This comprehensive report examines the technical foundations, operational mechanisms, privacy implications, and regulatory landscape surrounding mobile advertising identifiers—specifically Apple’s Identifier for Advertisers (IDFA) and Google’s Advertising ID (GAID). The analysis reveals that these device-level identifiers have fundamentally transformed mobile marketing attribution and targeted advertising since their introduction in the early 2010s, yet their evolution demonstrates a critical tension between advertiser tracking capabilities and consumer privacy rights. As regulatory pressure intensifies and users increasingly reject tracking through frameworks like Apple’s App Tracking Transparency, the mobile advertising industry faces unprecedented disruption, forcing transitions toward privacy-preserving alternatives such as SKAdNetwork, aggregated measurement approaches, and first-party data strategies while simultaneously exposing the persistent efforts of advertisers and data brokers to maintain tracking through emerging methods including device fingerprinting and location data exploitation.
Understanding the Technical Foundations of Mobile Advertising Identifiers
The fundamental purpose of mobile advertising identifiers lies in enabling precise user tracking across applications and campaigns without revealing personally identifiable information through traditional account credentials. The Identifier for Advertisers (IDFA) is a random device identifier assigned by Apple to a user’s iOS device that advertisers can use to track data for the purpose of delivering customized advertising, linking user actions and events to campaigns and channels, and enabling precise campaign optimization. Similarly, the Google Advertising ID (GAID), formerly known as the Android Advertising ID (AAID), is Google’s unique device identifier that serves as the Android equivalent of Apple’s IDFA and enables precise measurement of campaign performance. These identifiers function as fundamental infrastructure components within the mobile advertising ecosystem, providing a standardized mechanism through which the thousands of applications, advertising networks, and data aggregators can maintain consistent tracking records across disparate touchpoints.
From a technical perspective, both identifiers follow similar architectural patterns. The GAID is a combination of eight characters followed by a dash and three sets of four characters, using all lowercase letters and numerical digits. For instance, a GAID might appear as “bk9384xs-p449-96ds-r132.” The IDFA follows a similar format, consisting of 32 characters with four dashes breaking it into sets of eight numbers, creating identifiers such as “AEBE52E7-03EE-455A-B3C4-E57283966239.” These alphanumeric strings are generated as anonymized identifiers during the initial device setup, with none of the user’s personal information directly embedded within the ID itself. This anonymization, however, should not be confused with true privacy protection, as the identifier remains globally unique to each device and enables comprehensive behavioral profiling when correlated with collected data.
The scope of accessibility represents a critical distinguishing feature of these identifiers. Unlike application-scoped identifiers that remain internal to individual apps, both IDFA and GAID exhibit device-scope characteristics, meaning they are accessible to all installed applications by default. This universal accessibility across the device ecosystem creates the structural foundation for cross-app tracking—a capability that transforms advertising from isolated app-level targeting into comprehensive behavioral surveillance spanning entire user ecosystems. When a user installs an app that integrates advertising SDKs and related third-party trackers, each of these components can access the same device-level identifier, enabling data aggregators to correlate user behavior across dozens or hundreds of applications simultaneously.
The resettability characteristics of IDFA and GAID represent perhaps their most significant distinction from their historical predecessors. Users can reset their IDFA at any time on iOS devices by going to security and privacy settings, selecting tracking, and toggling ‘Allow Apps to Request to Track’ off and then on, with each toggle creating a new IDFA. Similarly, Android users can reset their GAID through the device’s Settings app by navigating to Privacy > Ads, then tapping Reset Advertising ID, or they can delete it entirely through the same menu. This resettability feature emerged as a response to privacy advocates’ concerns about permanent device identifiers—a compromise that provides users with technical means to disassociate themselves from accumulated behavioral profiles while simultaneously demonstrating the intentional design philosophy embedded within these tracking systems: they were built to enable comprehensive surveillance while providing surface-level user controls that most consumers remain unaware of or fail to utilize.
Historical Evolution: From Permanent Device Identifiers to Resettable Advertising IDs
The emergence of IDFA and GAID cannot be understood without examining the problematic tracking ecosystem they replaced. In the early days of smartphones, trackers used static device identifiers including the Unique Device Identifier (UDID) on iOS and the Android ID on Android, which were unique, permanent, and frequently accessed by third parties without user knowledge or consent. These hardware-level identifiers represented an unprecedented privacy violation, as the combination of ubiquitous mobile device adoption and universal access to device identifiers created an infrastructure for comprehensive behavioral surveillance at population scale. In 2010, a Wall Street Journal investigation exposed the extent of UDID tracking, and following a series of probing questions from United States members of Congress, Apple began restricting access to the UDID in 2011.
