Apple: email lists cannot be used for ad targeting

Apple quietly published an information portal related to App Store privacy policy recently, including new details about how it defines tracking with respect to the App Tracking Transparency framework that it announced at WWDC 2020 and which, according to rumors, will be made mandatory in March 2021. One revelation from the portal is that Apple considers the sharing of user emails with advertising networks or data brokers to be a form of tracking which is subject to ATT guidelines.

(emphasis in the screenshot is mine. Edit: while the page linked above was published last month, the guidance around tracking was originally published verbatim in June on a different page)

Put another way: Apple is telling developers that it must receive explicit approval from a user via the ATT opt-in mechanic in order to use their email address for the purposes of a) retargeting them with ads or b) creating lookalike audiences. By deliberately calling this use case out, Apple is making it clear to developers that even data sharing activities that sit outside of its purview and utilize data that was surrendered by the user are subject to ATT guidelines.

Sharing email address lists for lookalike audience creation and retargeting was perhaps the last glimmer of hope for many ad tech firms and advertisers of retaining advertising targeting efficiency on iOS once the IDFA is deprecated. But it shouldn’t have been. Apple has been clear since WWDC 2020 that it isn’t implementing ATT in a superficial or haphazard way. The ad tech firms that have tried to make the case since June that workarounds or loopholes will allow advertisers to maintain the pre-iOS14 status quo have consistently been rebuffed by Apple, mostly via its App Store User Privacy and Data Use FAQ:

Theory: Fingerprinting will allow advertisers to attribute individual users to ad campaigns in the post-IDFA environment.

Apple Response:

Theory: Third-party SSO will allow self-attributing networks like Facebook to connect in-app events to proprietary platform user accounts, preserving user profiling for the purposes of ad targeting in the post-IDFA environment.

Apple Response:

Theory: It will be possible to use hashed emails to index in-app events to user accounts for the purposes of user profiling in the post-IDFA environment.

Apple Response:

And now, with this latest proclamation that Apple will not even allow for email lists of users to be shared for the purposes of re-targeting or lookalike audience creation, Apple has slammed shut the last trapdoor to pre-iOS14 advertising continuity.

This shouldn’t be a surprise. As I covered back in August, Facebook removed the option of creating lookalike audiences from custom audiences for iOS14 campaigns, allowing lookalikes to be generated only from live ad sets on the basis of conversions. In other words: while Facebook would allow advertisers to upload email lists, those lists couldn’t be used for lookalike generation, and lookalike audiences could only be constructed from existing campaigns. Reading between the lines: Facebook didn’t feel comfortable allowing advertisers to use email addresses or other identifiers for lookalike targeting, knowing it couldn’t certify whether those users had opted into tracking via the ATT prompt or not.

This is important. In a Twitter thread I published on the topic, a number of people pointed out that email list sharing happens server-to-server or via other sharing mechanics that are totally outside of Apple’s line of sight. Why, then, would Facebook relent and prevent lookalike audiences from being created from email lists?

Because Apple expects full compliance with its new privacy policy, and the cost of being caught flouting it is potentially catastrophic for any given advertiser. It is true that Apple can’t directly observe if a list of emails is being shared between an advertiser and an ad network. But to the largest advertisers, Apple is not a faceless publishing platform but rather a business partner: real human relationships affix app developers to the App Store. It’d be impossible for any advertiser to utilize email-based targeting at scale without Apple finding out through some backchannel.

And the consequences of being caught are enormous. Apple holds all of the leverage: it can withhold approval for app developers’ apps or remove their apps from the App Store entirely, and it can also exclude an advertising network from participating in the SKAdNetwork framework for mobile measurement, which would essentially kill its iOS business. Even before Apple formally and decidedly articulated the fact that it considers email sharing to be a form of tracking, serious executives at large mobile advertisers were mostly dismissing email sharing as too big of a risk to take in the ATT-governed operating environment.

There is no loophole to avoid ATT compliance: no clever workaround that will succeed because an advertiser has outsmarted Apple. The advertisers that recognize that their approach to advertising execution and measurement must fundamentally change in service of ATT obedience are those that will prosper once adherence to ATT becomes mandatory. The digital advertising privacy landscape is changing — not just on mobile with IDFA, but on the web with ITP and the third-party cookie phaseout. It’s important for advertisers to be able to distinguish between a tidal wave and a sea change. For better or worse, user-based ad targeting will be extinguished for mobile app advertising, and advertisers are best served by using the coming months to adapt to that new reality.

Photo by John Schnobrich on Unsplash