Apple’s WWDC23: Privacy Updates That Shake Up Digital Advertising

Apple has once again made a splash with their Worldwide Developers Conference (WWDC) this June. You’ve probably seen the highlights, especially the unveiling of the Vision Pro VR goggles. Alongside this major reveal, there were also important announcements across the OS & Mac product suites. Buried in the avalanche of features, there are privacy updates worth discussing. In this post, we’ll unpack the key privacy updates and how they change the way we approach privacy & advertising. Let’s jump right in!

Early Takeaways

  1. Apple made no policy changes on the privacy front this year. The privacy updates they’ve announced should make it easier for developers to comply with the existing Apple privacy policies.
  2. If you haven’t already embraced Apple’s privacy policies on iOS, it’s time to get with the program. The announcements in WWDC23 have made it explicitly clear that Apple is in this for the long haul and they’re serious about enforcing their view.
  3. Privacy Nutrition Labels will serve as the central repository for all app privacy information.
  4. Measurement and attribution features are receiving continued investment from Apple, but measurement will become increasingly difficult for advertising with Safari 17 & iOS 17.

Manifests, Reports, & Labels

For the record, we are not talking about a shipping or cargo company! Apple’s commitment to privacy is unwavering, and they made that crystal clear with the introduction of App Tracking Transparency (ATT) in 2021 & Privacy Nutrition Labels in 2022. During WWDC23, these were highlighted again, along with new items introduced to simplify the creation of the Privacy Nutrition Labels. 

With Privacy Manifests, there is now a tool for app developers & third-party SDK developers to provide the necessary information about their privacy practices and their use of the consumer data they collect. When an SDK developer creates a privacy manifest file, the result is a property list declaring the data types collected by the SDK. The file also includes information on how that data is used, whether it is linked to a user, whether it is used for tracking, and the reason for collecting it. All of the privacy manifests will be rolled up into a single privacy report for an app. The hope here is that this compilation will make it easier for app developers to create accurate Privacy Nutrition Labels.

All of this helps users see what data an app collects, how it is used, and how that impacts their privacy. Be on the lookout for Privacy Nutrition Labels and Privacy Reports in 2024. For more information on data used in the privacy manifest and how to create one, check out the developer documentation from Apple.

Privacy Impacting SDKs

Apple said they will publish a list in late 2023 of third-party SDKs with a high impact on user privacy. There are two things to note for these privacy-impacting SDKs: 

  1. If you develop an SDK on this list, you must include a Privacy Manifest!
  2. Apple is introducing a new concept of signatures for SDKs. This also must be included by the third-party SDK developer. The SDK signatures help validate a code signature from the developer and drive accountability in the app development supply chain.

There are few additional details on the signature process and when it will be required. Apple is stressing that it is not a bad thing to be on this list. Ultimately, it gives developers a transparent way to prove they’re aligned with privacy best practices.

Required Reasons

We do have some API updates coming out of WWDC23. The big one is the introduction of the new Required Reason APIs to minimize the chance of fingerprinting. In a privacy manifest, app developers will declare allowed reasons for usage of an API. This is Apple limiting APIs strictly to their selected use case. Ultimately, no funny business with an API outside of its purpose on a privacy manifest.

Link Tracking Protection in Safari Private Browsing

Apple continues to let us know that online tracking without permission is eroding user privacy. To combat this, they’re introducing Link Tracking Protection along with additional measures to limit cross-context tracking in Safari 17. Link Tracking Protection strips URLs of known tracking query parameters to prevent fingerprinting. This effectively breaks the way UTM parameters have been used for tracking in advertising, which has become common practice to measure certain types of campaign performance. The most interesting tidbit about this update is that Safari 17 will automatically strip the user-based parameters when a URL is copied & pasted into the navigation bar. While this is only happening in Safari’s Private Browsing mode, it still makes the following things more difficult in advertising:

  1. All campaign and audience measurement metrics
  2. Transparency tools supporting fraud & bot detection
  3. Website analytics tools for Publishers
  4. Non-contextual ads that leverage user identity data to respect their preferences

Digging a bit deeper, here is the complete list of technical changes listed on the WebKit site for Private Browsing mode:

  1. Adding blocking for known trackers and fingerprinting
    1. It is believed that Apple will continue to use the DuckDuckGo tracker radar to assist with this blocking in Safari 17.
  2. Adding support for mitigating trackers that map subdomains to third-party IP addresses
    1. Similar to CNAME cloaking, this reduces the number of cookies rolling up to a tracker.
  3. Adding blocking for known tracking query parameters in links
    1. For a view of tracking query parameters that will be blocked, check out the Desktop Private Mode tables from PrivacyTests.
  4. Adding noise to fingerprintable web APIs
  5. Adding console log messages when blocking requests to known trackers
  6. Adding support for blocking trackers that use third-party CNAME cloaking
    1. This already exists as part of Safari’s regular browsing experience with Intelligent Tracking Prevention.
  7. Adding support for Private Click Measurement for direct response advertising, similar to how it works for in-app direct response advertising.
    1. It is not surprising Apple is simultaneously pushing Private Click Measurement for attribution with direct response. They’re basically saying that retargeting can work within the context of a single, ephemeral browsing session. For a refresher, check this link for how it works in-app.

That’s a clear focus on tracking prevention and minimizing fingerprinting surface area.

Tracking Domains on iOS 17

On the app side of things, a privacy update in iOS 17 focuses on control of network connections from an app. Apple is trying to prevent unintended tracking of people without their permission and this feature should make that impossible in an app. For example, if a user does not provide tracking permission, iOS 17 will automatically block tracking domains from an app. The tracking domains are all declared as part of each privacy manifest. As we referenced earlier, privacy manifests are going to play a huge role in compliance with Apple’s privacy policies going forward.
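The roll-up described under Manifests, Reports, & Labels, together with the Required Reason and tracking-domain declarations covered above, shown here as an added example (it is not Apple's or Xcode's own report generator). The manifest keys are Apple's documented ones; the component names, the domain, and the two review checks are assumptions made for illustration.

```python
import plistlib

# Constructed sample manifests (component names and domain are made up),
# serialized to XML property lists as a PrivacyInfo.xcprivacy file would be.
MANIFESTS = {
    "MyApp": plistlib.dumps({
        "NSPrivacyTracking": False,
        "NSPrivacyAccessedAPITypes": [{
            "NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
            "NSPrivacyAccessedAPITypeReasons": ["CA92.1"]}]}),
    "ExampleAdsSDK": plistlib.dumps({
        "NSPrivacyTracking": True,
        "NSPrivacyTrackingDomains": ["tracker.example.com"],
        "NSPrivacyCollectedDataTypes": [{
            "NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeDeviceID",
            "NSPrivacyCollectedDataTypeLinked": True,
            "NSPrivacyCollectedDataTypeTracking": True,
            "NSPrivacyCollectedDataTypePurposes": [
                "NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising"]}],
        "NSPrivacyAccessedAPITypes": [{
            "NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryFileTimestamp",
            "NSPrivacyAccessedAPITypeReasons": []}]}),
}

def rollup(manifests):
    """Merge per-component manifests into one report; flag gaps for review."""
    report = {"tracking_domains": {}, "collected": [], "api_reasons": {}, "issues": []}
    for name, raw in manifests.items():
        m = plistlib.loads(raw)
        tracks = m.get("NSPrivacyTracking", False)
        for d in m.get("NSPrivacyTrackingDomains", []):
            # Record which component declared each tracking domain.
            report["tracking_domains"].setdefault(d, []).append(name)
        for dt in m.get("NSPrivacyCollectedDataTypes", []):
            kind = dt.get("NSPrivacyCollectedDataType", "?")
            linked = dt.get("NSPrivacyCollectedDataTypeLinked", False)
            tracking = dt.get("NSPrivacyCollectedDataTypeTracking", False)
            report["collected"].append((name, kind, linked, tracking))
            if tracking and not tracks:  # assumed check: inconsistent declaration
                report["issues"].append(f"{name}: {kind} used for tracking but NSPrivacyTracking is false")
        for api in m.get("NSPrivacyAccessedAPITypes", []):
            cat = api.get("NSPrivacyAccessedAPIType", "?")
            reasons = api.get("NSPrivacyAccessedAPITypeReasons", [])
            report["api_reasons"].setdefault(cat, set()).update(reasons)
            if not reasons:  # assumed check: Required Reason API listed with no reason
                report["issues"].append(f"{name}: {cat} has no declared reason")
    return report

print("\n".join(rollup(MANIFESTS)["issues"]))
```

The merged `tracking_domains` map shows which SDK is responsible for each domain that iOS 17 would block without tracking permission, and `issues` lists declarations to raise with the SDK vendor before submission.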

One more note on tracking. Blink and you might have missed it, but Apple briefly mentioned SKAdNetwork 5.0 during WWDC. The sole update shared is new support for app opens. Other than that, silence on the SKAN framework from Apple. For a refresher on the current iteration–SKAN 4–here are the developer docs.

Signing Off

Apple’s privacy updates from WWDC23 are a clear indication of their plans to keep pushing the boundaries on privacy. However, these updates don’t come without disabling many commonly used technical features in advertising. WWDC23 presents a new set of challenges to advertisers and AdTech companies. 

We’ll leave you with Apple’s WWDC23 sign off on these updates:

“App developers: Ask for SDK privacy manifests from your third-party SDK developers. Always refer to the Xcode privacy report when you are submitting your app to keep your Nutrition Label up to date.

SDK developers: Adopt signatures and manifests. These are super helpful to your customers. 

All developers: Document and declare tracking domains and Required Reason API usage in your app or SDK’s privacy manifest.”

Questions about the WWDC23 updates? Reach out to us at Tech Lab!


ABOUT THE AUTHOR

Jared Moscow
Director of Product, Privacy & Addressability
IAB Tech Lab