The advertising industry, deeply invested in the tracking capabilities enabled by UDIDs, responded to Apple’s restrictions with rapid adaptation rather than fundamental reconsideration of tracking practices. In 2012, Apple introduced the Identifier for Advertisers (IDFA), which was almost identical to the UDID it replaced—a globally unique identifier available to all apps by default, with the significant difference that IDFA could be reset, though only if users knew what to look for. The introduction of IDFA represented a carefully calibrated compromise in which Apple appeared to address privacy concerns through the provision of technical reset capabilities while simultaneously maintaining the core tracking architecture that enabled comprehensive behavioral surveillance. Apple also allowed users to enable a setting called “Limit Ad Tracking,” which sent a signal to apps asking them not to track, but this did not actually affect the apps’ ability to access IDFA.
Google followed Apple’s precedent with characteristic pragmatism. Android introduced the Android Advertising Identifier (AAID, later known as GAID) in 2013, making it available to all apps by default without any special permission, while also allowing users to reset their ad identifier but not restrict access to it or delete it. This difference in implementation—Android’s more permissive approach compared to Apple’s marginally more restrictive stance—established a pattern that would persist for over a decade: Android prioritized advertiser interests while maintaining the appearance of user controls, whereas Apple positioned itself as privacy-conscious while enabling the same fundamental tracking infrastructure as its competitor.
The inadequacy of these early privacy protections became evident through behavioral data. Over thirty percent of iOS users chose to opt out of tracking in 2020, representing a 216 percent increase since 2016, demonstrating genuine consumer demand for blocking tracking and ad personalization. In contrast, tracking opt-outs on Android remained minimal, hovering around three percent, a striking discrepancy that reflected divergent platform defaults and user interface designs that either obscured or highlighted privacy options. This divergence foreshadowed the dramatic impact that would result when Apple fundamentally restructured its tracking permissions framework.
The Revolutionary Impact of Apple’s App Tracking Transparency Framework
Apple’s introduction of App Tracking Transparency in iOS 14.5 represented the most significant disruption to mobile advertising infrastructure since the emergence of the smartphone itself. In 2021, Apple introduced App Tracking Transparency (ATT), which requires apps to get affirmative consent before they can track users with IDFA or any other identifier. This transition from opt-out to opt-in, from passive tracking to explicit consent, fundamentally altered the default behavior of the mobile ecosystem. Prior to ATT, approximately 20 percent of users chose to opt out of tracking, meaning four out of five were “opted in,” but after the ATT introduction, the vast majority of users have chosen not to allow tracking, as defaults matter.
The mechanics of the ATT framework operate through explicit user prompts. When an app that wishes to use IDFA is installed on a user’s device, it must request access from the user, displaying a prompt informing them that an app requests to track their activity across apps and websites owned by other companies. When users opt out of the ATT prompt, the policy dictates that the app may not share any identifier for that user with a third party for purposes of advertising targeting, including sharing a user’s email address, real name, phone number, or other identifiers. This represents a categorical departure from pre-ATT behavior, in which apps could access IDFA by default and developers bore no responsibility for obtaining explicit user consent.
The adoption patterns of ATT consent have demonstrated the fundamental transformation in user behavior when confronted with clear choices about tracking. As of Q2 2025, the industry-wide average opt-in rate (based on users shown the prompt) sits at 35 percent, up slightly from 34.5 percent in Q2 2024 and 34 percent in Q2 2023. While this represents modest growth over recent years, the dramatic decline from earlier years reveals the underlying pattern: a recent Singular study shows ATT opt-in rates dropped from 26 percent in 2021 to under 14 percent in mid-2024. This apparent contradiction results from methodological differences and changing user familiarity with tracking prompts, yet regardless of precise measurement, the fundamental reality remains constant—the vast majority of iOS users have rejected IDFA tracking when given explicit choice.
The variation across different app categories illuminates nuanced differences in how users balance tracking concerns against perceived app utility. Gaming remains the top-performing vertical overall, with sports at 50 percent opt-in, hyper casual games at 43 percent, action games at 40 percent, and board games at 30 percent. Education apps saw the biggest shift, rising from just 7 percent in 2023 to 14 percent in 2025, a sign that improvements in onboarding and clearer pre-permission prompts are making a measurable difference in this vertical. These variations suggest that user decisions regarding tracking reflect complex calculations involving perceived value propositions, app category expectations, and the effectiveness of developer messaging within the consent flow.
