Google’s approach to privacy is ATT-lite

Back in June, Google announced that its “Opt Out of Ads Personalization” setting on Android would begin to restrict developer access to the Google Advertising ID (GAID) when activated on Android 12 devices starting in “late 2021.” Previously, this setting didn’t limit developer access to the GAID when it was activated, and therefore the setting had no impact on the use of the GAID for ads targeting on third-party ad platforms.

Google recently indicated in guidance to advertisers that this change to the GAID opt-out setting will be applied to “newer devices” running Android 12 in late 2021 and will be expanded to all devices and all versions of Android in “early 2022.” This policy effectively emulates what Apple introduced in 2016 with its Limit Ad Tracking feature (what I called “IDFA Zeroing” at the time). Limit Ad Tracking was mostly dismissed as inconsequential when it was introduced, and I remember ad tech vendors mocking me for drawing attention to it.

But the proportion of iPhones that were “LAT on” — or iPhones where the IDFA had been obfuscated as a result of the Limit Ad Tracking setting being activated — consistently increased over time, with almost half of all iPhones in the United States having the feature turned on by the time Apple introduced its App Tracking Transparency (ATT) privacy policy. The LAT setting was replaced with the “Allow Apps to Request to Track” setting at the device level, and the ATT prompt moderates IDFA access at the app level when that setting is turned on.

Google’s re-calibration of its GAID opt-out setting on Android clearly isn’t equivalent to ATT, but it’s important to consider that the privacy landscape for consumer technology has changed remarkably since 2016, when LAT was introduced. Users are far more conscious now of their privacy and the way their data is utilized, conscientiously and otherwise, by both good actors and bad — in large part as a result of ATT and Apple’s exuberant education campaign around how user data is collected and utilized. It’s entirely possible that the adoption rate of the GAID opt-out setting on Android is vastly accelerated relative to that of the LAT setting on iOS.

It’s worth pointing out the various privacy tools and features being introduced to Android 12 that Google revealed at its I/O developer conference this past May:

And it’s also worth noting that Google is introducing a new device identifier called the App Set ID that developers can use when the GAID is unavailable for fraud prevention, analytics, ad frequency capping, etc. The App Set ID functions similarly to the IDFV on iOS: it is unique and persistent for a device for a given developer across its own apps, but not universally, meaning that each developer’s App Set ID for a given device is unique to it. Like with the IDFV, the use of the App Set ID for advertising targeting is explicitly forbidden by Google.

Google appears to be building an ensemble of privacy tools and functionality that revokes access to data in some places and gives users more insight and control over how their data is used in others. And to the extent that one exists at all, this ensemble is Google’s version of ATT: a suite of features that gives users choice and transparency around how they provide data to different parties but which does so passively and which are engaged with at the user’s volition.

Many people speculated — including me — that Google would introduce some sort of ATT-like mechanic to keep pace with Apple related to privacy. This doesn’t seem to be the case: Google isn’t trying to replicate ATT with a single mechanic but is rather rolling out a slew of features to achieve the same general goal of informed and conscientious user privacy. Google’s approach to privacy on Android is ATT-lite.

One caveat to all of this is that Google does have an existing policy that requires the exposure of a consent dialogue when the GAID is attached to PII:

This clause in Google’s developer policy has existed for some time and is not new, and its applicability is not very clear (“In cases where users may not reasonably expect…”). But if Android 12 is receiving a privacy overhaul, it’s possible that this seemingly dormant and under-utilized policy might be re-animated. My general sense is that this policy would apply with a very narrow scope; probably only to apps that sell owned-and-operated inventory and collect PII from users as a normal course of usage.