iOS Tracking Analysis
With the release of iOS 14.5, Apple introduced new App Tracking Transparency (ATT) standards requiring iOS app developers to either cease engaging in user and device data tracking or request permission to continue doing so. According to Apple, "tracking" occurs when user or device data is either (1) linked with information that identifies such user or device collected on apps, websites and other locations owned by third parties for the purposes of targeted advertising or advertising measurement, or (2) shared with data brokers. Although many iOS developers themselves may not engage in tracking activities, it's prudent to conduct preliminary analyses of any third parties with access to the developer's iOS user or device data to better elucidate whether such third parties, and thus the developer according to Apple, are engaged in tracking. To that end, below are some high-level steps an iOS developer can take to identify whether third parties may be engaged in tracking through the developer's app.
- Linking as Tracking
- For each third party, perform a two-step analysis asking the following questions:
- Q1: Is user or device data being combined or linked with any user or device collected from any third party or their owned/operated properties?
- If no, the linking is most likely not tracking.
- Q2: If yes to Q1, is the developer or third party's purpose of the linking/combination targeted advertising or advertising measurement?
- If no, the linking is most likely not tracking.
- If yes, the linking is most likely tracking.
- Q1: Is user or device data being combined or linked with any user or device collected from any third party or their owned/operated properties?
- Sharing with Data Brokers as Tracking
- Apple generally defines a "data broker" as any company that regularly collects and sells, licenses, or otherwise discloses to third parties the personal information of particular end-users with whom the developer does not have a direct relationship. Applicable statutory/regulatory definitions of data broker may apply as well.
- Some states have data broker registries (e.g., California and Vermont), so a good first step is to perform an online search in such registries for the third parties with access to user or device data through the developer's iOS app.
- If the third party has access to developer's iOS user or device data and is included in one or more registries, they are a data broker and likely engaged in tracking.
- Even if the third party isn't listed on any registry but they are receiving user or device data from the developer, the developer should review the applicable agreement(s) between the developer and such third party to determine whether the third party is expressly prohibited from (a) using such data for purposes other than providing the services to the developer or (b) disclosing such data to third parties generally.
- If the service provider is expressly prohibited (and not listed on any registry): assuming the third party is in compliance with the agreement(s), the third party most likely isn't tracking via the developer's app and Apple's "sharing with data brokers" trigger.
- If the service provider is not prohibited (and not listed on any registry): the developer must conduct more in-depth analysis to determine what the third party actually does with the developer's iOS user/device data to come to a clearer conclusion on whether such activities constitute tracking. The developer should also seek to amend such agreement(s) to ensure tracking activities are expressly prohibited.
Print and share
Explore more in
Perkins on Privacy
Perkins on Privacy keeps you informed about the latest developments in privacy and data security law. Our insights are provided by Perkins Coie's Privacy & Security practice, recognized by Chambers as a leading firm in the field. Subscribe 🡢