Geographically, adoption patterns vary considerably. Brazil remains one of the strongest performers with an opt-in rate of 50 percent, followed closely by the United Arab Emirates at 49 percent and Turkey at 42 percent, while countries like Canada and Australia are seeing meaningful gains, reaching 29 percent and 27 percent respectively. These geographical variations likely reflect cultural differences in privacy preferences, regulatory environments that either encourage or discourage data collection, and the effectiveness of localized user education regarding tracking implications.
The Technical and Business Implications of IDFA Tracking Restrictions
The restriction on IDFA access fundamentally disrupted business models throughout the mobile advertising industry. The ATT policy is particularly disruptive for companies that rely on user-level behavioral profiles and user-level conversion data for targeted advertising, including companies in the eCommerce and mobile app industries. For mobile advertisers and publishers, the loss of IDFA access has profound consequences. Prior to ATT, advertisers were able to rely on the Identifier for Advertisers as a common identity that allowed them to make informed advertising decisions based on a user’s activity within an app. This capability enabled precise campaign attribution in real time, allowing advertisers to measure exact return on advertising spend for individual campaigns and adjust budgets accordingly.
Without deterministic IDFA-based attribution, the industry faces fundamental measurement challenges. The lack of access to IDFA has made it more challenging for advertisers to engage their audiences, create personalized experiences, and measure the effectiveness of their campaigns, as advertisers are now forced to rely on less precise targeting methods and have less visibility into user interactions and behaviors. The financial implications proved immediately apparent to major platform operators: Facebook stated that Apple’s App Tracking Transparency feature would decrease the company’s 2022 sales by about $10 billion. This figure represents not mere projection but rather a quantifiable measure of the economic disruption that privacy-preserving changes can inflict upon surveillance-dependent business models.
The impact on mobile app developers parallels the challenges faced by advertisers. App developers who relied on IDFA for cross-app tracking, frequency capping, and conversion attribution lost access to these capabilities for the majority of their user base. Mobile measurement partners (MMPs) who built their entire business model on aggregating IDFA-based attribution data discovered that their core product offering had become partially obsolete overnight. The transformation forced the mobile advertising ecosystem to reconceptualize how attribution, measurement, and campaign optimization could function in a post-IDFA world, leading to simultaneous development of multiple competing frameworks and approaches that remain in flux years after ATT’s introduction.
Android’s Alternative Approach: Delayed and More Permissive Privacy Controls
While Apple imposed ATT as a mandatory requirement affecting all iOS developers and users simultaneously, Google pursued a characteristically more gradual and industry-aligned approach to advertising identifier restrictions on Android. Following the industry push for increased user permissions and transparency spearheaded by the rollout of iOS 14.5, Google released Android 12 in 2021, starting with this update allowing users to limit ad tracking by toggling on “Opt out of Ads Personalization” in their Ads settings, which zeroes out the GAID, preventing advertisers from accessing device-level data. However, the implementation of this opt-out mechanism differed fundamentally from Apple’s opt-in approach. From Android 14 onward, the process involves more options for users, including the ability to customize ad settings, completely remove the GAID, or to reset it.
More significantly, as of April 1, 2022, Android requires developers to request a separate permission in order to access the ad ID, however, this is treated as a “normal” permission, meaning users don’t see any pop-up asking for their consent. This technical distinction represents a fundamental divergence in privacy architecture between the two platforms. On iOS, users receive explicit prompts asking whether to permit tracking, whereas on Android, developers must declare the permission in their app manifest files but users receive no additional notification or choice interface. The regulatory rationale for this distinction appears perplexing: despite the ad ID’s central role in enabling third-party tracking, the developer documents explain that this kind of permission is for data that presents “very little risk to the user’s privacy.”
This characterization of GAID access as low-risk contradicts extensive evidence of its widespread use in surveillance advertising and data exploitation. The consequence of Android’s approach manifests in dramatically lower opt-out rates compared to iOS, with users forced to navigate deeply buried settings menus to access opt-out mechanisms that iOS users encounter at the point of app installation. Google justified this divergence partly through the stated intention to eventually phase down the GAID through Privacy Sandbox on Android, claiming that reliance on the GAID would be significantly reduced by Privacy Sandbox initiatives. Google has stated that reliance on the GAID will be significantly reduced by Privacy Sandbox on Android, which is currently still in testing and development, due for rollout in 2025.
