don’t need one," because to compile your own privacy manifest, you will need to know which of those SDKs' domains are tracking vs. non-tracking
Remember: Apple will hold you accountable for your third-party SDKs' privacy practices. As per Apple's announcement on 29 February 2024: Developers are responsible for all code included in their apps

Second, to run future-proof user acquisition and awareness campaigns on iOS:

Start consolidating mobile advertising to partners who have a strong SKAN-only proposition
Embrace SKAN as it will become the norm of iOS user acquisition in 2024. SKAN has many benefits:
- Multi-touch
- Publisher transparency
- Re-download measurement
- View through / click through
- No SRN/SAN bias
- Less fraud

This article was originally published on Verve Group’s blog.

By Alessandro Giuliani, VP of Operations

Dataseat (part of Verve Group)

Verve Group has created a more efficient and privacy-focused way to buy and monetize advertising. Verve Group is an ecosystem of demand and supply technologies fusing data, media, and technology together to deliver results and growth to both advertisers and publishers–no matter the screen or location, no matter who, what, or where a customer is. With 22 offices across the globe and with an eye on servicing forward-thinking advertising customers, Verve Group's solutions are trusted by more than 90 of the United States' top 100 advertisers, 4,000 publishers globally, and the world's top demand-side platforms. Verve Group is a subsidiary of Media and Games Invest (MGI).

Posted on: Friday 19 April 2024

Rediscover the Joy of Digital

Policy & standards

Insight

Resources & tools

Latest updates

Industry sectors

IAB UK Gold Standard

Explore the Member Vault

Online training

How advertisers can drive mobile performance after iOS Privacy Manifest enforcement

This content was created by an IAB UK member