Yesterday, Shopify officially unveiled Shopify Audiences, a new product that allows Shopify Retailers to target relevant audiences using aggregated customer data from across the Shopify platform. Details on the functionality of the Audience product are light: the existence of the product was leaked from an alpha program last year, and a limited amount of functional design context was shared then.
My understanding of the product from the aforementioned leak is that it creates custom audiences and lookalike audiences based on purchase data generated from opted-in retailers. Those audience lists are encrypted and delivered to retailers’ ad accounts on participating advertising platforms — which, according to the product’s one-pager, is comprised currently of just Facebook and Instagram.
One question that immediately surfaces: how is this approach to audience aggregation and targeting privacy-compliant under Apple’s App Tracking Transparency (ATT) guidelines?
There are two reasonable approaches to answering this question.
The first is that ATT is not law: it’s an exceptionally vague platform policy that is enforced by fiat via the whims of Apple. The language of ATT is likely nebulous and murky by design: Apple wants to reserve maximum optionality in enforcement, and sharpening the corners of ATT with very specific prohibitions would reduce that optionality (and likely create a cat-and-mouse game of workarounds). Keep in mind that, while ‘fingerprinting’ is explicitly forbidden by ATT policy, the practice continues unabated on iOS because Apple hasn’t actually defined that term pointedly to the extent that it is prosecutable, although I do believe fingerprinting will be policed in the near-term future. The common law principle of relying on the consistent application of precedent to adjudicate disputes — and of stare decisis, which binds judges to precedent in ruling on specific cases — doesn’t apply to ATT or any other platform policy. Apple can make decisions in the dark and enforce its policies however stringently it so chooses for any given instance. No participant in the iOS ecosystem can ever know if it is fully compliant with ATT; it can only know, based on sanctions from Apple, when it isn’t.
But the second reason why Shopify’s approach to audience targeting could be deemed compliant with ATT policy is that it mirrors Apple’s own approach to delivering ad targeting:
- Apple owns iTunes, which processes IAP transactions and app downloads, and that data is considered first-party to Apple despite the fact that it describes transactions related to developers’ apps;
- Shopify processes payments for retailers, and that transaction data is considered first-party to Shopify despite the fact that it describes transactions related to retailers’ properties.
With the caveat that I haven’t seen any technical documentation for Shopify’s Audience product, if my rough hypothesis of the data transmission workflow is correct, then the data used to construct targeting audiences on behalf of retailers belongs to Shopify: Shopify processes transactions and owns the customer data related to those transactions. It’s entirely within Shopify’s prerogative to deploy those encrypted custom audiences (lookalikes) to an ad platform for use in ad targeting; it makes no difference what property Shopify is choosing to advertise using that first-party transaction data.
Note that this would not be true if Shopify didn’t have a credible first-party claim to transaction data: if Shopify was a third-party recipient of transaction data from retailers, and Shopify aggregated the data from many different retailers for the purpose of building audiences, this would be a clear violation of ATT. Similarly, if Shopify allowed the aggregated data to be accessed by retailers for their own use in building audiences, that would constitute the comingling of first- and third-party data that ATT is architected to disrupt. But because Shopify owns the data that it sends to ad platforms, then its use of that data conforms with the restrictions of ATT, and the properties it uses that data to promote are irrelevant.
What an ad platform receives from Shopify is not atomic conversions data that it can use to aggregate user-level profiles: those user-level profiles remain within the sole purview of Shopify, and what is sent to an ad network is a list of profiles that are already targetable and aren’t decomposable into behavioral histories of individuals. In the workflow depicted above, ad platforms simply receive targeting lists, and those lists can’t be used to enrich the user profiles that ad platforms possess — they can merely be used for targeting ads, and the ad platform would be blind to any conversions resulting from that targeting. Worth noting is that Ben Thompson predicted that Shopify might deploy a strategy very similar to this back in February.
Again: this use case is not prohibited within ATT. Advertisers are free to create custom audiences from their own first-party data and to use those audiences for targeting on ad platforms. What ATT is designed to prevent is the transmission of user-identifiable conversion data to ad platforms such that the ad platforms can compile cross-site behavioral profiles for those users.
One objection to my characterization here might be that ad platforms are receiving data that is obviously useful: while the platform might not have direct visibility into why any given user is identified as valuable, it can probably make an educated guess given the source (Shopify facilitates eCommerce transactions!), and it might be able to use the mere inclusion of that user in a list as a signal of value for similar advertisers. This is true, but it invokes the first point from above: ATT doesn’t specifically prohibit sending lists, and because no clear precedent has been established from which to draw guidance (because Apple doesn’t litigate this type of behavior in the open), Apple would have to sharpen its guidelines to explicitly prohibit this form of data sharing. Additionally, Apple’s enforcement options in a case like this are limited. Shopify operates web storefronts, so Apple can’t use the app approval process to influence behavior.
Effectively, with its Audience product, Shopify is operating a Content-Fortress-as-a-Service: it is aggregating first-party data and utilizing it on behalf of its customers (retailers) for ad targeting, but those ads are being served on a separate property. This is not a formulation of the Content Fortress construction that I had envisioned when I came up with the concept, but it is nonetheless functional in the new, post-ATT environment. As a reminder: a Content Fortress is any platform or portfolio of products supported by a rich advertising ecosystem serving owned and operated inventory using only first-party data. I imagine, as everything becomes an ad network, that productive partnerships between first-party data aggregators and the properties that service owned-and-operated inventory proliferate where that makes more sense than the alternative.
My assumption is that Shopify won’t launch a proprietary ad network across its retailer web properties: retailers might bristle at the idea of their competitors poaching their customers via ads hosted on their own websites. But Shopify can combine its first-party data across all retailers and use it as a sort of communal pool of data to target users on other properties with little controversy: in this case, Facebook and Instagram. In situations where this makes sense — where a company can’t feasibly build ad inventory across its owned portfolio of content — then utilizing its first-party data as a Content-Fortress-as-a-Service to target ads on non-owned properties may be a suitable alternative.