However, this transition timeline has become increasingly uncertain following Google’s dramatic reversal of Privacy Sandbox commitments. Google has officially killed the Privacy Sandbox, with 10 remaining Privacy Sandbox technologies being axed, including Attribution Reporting API for both Chrome and Android, IP Protection, On-Device Personalization, Private Aggregation, Protected Audience API for Chrome and Android, Protected App Signals, Related Website Sets, SelectURL, SDK Runtime, and Topics for Chrome and Android. This decision fundamentally undermines Google’s stated roadmap for transitioning away from GAID. With the Sandbox’s demise, that roadmap has effectively disappeared, and right now, no one knows for sure whether GAID will remain indefinitely. This uncertainty creates profound implications for Android developers and mobile marketers who had anticipated transitioning toward post-GAID measurement frameworks only to discover those frameworks being abandoned before achieving meaningful adoption.
Mobile Advertising ID Functionality and Operational Mechanisms
Understanding how IDFA and GAID function in operational advertising contexts requires examining the complete data flow from impression through conversion attribution. Mobile marketers use advertising IDs like the Google Advertising ID and IDFA to understand which ads, creatives, and channels are most effective, with ad networks utilizing these IDs to get a sense of a user’s behaviors and interests, while advertisers use them to monitor ad engagement and conversions. Through this identification mechanism, advertisers and developers can see views and clicks of ads as well as when a user subsequently installs an app, makes a purchase, or signs up for a subscription or other service.
The attribution process operates through a series of technical exchanges between platforms. When a user encounters a mobile advertisement and clicks through to an app store, the link briefly redirects through mobile measurement partner servers, which record the click event paired with device-level data including the device ID, IP address, user agent, and timestamp. Following the app installation and first launch, another exchange of data occurs as the app’s integration of measurement provider SDKs communicates back to servers with install-time data. Through systematic matching of pre-install click data against post-install events, measurement providers attempt to attribute the user acquisition to specific advertising campaigns and channels.
The sophistication of this attribution matching extends across multiple fallback methodologies. Device ID match occurs first through checking for any past clicks matching the same advertising ID, while for Android phones we also check for matches via Play Store referrer which contains a unique value assigned to a specific click. If the above data is unavailable, the system looks for past click engagements from the same IP address, creating a scorecard taking into account device type, device name, operating system, version, and language. If above data is unavailable, the system looks for past impressions that came through the same advertising ID, and if above data is unavailable, it checks for past impressions from the same IP address as the install’s IP address. This cascading fallback approach acknowledges the reality that advertising IDs represent only one component within a broader ecosystem of tracking mechanisms, each with varying reliability and privacy implications.
The implications of this comprehensive tracking extend far beyond simple campaign measurement. By assigning a device to a single IDFA, advertisers have crystal clear certainty about the defining qualities of that user and are able to accurately attribute them to the correct advertising campaign. This capability enables extraordinarily precise user segmentation, frequency capping to limit ad repetition, and dynamic budget allocation toward highest-performing channels and campaigns. For major technology platforms like Facebook and Google that operate sophisticated advertising marketplaces, this granular attribution data represents a competitive moat and revenue engine.
IDFA and GAID in the Context of Mobile Attribution and Campaign Optimization
The centrality of advertising identifiers to mobile attribution workflows cannot be overstated, as these identifiers enable the fundamental measurement infrastructure through which mobile marketers justify advertising expenditures. Mobile attribution links app installs to marketing efforts, assigning value back to the source that drove the desired action, such as a channel or campaign. In multi-channel, mobile marketing campaigns where marketers spend budgets across a variety of different channels to achieve desired results or measurable events, attribution becomes the essential mechanism for determining which channels drive results and deserve increased investment.
The measurement partner ecosystem evolved to specialize in this attribution challenge. Major mobile measurement partners including AppsFlyer, Adjust, Branch, and numerous smaller competitors built business models centered on integrating with apps as SDKs, collecting detailed user-level data at multiple touchpoints throughout the user journey, and applying proprietary matching algorithms to attribute conversions back to paid channels. Prior to iOS 14.5, this industry created a unified, device-level attribution ecosystem in which a single advertising ID could be matched against click and install events with high confidence, enabling precise return-on-investment calculations that allowed marketers to optimize in real time.
