💎 Growth Gems #109 - Privacy, Data, and Paid Acquisition
Hey,
This week, I’m sharing gems on privacy manifest, fingerprinting, and Google privacy sandbox.
I’m betting I’ll lose some “growth generalist” subscribers over this one…but I think it will be valuable to the mobile marketing folks!
These insights come from David Philippson and Eric Seufert.
Enjoy!
🥇 TOP GEM OF THE WEEK
SPONSORED INSIGHT
Vibe.co has been on my radar for a while, as I find their promise of democratizing TV advertising quite compelling.
While I haven’t run streaming and CTV ads myself, I’ve seen some strong arguments to test this channel when ready to go past the biggest platforms.
Campaigns start at $50/day, it’s a CPM model, and there is no commitment. Check them out!
In this post-ATT era, where measurement is never straightforward, this looks like a promising channel.
The demo is with my man Alex Pham, so I can pretty much guarantee you it will be a good convo.
Privacy, data and paid acquisition: privacy manifest, SKAN, Google’s privacy sandbox, programmatic
Gems from David Philippson (CEO at DataSeat) and Eric Seufert (Independent Analyst & Investor) in The future of device fingerprinting on the MobileDevMemo podcast.
What’s often tricky with predicting the future is not only what you predict, but also the timeline: back in 2021 Eric was predicting a real crackdown on fingerprinting, which still hasn’t come.
Are those who embraced SKAN from Day 1 better off than those who have been relying on “probabilistic attribution”, even if it’s temporary? Not sure.
Nonetheless, if I’m going to listen to two people taking out a crystal ball to talk about the future of privacy and measurement, it’s going to be on MDM.
I learned a lot from this one: Eric and David are sharp, and their discussion helps you understand how some things are connected, so that even if the future doesn’t turn out a specific way, you get a sense of what might be next.
Privacy manifest
💎 Apple said it would give “A list of privacy-impacting SDKs (third-party SDKs that have particularly high impact on user privacy)”. Instead, it gave a list of commonly used SDKs (not just privacy-sensitive SDKs). Is this to not put themselves in a corner, or is this a list of the ones you thought might not be privacy-sensitive to tell developers that this is the baseline of privacy-sensitive?
(07:35) by Eric
💎 It could be that Apple is putting “self-policing” on the developers. The fact that the list has such common SDKs (e.g., DiskSpace, required for updates) means that essentially everybody needs a Privacy Manifest. Example: Disk Space, very commonly used, is listed.
(08:55) by David
David is wondering if this is orchestrated and thought through or if it is a lack of coordination/knowledge within Apple.
When I see the recent DMA announcement, I think it’s the former.
💎 Fingerprinting does not require any of the “required reasons” APIs. All you need is an IP address, device type, and OS version. You don’t need DiskSpace or the last boot time (although it would enhance it!).
(11:00) by David
💎 MMPs should not celebrate not being on the list. Apple considers probabilistic attribution to be fingerprinting and is rolling out tools to combat it. Apple presents a policy that is not based on a technical solution so that MMPs can’t find a workaround. By doing so, it ends up being judge, jury, and executioner: they decide who does fingerprinting.
(11:50) by Eric
Eric shared that all developers can do is try to fill out their privacy manifest correctly. In the end, if they violate that and present it to consumers, they are the ones misrepresenting data usage (not MMPs).
💎 Some MMPs (e.g., Branch, Singular) are leaning more toward SKAN and being compliant, while other MMPs lean the other way. As soon as 20-30% of developers are advised to list their MMP’s tracking domain URL in the privacy manifest, the rest of the developers will start to self-enforce (maybe after some slaps on the wrist).
(14:02) by David
SKAN 4 vs. Fingerprinting
💎 You have to balance the benefits of fingerprinting against the risk relative to the functionalities of SKAN 4. Meta still needs to increase the SKAN 4 penetration between other platforms and begin to really invest there.
(15:00) by Eric
Eric poses the following question: “Once SKAN 4 is ubiquitous, do you really get much more out of IP address fingerprinting?”.
This becomes even more relevant in light of recent observations that SKAN 4 has 70% fewer null conversion values than SKAN 3, which means that only 20 installs (per day per campaign) are required to get 97% of signal for crowd anonymity tiers 2 & 3.
