Skip to main content

iOS 17 Privacy Manifests – What You Need to Know

By September 6, 2023December 12th, 2023News & Updates, Education 13 Min Read
Recent Developments as of December 2023

In early December, Apple released a list of 86 software development kits (SDKs) that will require a Privacy Manifest and Signature starting in the spring of 2024. This means iOS app developers must include the Privacy Manifest and Signature when submitting a new app or an app update that incorporates any of these SDKs.

The listed SDKs provide a mix of functionality including authentication, push, UX development, networking, database and asset management, charts, and more. It’s notable to mention that Google, Meta, Flutter, and OneSignal account for 54 of the 86 SDK entries.

While it is likely this list will grow in the future to include additional SDKs, it is not immediately clear what drove this initial SDK listing or how it might be expanded. Kochava SDK engineers will closely monitor any future developments. All Kochava iOS SDKs will be ready to support Apple’s Privacy Manifests and Signature requirements.

Expected impacts from Apple’s new privacy-focused developer controls

With Privacy Manifests on iOS 17, Apple is giving iOS app developers new control over the egress of data from their apps. Recall this important excerpt from Apple’s User Privacy and Data Use Policy FAQ:

Question:

I have integrated an SDK from another company. Am I responsible for the data collection and tracking of users of my app by that company?

Apple’s Response:

Yes. Developers are responsible for all code included in their apps. If you are unsure about the data collection and tracking practices of code used in your app that you didn’t write, we suggest contacting the developer of the SDK.

FAQ

The key here is that “developers are responsible for ALL code included in their apps.” Prior to Privacy Manifests, a developer implementing third-party SDKs had to trust that the SDK functionality was not collecting and using data for any purpose outside the scope of Apple’s User Privacy and Data Use Policy. If there was any doubt, the developer had no recourse to prevent unauthorized usage other than to pull the SDK altogether—not an ideal approach. 

Privacy Manifests allow the developer to keep SDKs in their app while ensuring they can’t transmit certain data points without a user first consenting to allow app tracking via the AppTrackingTransparency (ATT) framework. This is particularly helpful for app developers integrating SDKs that they may not yet fully trust or understand. 

That being said, when developers are working with SDKs of trusted partners like a mobile measurement partner (MMP), analytics provider, data management platform, and more—care will have to be taken to ensure the proper implementation of certain Privacy Manifest features.

Zeroing in on tracking domains

One particular component of Privacy Manifests, the declaration of tracking domains, requires special attention. Here’s an excerpt from Apple’s documentation.

Declare tracking domains in your app’s privacy manifest

If you determine that the domains your app connects to are using data sent from your app to track people, declare them in your privacy manifest and ask for permission to track under the App Tracking Transparency framework. For more information, see User Privacy and Data Use. The operating system blocks network requests to declared tracking domains when the user has not granted tracking permission.

If you are not expecting your app to track, consider removing the code or contacting the third-party SDK developer whose code is contacting the domain. If the third-party SDK has a privacy manifest, the manifest may also provide you with details about whether the third-party SDK is engaged in tracking. For more information, see Describing data use in privacy manifests.

This means that any domain declared by a developer as engaging in tracking will have all network traffic blocked when ATT=0 (e.g., the user hasn’t opted to allow tracking via the ATT framework). Apple defines ‘tracking’ as:

“the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes.”

However, there’s one potential hiccup here. What if an app developer mistakenly declares a domain that’s not engaged in tracking? 

To be clear, Apple isn’t dictating what these domains are, but rather looking to developers to make this decision themselves. This is where it becomes vital for app developers and marketers to closely communicate with their vendors. If this component is not implemented correctly by an app developer, the potential exists to handicap important functionalities provided by an MMP, for example, that are completely unrelated to tracking as defined by Apple’s ATT framework.

Providing implementation guidance as a 3rd party SDK provider

To help app developers and marketers optimally navigate implementation, we will be creating Privacy Manifests for all of our SDKs that support iOS app measurement. In these Privacy Manifests we will clearly spell out what data is collected and for what reasons. Additionally, new developer documentation will provide clarity on which domains contacted by our SDKs are used to provide consented tracking and therefore should be declared as tracking domains. 

In 2021, Kochava released Privacy Profiles to provide our clients with complete control over how our SDKs collect and use data when ATT consent is not present, including controls to ensure no tracking takes place. We’re excited to further iterate on Privacy Profiles and will be segmenting out new domains for network communication from our SDK that allow for continued data signals unrelated to tracking, but vital for other functionality, including: 

  • Support of SKAdNetwork (SKAN)
  • App install and event measurement (without attribution)
  • Owned media and cross-promotional campaign measurement
  • 1st party analytics
  • Privacy-compliant Apple Search Ads results from the AdServices framework
  • Deep linking into the app for personalized experiences
  • Deep link meta data capture to support cohorted attribution with self-attributing networks (Examples include: gBraid from Google Ads, Facebook’s Aggregated Event Measurement (AEM) campaigns, etc.)
  • And more

We’re committed to privacy and transparency and will be providing our clients with a clear path to compliance with Apple.

What impact marketers should expect from Privacy Manifests

While Privacy Manifests is operating on an honor system at the moment, in that app developers have the onus to implement it, Apple is almost certainly going to make it mandatory in the not-too-distant future. Fingerprinting has continued to persist as a workaround utilized, and in some cases even promoted, by certain vendors skirting Apple’s ATT policies that went into effect in April 2021 with the release of iOS 14.5. Privacy Manifests is shaping up to be the mechanism that Apple will use to finally force compliance by making it technically impossible to gather signals off device without consent via ATT. If you’re in a position where you’re relying on this as a crutch, Apple has clearly sent a final warning shot across your bow.

Proactively future-proof your measurement strategy

The good news is that marketers have a growing array of options to help future-proof their measurement strategy in a privacy-safe manner. Here are recommendations of steps you can take to proactively position yourself for success as campaign measurement continues to evolve. 

A.) Further invest in SKAN 

SKAN can be difficult to get right, but it’s possible. Apple is clearly pushing it as the future of campaign measurement on iOS. If you’re new to SKAN or just want a refresher, check out our Ultimate Marketer’s Guide to SKAN

If you’ve been using SKAN for any length of time and are still struggling to get the insights you need from your SKAN data, our experts on the Kochava Foundry team offer a SKAN Consult that has been a game-changer for some of the biggest brands in the world. Learn more HERE

B.) Explore cohorted campaign measurement with SANs

Kochava now supports cohorted attribution on Google’s gBraid as well as Facebook’s Aggregated Event Measurement (AEM) campaigns, which are privacy-safe approaches to driving reengagement on iOS. Other SAN partners are also planning to introduce these privacy-safe approaches to driving measurable growth. Connect with your client success manager or email Support@Kochava.com to learn about utilizing these campaign types. 

C.) Set the stage for MMM

Marketing mix modeling (MMM) is gaining steam and making a comeback. With advances in technology, next-generation MMM platforms like AIM (Always-on Incremental Measurement) are now dynamic enough to meet the needs of today’s marketers. 

If MMM isn’t on your radar, it should be. It doesn’t rely on the row-level, granular attribution data that is increasingly being phased out. A good prerequisite for effectively testing an MMM platform is adopting a cost aggregation solution that will bring together your spend and conversion data by app, by partner, by country, and by day. This data will provide the foundation for building MMM models. 

If you want to learn more about MMM, check out our MMM 101 webinar series HERE.

Do you have questions?

We want to help, so don’t hesitate to reach out to your Client Success Manager or email Support@Kochava.com

Not a Kochava client? Contact us to connect with our experts and see how we can help you.