The loss of IDFA access fundamentally undermined this model. For ATT opted-in users, IDFA is recognized as a valid form of identification for conducting attribution, but many advertisers no longer have access to this capability as the majority of iOS users have chosen not to permit tracking. This creates what might be termed an “attribution cliff” in which roughly two-thirds of iOS users remain unmeasurable through IDFA mechanisms, forcing advertisers to operate campaigns on the large opted-out user segment through either probabilistic attribution methods or aggregated measurement frameworks that provide substantially less granular insights.
The business consequences manifest in multiple dimensions. Advertisers face diminished visibility into user-level campaign performance, forcing them to either increase their sample sizes to achieve statistical confidence or accept greater measurement uncertainty when allocating budgets to iOS channels. Mobile measurement partners discovered that their fundamental value proposition—providing precise, device-level attribution—had become partially obsolete for the majority of iOS traffic, forcing painful business model transitions toward aggregated analytics and incrementality testing. Publishers and app developers lost critical feedback mechanisms for understanding which user acquisition channels were driving the most valuable cohorts, complicating their ability to optimize lifetime value.
Regulatory Frameworks and Privacy Legislation Surrounding Mobile Identifiers
The regulatory environment surrounding mobile advertising identifiers has evolved dramatically in recent years, with privacy legislation emerging at both national and international scales. The California Consumer Privacy Act (CCPA), also known as “the California GDPR,” is a state-wide data privacy law that regulates how organizations handle the personal information of California residents, having been passed in 2018 and gone into effect on January 1, 2020. The CCPA grants California residents the right to know what personal information a business has collected about them and how it is being used and shared, enables consumers to opt out of the sale or sharing of their personal information with third parties, and requires companies to obtain consumers’ consent to collect and use personal data if it is categorized as sensitive or belongs to a child.
Critically for mobile advertising, the CCPA defines personal information broadly to include personal data collected through cookies and other tracking mechanisms. This definition creates potential conflicts with the mobile advertising industry’s prevailing assumptions about what constitutes personal data. While industry actors frequently characterize advertising IDs as merely technical identifiers rather than personal information, regulators have increasingly taken positions suggesting that these IDs, when combined with behavioral data, constitute personal information subject to privacy law protections.
The California Privacy Rights Act (CPRA) also enforces the “Delete Act,” effective January 1, 2024, which imposes deletion obligations on data brokers, allowing consumers to more easily delete their personal information held by data brokers in California. This expansion of deletion rights creates additional friction for the data broker ecosystem that has historically profited by accumulating and reselling location data, behavioral profiles, and other sensitive information correlated with advertising identifiers.
The European Union’s General Data Protection Regulation establishes even more stringent requirements. Under the GDPR, personal data is defined very broadly as “any information relating to an identified or identifiable natural person,” including direct identifiers like names and ID numbers as well as indirect identifiers that can be used to recognize an individual, location data, IP address, and factors specific to a person’s physical, psychological, or genetic identity. The GDPR requires companies to provide a clear, transparent, and easily accessible privacy policy that discloses what personal data is being collected and processed, the purposes for which personal data is being used, how long personal data will be stored, who personal data may be shared with, and the rights individuals have over their personal data.
Most significantly for mobile advertising, the GDPR requires explicit, affirmative consent from individuals before collecting and processing their personal data if the legal basis for processing is consent, which becomes the required option for many companies. This consent requirement parallels iOS’s ATT framework but operates at the regulatory level across all businesses serving European customers, creating enforcement mechanisms far more powerful than Apple’s contractual requirements for App Store developers.
The Ecosystem of Data Brokers, SDKs, and Hidden Tracking Mechanisms
Beyond the direct use of advertising identifiers by advertisers and publishers, a parallel ecosystem of data brokers and SDK providers has emerged that exploits advertising IDs to build comprehensive behavioral profiles for sale to third parties. Many SDKs facilitate data collection and third-party disclosure, with apps embedding third-party software development kits directly into their applications to facilitate in-app advertising and transmit data to multiple parties simultaneously. When users grant permissions to an app—such as access to their camera or location—any third-party code embedded in the app receives those same permissions.
Recent FTC enforcement actions have exposed the scale of location tracking exploitation enabled by advertising identifiers. The FTC alleged that Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with consumers’ precise location data from January 2018 to June 2020, and the raw location data Mobilewalla collected was not anonymized, meaning such data could be used to identify individual consumers’ mobile devices and the sensitive locations they visited. Furthermore, Mobilewalla collected location data from women who visited pregnancy centers, which was used to build audience segments targeting pregnant women, and collected location data from people who protested the death of George Floyd and determined the protesters’ racial backgrounds and whether they lived in the cities in which they protested.