We’re still far from full adoption, but the trend is good (27% of postbacks are SKAN 4, according to AppsFlyer)…Even Meta, which doesn’t have a lot of incentives to speed things up, has ramped up adoption in the last few weeks.
💎 You want to have one source of truth, but now we might get into the same dynamic as what happened with SRNs. Meta is beginning to offer options such as Aggregated Event Measurement (AEM) with advanced data sharing. For the latter, MMPs send data including IP address and user agent header. Advertisers are forced onto SKAN, but if Meta is allowed to fingerprint, then it will be an uneven playing field, and eventually, all the other ad networks will try to come up with similar solutions (and ask the MMPs to send the same data).
(16:05) by David
Eric shared that ad networks like Meta know that MMPs want to stay relevant on iOS in this new SKAN era and use it as leverage to ask them to do their “dirty work” of collecting user data.
This is what’s happening with Advanced Data Sharing, which collects data even for users who have not opted into ATT. Here is AppsFlyer’s doc on AEM and Advanced Data Sharing.
That said, they both agreed that even without AEM and advanced data sharing, the biggest ad networks still have server-to-server (S2S) capabilities (e.g., Meta’s Conversions API, TikTok’s Events API, etc.).
As an advertiser, what are you going to do? If S2S and AEM campaigns perform, you keep them around…
💎 Apple might know that obfuscating users’ IP addresses would end fingerprinting. It would start an ATT 2.0, but Private Relay would also be expensive in server costs to roll out to all iOS users (vs. just the ones paying for iCloud like right now). But a cheaper solution is to make a policy like they just did to scare app developers away from engaging in fingerprinting while making SKAN good enough.
(22:15) by Eric
💎 Apple could even just add noise to fingerprinting because it creates false positives: directing a random 10-20% of traffic through Private Relay would break fingerprinting, particularly since there’s already some noise (e.g., in areas where more people are on their phone operator’s IP address vs. wifi).
(23:45) by David
David even imagined that Apple could micro-target advertisers and ad tech that seem to be breaking rules, force Private Relay just for them, and gather wanted features for SKAN in the meantime (e.g., geo-targeting).
Either of those things would be smart…Don’t shoot the messenger.
💎 The current status is in favor of those breaking the rules. Comparing 2 developers/advertisers, the one using fingerprinting will be making more money. This pushes them to the “dark side”.
(27:05) by David
Google Privacy Sandbox
💎 Google introduced a LAT-style setting on Android 13 where users can turn their GAID off in their settings. However, only a very small base of users turn this off. But if Google gets rid of GAID, there won’t be an opt-out/opt-in.
(28:52) by Eric
💎 Google is working in partnership with MMPs/SSPs/DSPs to run proof of concepts. They want to maintain retargeting capabilities, retain their Audience and the Topics API. It’s very collaborative. It will be different in terms of privacy from now, as there will be no more user profiling. Attribution will still be in real-time and deterministic.
(29:58) by David
💎 Google Advertiser ID is going to be around for a while. Apple and iOS can push out an operating system: it comes out in September, and by the holidays adoption is at 80-90%. With Android, it takes years because Google has the OEM complexity (e.g., Samsung modifies Android). The plan is for Android 16 to be “purely sandbox”, and then adoption still needs to happen.
(31:05) by David
He explained it will take even longer in emerging countries (e.g., in LATAM), where it’s going to take people longer to buy new phones that have Android 16 installed.
💎 The privacy sandbox offers a lot more than SKAdNetwork: Topics API, targeting, Fledge, Retargeting, attribution reporting API, an equivalent of SKAN but much richer and without intentional delays on postbacks.
(33:25) by David
Not yet familiar with privacy sandbox?
Big topic. The good news is, it seems like we have some time.
Here is Google’s documentation. For a SKAN vs Privacy Sandbox comparison, check out this article by Rich Jones (Director of Product at DataSeat)
Eric mentioned that the area where things might be harder is Google Chrome.
💎 There will be an Android system for attribution, in which case MMPs might become more of an aggregation dashboard like they are for iOS.
