Later in the video, Apple makes two additional points that are germane to ongoing developments in the mobile advertising ecosystem. The first is that leaking user data out of an app to a third party is considered a violation of ATT even if the resultant performance reporting shared with either an advertiser or a publisher is aggregated. This clarification seems to be directed at various solutions being explored by ad tech vendors and ad platforms alike that ingest user-level data from partners but only surface back to them aggregated, campaign-level performance data.
The second point is more consequential, and it is made at the outset of the final segment of the video: Fingerprinting is Never Allowed. The video defines fingerprinting, rather broadly, as “using signals from the device to try to identify the device or user.” This is an all-encompassing interpretation that ignores any distinction between use cases, such as attributing an install versus attributing purchases, and operational implementations, such as with probabilistic methods. Apple’s edict here is straightforward and unequivocal: fingerprinting, even when a user has opted in via the ATT prompt, is in violation of ATT guidelines.
A precedent exists for doing so. Back in April 2021, Apple began rejecting updates from apps in which a specific ad tech vendor’s SDK was integrated; some of the notifications cited the presence of that SDK as the basis for rejection, and others pointed to the fact that certain device parameters were being collected. The ad tech SDK in question was quickly updated to remove the violating access and Apple began approving app updates in which that SDK was included.
If Apple has utilized the app approval process to police fingerprinting before, why won’t it now? As I explain here, app rejections punish app developers first and foremost, and regulating fingerprinting through wholesale ad tech SDK rejection (vs. just one specific ad tech SDK) would cause app updates from every scaled app to be disrupted.
But if Apple appears sufficiently serious about eradicating the practice (and rejecting app updates in the process), maybe the threat of being caught will motivate the general abandonment of the practice. Or Apple may reject enough updates that word of enforcement spreads and the offending SDKs are either updated or stripped out of apps by developers en masse. So while no apparatus or conumer feature, like an expanded Private Relay, was introduced at WWDC to regulate fingerprinting, Apple did assertively and very visibly proscribe its use.