Similarly, Gravy Analytics and Venntel allegedly obtained consumer location information from other data suppliers and claimed to collect, process, and curate more than 17 billion signals from around a billion mobile devices daily, with the location data the companies sold usable to identify consumers and not anonymized. Gravy Analytics used geofencing to identify and sell lists of consumers who attended certain events related to medical conditions and places of worship and sold additional lists associating individual consumers to other sensitive characteristics.
These enforcement actions illuminate the systematic exploitation of advertising identifiers to construct de facto identification systems that enable tracking across intimate domains of human life—healthcare decisions, religious practices, political activities, and intimate relationships. The ad identifier is a significant channel that enables a whole range of privacy breaches in leading cases like invasive third-party profiling by Facebook and Google, psychographic targeting by political consultants like Cambridge Analytica, and location tracking by the US military.
Methods for Disabling and Resetting Advertising Identifiers
Given the privacy risks enabled by advertising identifiers, mobile operating systems provide mechanisms through which users can limit tracking. On Android devices, disabling advertising ID tracking involves relatively straightforward steps. On Android, users can open the Settings app and navigate to Privacy > Ads, then tap “Delete Advertising ID” and confirm the changes, which will prevent any app on the phone from accessing the advertising ID in the future. This option became available starting with Android 12, though the feature may not be available on older versions, in which case users can instead reset their ad ID and instruct apps not to track by turning on “Opt out of Ads Personalization” in their Ads settings.
On iOS devices, the process differs reflecting the different technical architecture of Apple’s privacy framework. Apple requires apps to ask permission before they can access the IDFA, and when an app asks for permission to track users, users should select “Ask App Not to Track” to deny it IDFA access. To see which apps have previously been granted access to the IDFA, users can go to Settings > Privacy > Tracking, and here they can disable tracking for individual apps that have previously received permission. Users can set the “Allow apps to Request to Track” switch to the “off” position to prevent apps from asking to track in the future, and if users have granted apps permission to track in the past, toggling this switch off will prompt them to ask those apps to stop tracking, with the option to grant or revoke tracking access on a per-app basis.
Beyond direct advertising ID controls, users can employ broader privacy strategies. Apple has its own targeted advertising system separate from the third-party tracking enabled by IDFA, and to disable it users should navigate to Settings > Privacy > Apple Advertising and set the “Personalized Ads” switch to the “off” position to disable Apple’s ad targeting.
The effectiveness of these opt-out mechanisms varies significantly based on user awareness and technical proficiency. Disabling the advertising ID makes it substantially harder for most advertisers and data brokers to track users, as these industries process data from millions or billions of users every day and rely on convenient technologies like the ad ID to make that kind of scale possible, so removing this tool from their toolbox results in substantially less data that can be associated with users. However, important limitations exist. Removing the advertising ID won’t stop all tracking, as fingerprinting, IP logging, and first-party data such as Google or Facebook logged-in tracking still enable tracking. Additionally, some apps bypass advertising ID restrictions, especially if users use the same Google or Apple account everywhere.
Regular resetting of advertising IDs provides marginal additional privacy benefits. Resetting creates a new random ID, making it harder to build a long-term profile, and breaks tracking chains, though resetting isn’t instant as it can take hours for ad networks to update, and some apps may ignore “Opt out of ads personalization” but still use the ID for analytics.
Alternative Tracking Mechanisms and Device Fingerprinting
The restrictions on IDFA and GAID access have prompted the advertising and data broker industries to develop alternative tracking mechanisms that circumvent regulatory restrictions and user privacy preferences. Device fingerprinting represents perhaps the most sophisticated of these alternatives. Device fingerprinting is a sophisticated method used to identify and track devices based on a collection of unique attributes and works by collecting a set of attributes and characteristics of a device to create a unique identifier from this data. Unlike advertising IDs, which depend on explicit system-level identifiers that users can reset or disable, fingerprinting constructs identifiers from the combination of numerous device characteristics that remain relatively stable across time and sessions.
Device fingerprinting involves gathering extensive information about a device’s hardware and software configurations, including browser information such as the web browser type, version, and installed plugins, hardware specifications like screen resolution, CPU type, and available fonts, network information such as IP address, time zone, and geolocation data, and user behavior including interaction patterns such as mouse movements and typing speed. By combining these diverse attributes, fingerprinting systems generate unique identifiers that remain consistent across sessions even when advertising IDs are reset or deleted. The collected data is processed to generate a unique identifier or “device fingerprint,” which can be hashed for privacy, ensuring that only the profile (and not individual data points) is shared or stored.
