Recently, mobile attribution companies have been trying to generate buzz on the topic of connecting mobile users across apps and mobile web, which they have dubbed "people-based attribution." As a result, we at Adjust have had questions about our plans for a similar feature.
The answer is simple: Adjust will never release a feature that relies on selling user data, as current people-based attribution solutions do.
Let's have a closer look and explain why.
“Pay no attention to the man behind the curtain!”
First of all, we need to understand what people-based attribution is supposed to mean and how it actually works.
Peering behind the curtain, we find that the feature’s big achievement is an ability to connect the mobile web browser of a device to apps installed on the same device.
Browsers, unlike apps, do not make the device ID (like IDFA or Google Advertiser ID) available in the way apps do. So in order to connect them, you need to drop a cookie in the browser and somehow make the connection to the IDFA of the device.
The easiest approach for this is to use deeplinking.
When a user gets deeplinked through the browser into an app, you can drop a cookie into the browser and then attach it to the deeplink. Once the app opens, it reads the cookie ID from the URL and can simply connect it to the IDFA.
Next time the user opens a website with their mobile browser you can read this cookie and connect their activity to his IDFA.
But in reality, this seemingly simple idea requires some questionable choices in order to make it actually work.
It’s no secret that both Google and Apple frown on using cookies to track users across the web. Apple’s ITP makes it harder and harder with each new version to store cookies for the purpose of tracking users, and both Apple and Google have already made it impossible to drop the third-party domain cookies which typical web trackers rely on.
This means that to be allowed to write a cookie on your browser, the domain in your address bar has to be the same as that of the cookie. In other words, before sending the user into the app, you first need to send the user through a special landing page.
Have you ever wondered why some solutions seem to wait a few seconds before redirecting you into the app?
That’s to trick Apple’s ITP into allowing them to drop a cookie.
In the end, Apple and Google will continue to crack down on cookies that do not serve a functional purpose. With ITP 2.2, for example, Apple reduced the lifetime of cookies like this down to 24 hours.
Which leads us to our second problem.
If this solution only used data generated by the client’s app(s), then they would only be able to identify users on their website that had previously been deeplinked into their app — which would be a very small fraction of users. In other words, people-based attribution won’t work in the vast majority of use cases using only a single client’s data.
Now consider that this is a product being sold by mobile attribution companies. Would you be willing to pay for this service if it’s only going to work for a tiny percentage of your users? Probably not. So there must be something else going on that allows people-based attribution to work for more than a tiny percentage of your users.
So where do all those cookies come from?
"Soylent green is people!"
Certain players in the mobile space that offer people-based attribution understand that to create enough coverage, they would need to tap into all their clients’ data.
This means whenever any user of any app they track gets deeplinked, they drop their cookie and store its connection to the device ID in their device graph, a database of users spanning the mobile web and apps.
This is where the problems begin.
The user’s profile is not stored within the scope of a single app but becomes part of a device graph that is owned and operated by the attribution provider. The data stored in this graph will remain if the user uninstalls the app, or even if the user opts out of a single app’s data-sharing agreement.
Under the GDPR, there is a strict distinction between data processors and controllers. To put it simply, processors only work with user data as if they were an extension of the app publisher’s own service. They cannot use data across multiple publishers or sell data to third parties. Controllers need to have their own relationship with the end-user and need to obtain consent for actions that are not covered under so-called “legit interests,” such as building user profiles.
This means when an attribution company feeds user data into a user graph that is then sold to clients, they should in fact be asking the user to opt-in first, before adding them to their graph.
Now imagine you’re a user, you’ve clicked on an ad and you’re about to be deeplinked into an app… except suddenly a popup from an attribution provider you’ve never heard of asks if it’s ok to create a profile for you and track you.
Not only would this be devastating for conversion rates, it would also almost certainly not have a significant enough opt-in rate to generate sufficient coverage. Don’t even mention the impact it would have on users’ opinions of an app, especially considering all the recent headlines about user privacy and user tracking.
“Do you feel lucky, punk?”
So how do the companies selling user data solve this dilemma?
The answer is: they don’t. None of them ask for permission to collect users’ data. In fact, none of them even let users know they are being tracked.
While it might be easy for some to ignore the GDPR, the upcoming CCPA will be unavoidable. Legality aside, let’s just stop and think about how this looks from the consumer’s perspective.
Say an app is using a tracking tool that sells user data to an unknown third party without informing users, and without their consent. Do you really want to argue the legal details of this when the Washington Post calls you?
If you’re thinking, “As long as no one knows, I’ll be fine,” some of the providers of people-based attribution proudly display the logos of the biggest apps that feed their device graph in their sales presentations.
After all, the data needs to come from somewhere.
“What is it good for? Absolutely nothing!”
Let’s ignore for a moment that the technology behind people-based attribution is creepy, at best, by looking at what marketers get out of it.
You can make up any scenario where people-based attribution offers additional insights about a user’s journey, but it’s worth asking: What does it really mean for your use case?
Any app that doesn’t have an accompanying mobile website or runs a significant share of web-based inventory doesn’t benefit at all — but their users’ data still feeds into the graph, of course.
There are genuine use cases for mobile apps that also have a web-based presence. However, at the moment, most providers of people-based attribution only offer a simplified diagram of users flowing from app to web and vice versa, instead of a full-fledged actionable analysis.
The marketing for people-based attribution makes it sound as if it is the be-all and end-all to marketer’s questions. In reality, it solves a small subset of issues that focus around users switching from web to app on the same device. For example, people-based attribution using IDFA-to-Cookie linking can solve cross-platform tracking, but it does not provide any cross-device tracking.
And even if it could be leveraged to be more useful, there would still remain an extremely problematic core issue.
“With great power comes great responsibility.”
It is simply unacceptable for an attribution company to sell private user data.
For Adjust this is not just self-evident, it is one of our core principles. We believe that attribution should be done in accordance not only with the law but also with the highest respect for user privacy.
The current technology used for people-based attribution does not pass any of these tests. As such, it will never appear on our roadmap.