(34:30) by David
💎 There was always tension between MMPs and advertisers. You could build what they do yourself for one source of data, but what happened is that Facebook gave MMPs the privilege of getting the data: you had to be part of Facebook’s partnership program. This prevented any challengers from emerging.
(35:05) by Eric
SKAN already reduced the relevance of MMPs, and with Google’s privacy sandbox this will go even further.
The MMP privilege position won’t exist anymore, and they won’t be able to charge as much for that (not the same technology, not the same server costs). This is the same thing Lucas Moscon was referring to in the insights I shared in Growth Gems #107.
This is why some MMPs are building out their value proposition outside of data dashboards, even though I’ve yet to see those be complimentary…
💎 There used to be 100k+ of ad networks, but that’s reduced as well. With SKAN, there are only about 100 SKAN signatures. So the value of MMPs has decreased there as well.
(39:10) by David
Programmatic on mobile
This is a good time to mention that experts have different views that are usually consistent with their company’s narrative. Doesn’t mean the insights are not true, but it’s good to keep in mind.
💎 Mobile web traffic was underutilized, had less demand, and therefore was cheaper. However, it was always trackable with fingerprinting (e.g., mobile search, SMS, QR codes, etc.). SKAN 3.2 couldn’t track Google Search, but SKAN 4.0 does. However, SKAN has no view-through traffic, so mobile web performance from banners/videos will most likely be under-reported.
(40:18) by David
💎 The majority of programmatic performance is driven by rewarded video, but this ad format is for a native app (typically a game), not mobile web. This has made mobile web less desirable for app advertisers.
(42:10) by Eric
💎 Hypercasual games were an ad machine, but there are a lot fewer now. This means less supply, which could lead to higher inventory prices. On the other end, with SKAN, there might also be less demand when fingerprinting is banned as some advertisers might not be able to be ROAS positive with SKAN only (and therefore will end up spending less).
(42:39) by David
💎 On the demand side, we’re beginning to see more brand spend in-app. CPMs were inflated by the huge amount of investor/VC-backed money. Now, the bubble has popped, and CPMs are lower, which is why some big brands like Nike, Adidas, retail apps, etc. advertise more in-app.
(43:34) by David
David shared that most of the big brands that have apps use global media agencies for their media buying (e.g., GroupM, OMD, etc.). Those don’t really engage with app specialists and limit themselves to the status quo of trading deals with DV360 (Google’s Display & Video 360), The Trade Desk, and AppNexus.
So, he expects that if a big agency is running a campaign with The Trade Desk and the campaign is SKAN only, they’ll have no clue what’s happening and just think it doesn’t perform because they won’t be able to log into their MMP and see their 360-day LTV results.
David’s business benefits from this, and DataSeat has started working with bigger brands, as they need a specialist who understands SKAN.
💎 The demographics of games are great for many big-scale brands: there are many middle-aged women (e.g., Candy Crush). Big brands used to be priced out by games for in-app inventory, but that’s not as much the case anymore: they can now compete for impressions.
(46:40) by Eric
💎 In the current climate (war, upcoming elections, etc.) brand safety is higher in games than on mobile web (e.g., mobile puzzle games). Brands are gun-shy about anything that could be a vulnerability for their brand safety.
(47:20) by Eric
They explained that this doesn’t happen for in-app ads and contextual targeting because every campaign that is run is on a publisher’s whitelist: advertisers need enough spend to push past the SKAN privacy threshold (which means you can’t do “run of network”). As a result, the source apps where in-app ads are displayed are approved by brands, which makes them brand-safe.
As David said, with a game, “All users will see is a 30-second ad, then they’ll go back to popping bubbles”.
💎 There are two types of DSPs:
The biggest ones were built through hyper-targeting and recognizing users. They’re bigger on Android than iOS and have not embraced SKAN as well as they can.
The ones that have embraced iOS and SKAN (e.g., contextual targeting like DataSeat)
(1:01:24) by David
David shared with me that most advertisers do not know that sharing data with the DSPs leveraging hyper-targeting is helping their competitors…For example, the biggest loser would be Expedia, while the biggest winner would be a new hotel booking app working with the same network.
Before I leave, here is a quote on establishing a quality bar:
“You can’t just 80/20 everything” - Mark Zuckerberg
See you next time.
Stay curious!
⛏️ Sylvain