The effectiveness of fingerprinting as a tracking mechanism has increased as machine learning and artificial intelligence have been integrated into fingerprinting detection systems. Key innovations in device fingerprinting for 2024 include enhanced accuracy, integration with AI and machine learning, improved methods to detect device spoofing, and advances in cross-device fingerprinting that enable seamless user identification across multiple devices. These technological improvements have prompted regulatory concerns and enforcement actions. Apple has stated in its recently updated privacy FAQs that fingerprinting is not allowed.
Despite Apple’s stated position, fingerprinting techniques persist in mobile advertising and fraud prevention contexts, operating in a legal gray zone where enforcement remains inconsistent. The use of fingerprinting raises fundamental questions about whether regulatory frameworks designed for traditional identifiers can effectively address fingerprinting-based tracking, as fingerprinting exploits properties of devices and browsers rather than explicit tracking identifiers that regulators can easily address through legislation.
Alternative Identifier Frameworks: App Set ID, IDFV, and Cross-Publisher Tracking
As regulatory and user pressure has restricted access to device-wide identifiers, the industry has developed alternative identifier frameworks that operate with reduced scope or enjoy greater regulatory approval. App Set ID on Android is a unique ID that can be used by publishers to know which of their apps any given user has installed—that’s the “set” in App Set ID, allowing a publisher to know whether a user has multiple apps from their portfolio installed on the same device. App Set ID allows you to analyze a user’s behavior across multiple apps that an organization owns, as long as you don’t use user data for advertising purposes.
Notably, App Set ID will be reset if all the apps in the set are uninstalled from the device, or if they go more than 13 months without being used. This reset mechanism provides users with some means of disassociating themselves from accumulated profiles, though the reset only occurs under specific conditions that many users may not trigger. The scope limitation inherent in App Set ID—restricting it to a single publisher’s portfolio of apps—represents a significant departure from the universal device-wide tracking enabled by GAID.
Apple’s equivalent framework, the Identifier for Vendors (IDFV), is a code assigned to all apps by one developer and shared across all apps by that developer on a device, with the IDFV being identical across apps from the same developer running on the same device but different values being returned for apps from different developers. The IDFV is predominantly used in cross-promotion as it allows developers to accrue first-party data that can be leveraged within their own advertising and publishing ecosystem, attribute cross-promotional installs, and track reinstalls. Importantly, the IDFV remains until all apps from that developer on the device have been deleted, and if they download an app (or more) from that same vendor again, a new IDFV is generated.
The critical distinction between IDFV and IDFA reflects a fundamental philosophical divergence in identifier design. Unlike the identifier for advertisers (IDFA) which is unique to each app on a device, the IDFV is unique to the app developer account and is identical across all apps published by that developer that are on the user’s device. The IDFV cannot be reset by the user and is provided by the App Store to the developer, persisting until all apps from that developer are uninstalled from the device. More significantly for privacy, availability of the IDFV will not be affected by the AppTrackingTransparency framework, which requires user opt-in to access the IDFA. This exemption reflects Apple’s judgment that publisher-level cross-promotion represents a more acceptable use case than third-party behavioral targeting.
SKAdNetwork and Privacy-Preserving Attribution Frameworks
As IDFA access became restricted through ATT, Apple simultaneously introduced SKAdNetwork as its officially sanctioned replacement attribution framework. SKAdNetwork is Apple’s privacy-compliant framework for measuring app installs and select post-install events, providing privacy-safe install postbacks with timer-based conversion values. When you launch a SKAN 4.0 campaign, ad networks receive up to three postbacks over roughly 35+ days, with each eligible app install generating up to three postbacks aligned with specific conversion windows and random 0–24-hour delays for privacy.
The operational mechanics of SKAdNetwork represent a radical departure from IDFA-based attribution. Window 1 occurs at 0–2 days with a postback around day 2–3, Window 2 occurs at 3–7 days with a postback around day 7–8, and Window 3 occurs at 8–35 days with a postback around day 35–36, though it can arrive after day 41 depending on conversion window settings and Apple’s crowd anonymity thresholds. The randomized delay built into these postbacks exists explicitly to prevent correlation of postback timing with specific user actions, protecting privacy by introducing uncertainty that prevents attackers from reconstructing individual user journeys.
