Apps have become not just a core avenue for brands to grow their audiences and awareness, but also an important revenue driver. Perhaps the best-known example of app-boosted success is Starbucks; achieving a 26% jump in transactions after enabling customers to purchase drinks via mobile, as well as gaining a rich store of data for powering personalised marketing. But the number of brands seeing millions of downloads and healthy volumes of in-app sales keeps growing, including the likes of McDonald’s, Coca-Cola, Sephora, and IKEA.

Such apps have required huge investment to acquire users in the first place and solidify this channel as their preferred touchpoint. This tactic has proven so effective that many big brands have largely reoriented their businesses around them. In the case of Starbucks, higher coffee purchase rates among digitally engaged users have resulted in a digital engagement strategy where two out of three pillars are mobile app-focused.

Sustaining this success, however, may be about to get tougher. Committed to constantly enhancing the protection of user privacy, Apple unveiled significant changes to its privacy measures during WWDC 2023, which are set to have a sizable effect on developers and brands. In fact, close inspection of the finer details suggests the updates might matter even more to brands’ ability to engage with their customers than Google’s third-party cookie execution.

A brief blow-by-blow of Apple’s privacy clampdown

Spurred by rising consumer concern about the use of their personal data, Apple rewrote the rules of data collection in its iOS ecosystem. It began with App Tracking Transparency (ATT) in 2021, which blocked many tracking signals by default — including device IDs — unless users opted in via in-app prompts. Apple’s olive branch to advertisers was SKAdNetwork (SKAN), a framework and technology that provides ad measurement without requiring device IDs.

To say SKAN had a rocky launch is an understatement. Its first iteration was widely maligned, and it wasn’t until the SKAN 4.0 release in 2022 that developers and advertisers saw viable functionality for campaign measurement and optimisation. However, the data signals SKAN provides remain scarce, requiring platform-specific expertise to stitch together its patchwork of insights into something usable. Those who have been wrestling with Apple’s strict privacy initiatives for years are no doubt looking at Google’s Privacy Sandbox rollout with a sense of “been there, done that”.

At last year’s WWDC, SKAN 5.0 was announced with a landmark new feature: reengagement support. Exactly how this will work is still unclear, but the capacity to measure app ad click-throughs from users who have already downloaded apps — not just in-app conversions — will be a significant boost to attribution. Such insights may also inform future targeting strategies to bolster app use and revenues. Although, as of yet, the upgrade is not due to include tools for ensuring ads only reach existing users, or the ability to track post-install ad views.

While SKAN’s reengagement support is a welcome carrot for advertisers and app developers, WWDC also came with two hefty sticks: Privacy Manifests and required reason APIs, both of which are squarely aimed at putting an end to fingerprinting.

Apple has sent advertisers back to the drawing board

In short, Privacy Manifests are enforcement muscle for Apple’s ATT initiative. Where ATT implementation to date has made good progress in preventing device ID-based tracking, this new add-on is intended to tackle the probabilistic approaches many industry players have switched to in lieu of ATT consent, including fingerprinting.

According to Apple, Privacy Manifest files will help developers “to understand how third-party SDKs (software development kits) use data”. At the technical level, this will involve developers requesting details about the privacy practices of certain SDKs and any domains SDKs (or the app) connect to that run tracking, with information from various SDKs then bundled into one collective report developers can pass on when distributing their app.

Beneath this seemingly simple process lie multiple complications. Firstly, apps using APIs with the potential to enable fingerprinting must select from one of Apple’s allowed reasons and only collect data for this purpose, covering everything from file timestamp and user defaults to disk space APIs. Secondly, network requests from tracking domains will fail if users haven’t given ATT consent, including those tracking installs and in-app behavioural events, such as conversions. Finally, there is the confusion around which SDKs have to abide by these rules.

Initially, Apple stated Privacy Manifest provisions would chiefly apply to the most “privacy-impacting” SDKs and promised a comprehensive list before the end of 2023. This list is still pending, but Apple has released a list of commonly used SDKs — and announced developers will need to start requesting privacy manifests from listed SDKs by May 1st 2024.

For now, the list features very few ad-related SDKs, and mobile measurement partners (MMPs) are not included in the list.

However, Apple is making its expectations clear when speaking about Privacy Manifests, stating in its developer blog: “We encourage all SDKs to adopt it to better support the apps that depend on them.” For a deep dive into the technical ramifications of Privacy Manifests that are too detailed to fit here, please refer to our resource centre.

The strong emphasis on developer accountability, and the risk of penalties if they miss avenues of possible data misuse, makes it likely that most app developers will take the cautious route: declaring every MMP as a tracking domain and thereby making it subject to Privacy Manifests and the restrictive stipulations that come with them. All of this means there will be a dramatic reduction in access to data about user activity, essentially driving the death of fingerprinting, and creating an urgent need for adaptation.

How brands can continue to engage and grow audiences on iOS

Implementing long-term strategies to ensure apps are self-sufficient is the first step to try and mitigate the impact of Apple’s latest anti-tracking salvo. Developers and partners who have come to rely on fingerprinting as a way around ATT (and third-party cookie loss), will need to find further privacy-friendly ways to maintain targeting effectiveness if they want to keep fuelling app growth.

Contextual targeting is one especially viable option. Completely privacy-safe, contextual solutions rely on relevant non-personal signals, such as information about mobile content and intelligently anonymised user data, with no necessity for device IDs or data that falls under the broad fingerprinting umbrella. While it will be vital for developers and brands to explore a range of options for privacy-compliant ad delivery, harnessing contextual tools that allow them to serve messages in line with what audiences are consuming and the interest areas most likely to inspire engagement, and action, is a solid jumping off point.

While third-party cookie deprecation is going to be stealing the limelight this year, any brand with significant app-based engagement — or planning to pivot to it — will be far more affected by Apple’s privacy measures. As seen with Starbucks, McDonalds, and the array of loyalty apps that form the backbone of many retail media strategies, apps are a significant source of growth, forming a link between the real world and the digital world through the user’s smart device. Chrome may be huge in terms of numbers, but it is a less meaningful environment for truly understanding consumer behaviour.

In fact, as web browsers become less relevant for day-to-day life and stripped of the signals that once made them a goldmine for insights, apps are only going to increase in importance. Understanding how to best leverage SKAN while deploying privacy-first technologies such as contextual targeting on iOS is going to be vital for audience growth and engagement, all occurring in an environment that — thanks to Apple’s PR blitz accompanying its privacy measures — consumers have come to trust. And trust, when it comes to brand building, is everything.