Like Facebook in 2017, Apple Closes “Deep Link” Ad Tracking Loophole

Branch is by far the most widely adopted deep linking solution today. Years ago, we recognized that linking infrastructure that “just works” would be critical for consistent, compelling user experiences. So we built a platform to provide exactly that infrastructure, across every platform, privacy framework, and channel. Deep linking is part of what helped mobile apps cross the chasm from a “nice to have” add-on to a core part of any company’s strategic vision. 

This week, on the cusp of the iOS 14.5 public release and accompanying enforcement of the AppTrackingTransparency policy, Apple made a last-minute change to their User Privacy and Data Use marketing page. A superficial reading of this new addition could seem like an extremely broad limitation on deep linking. However, the reality is that Apple is simply closing a loophole related to ad tracking.

Let me explain.

Over the years, Branch has seen just about every application of deep linking technology, but the primary use case has always been to drive overall mobile adoption and retention by improving the user experience.

This means deep linking itself is a UX tool: it delivers tremendous value by removing friction from the user experience. However, like many technologies, this core functionality can be reused for purposes it was never intended to support. 

Gaps like these, between what is technically feasible with a tool and what is permissible use under platform policy or applicable law, are sometimes purposefully exploited to create convenient “grey areas”. Misusing deep links designed for user experience as an “alternative” to a tracking link designed for advertising measurement is just such a grey area. Yes, the technology theoretically makes it possible, but only when intentionally abused.

As it turns out, we have a precedent for exactly this situation when it comes to deep linking: back in 2017, Facebook closed a loophole that allowed access to device-level advertising attribution data without meeting the contractual and technical standards of their MMP program. This workaround was most famously used by TUNE after they were removed from the MMP program in 2014. By calling Facebook’s deep linking API to retrieve parameters intended for UX optimization, TUNE could instead repurpose this data to perform device-level advertising measurement.

Once Facebook discovered this workaround, they made a policy change to address it and TUNE was forced to retract their offering.

That brings us to the section Apple added to their User Privacy page this week:

This addition might appear quite disruptive on the surface, but it is actually just closing the same tracking loophole that Facebook addressed in 2017.

At first glance, it’s possible to read the question itself as Apple upending the use of all deep linking until users have given consent to tracking via the ATT opt-in. However, we believe interpreting the question this way would not be a sincere reading of Apple’s intent, based on their full public answer immediately below it.

Why? Apple’s answer explicitly clarifies that deep linking requires ATT opt-in if those links are being used to power ad targeting, ad measurement, or sharing with a data broker. This is a direct parallel to their existing guidance against using probabilistic “fingerprinting” or first-party data (like a hashed email address) as IDFA alternatives. In other words, this is a simple clarification that data collected by any means, if used for purposes related to advertising tracking, is subject to the ATT policy.

We agree with Apple’s stance on this, and we’re glad to see them make this move to keep deep linking focused on its original purpose: creating great product experiences for users.

In summary, if you plan to use deep linking technology, tracking link technology, fingerprinting, hashed user email addresses, or any other data collection technique for advertising tracking applications, you must collect opt-in permission via the AppTrackingTransparency framework.

However, if you — like the vast majority of developers — are using deep links to enhance user experiences by enabling users to find the content they want, and carefully ensure that the data from these links is not misused to subvert the ATT framework, Apple’s updated guidance should not create any new compliance concerns.