Critically, each postback includes a conversion value and a campaign ID but does not include a user ID. This aggregation prevents measurement partners from performing user-level attribution and forces the industry toward campaign-level and cohort-level analysis rather than individual user tracking. The implications represent a fundamental constraint on advertiser abilities to optimize campaigns in real time based on granular user-level data, forcing transitions toward batch-level optimization and cohort-based approaches.
The adoption and effectiveness of SKAdNetwork has proven mixed. Currently, only 15 percent of in-app bid requests observed are SKAdNetwork compatible. This low adoption rate reflects the significant engineering effort required for ad networks to integrate SKAN postback handling, the technical complexity of configuring conversion value hierarchies for different business models, and advertiser hesitation about the measurement limitations inherent in aggregated, delayed postback data.
Meta (Facebook) developed Aggregated Event Measurement (AEM) as an alternative attribution framework designed to provide richer data than SKAdNetwork within Meta’s advertising ecosystem. Meta AEM delivers near real-time, modeled conversion data limited to Meta’s ecosystem, while SKAdNetwork provides delayed, deterministic install and event postbacks across all iOS ad networks, adhering to strict privacy thresholds. Critically, although AEM covers web and in-app events within Facebook, Instagram, and Audience Network, it doesn’t attribute installs from non-Meta channels or satisfy Apple’s SKAN requirements, therefore SKAdNetwork remains mandatory for complete iOS attribution.
The Future of Mobile Attribution in a Privacy-Restricted Ecosystem
The trajectory of mobile advertising measurement points toward a fundamental reorganization of how attribution operates at scale. The transition from user-level, deterministic attribution enabled by advertising IDs toward aggregated, cohort-level measurement represents a shift as significant as the earlier transition from cookies to mobile IDs. This reorganization will likely feature multiple measurement methodologies operating in parallel rather than a single dominant framework.
First-party and zero-party data collection represents one critical direction. First-party data is information that a brand collects directly from its audience and customers through their interactions with the brand’s owned properties and touchpoints, including website browsing behavior, purchase history, app usage data, CRM information, and engagement with customer service channels. Zero-party data refers to information that customers explicitly and intentionally share with a brand, including preferences indicated in a profile, answers to survey questions, information submitted in quizzes, or an email address provided for a newsletter subscription.
The strategic shift toward first-party data reflects a recognition that sustainable attribution will depend on direct relationships between brands and consumers rather than on third-party tracking infrastructure. Data sourced directly from customers is typically more accurate and relevant than data acquired from third-party sources, reflecting genuine interactions and explicitly stated preferences, leading to more precise targeting and personalization. Building strategies around first- and zero-party data grants marketers greater independence from external data providers and the shifting policies of large technology platforms, providing a much-needed element of stability.
Incrementality testing and media mix modeling represent alternative measurement methodologies that do not depend on deterministic user-level attribution. These approaches treat entire cohorts or populations as units of analysis rather than individual users, measuring the causal impact of advertising through controlled experiments or statistical deconvolution. While less precise than user-level attribution, these methodologies prove more robust to privacy restrictions and technical limitations.
Solidifying Your IDFA and GAID Understanding
The evolution of IDFA and GAID from their introduction in the early 2010s through the present moment crystallizes fundamental tensions inherent in digital advertising infrastructure. These advertising identifiers emerged from the mobile industry’s desire to maintain the comprehensive tracking capabilities that had characterized earlier internet advertising, repurposing permanent hardware identifiers as resettable advertising IDs that provided surface-level privacy protections while maintaining core surveillance functionality. The industry successfully maintained this compromise for nearly a decade, during which time behavioral profiling through advertising identifiers became embedded in countless business models, measurement methodologies, and advertising campaigns.
The introduction of App Tracking Transparency represents a rare instance in which a platform operator made a definitive choice to prioritize user privacy over advertiser convenience, implementing changes that fundamentally degraded the capabilities that the surveillance advertising industry had come to depend upon. Apple’s decision to transition iOS to opt-in tracking, combined with its development and promotion of privacy-preserving alternatives like SKAdNetwork, demonstrated that alternative approaches to mobile advertising were technically feasible, even if commercially less profitable than comprehensive tracking would be.
Google’s approach to Android exemplifies the continued resistance of advertising-dependent companies to meaningful privacy restrictions. By maintaining GAID access through opt-out rather than opt-in mechanisms and burying privacy controls in settings menus rather than displaying them at points of interaction, Google has preserved substantially higher tracking rates on Android relative to iOS. The subsequent abandonment of Google’s Privacy Sandbox initiative reveals the company’s unwillingness to commit to the kinds of systemic changes that would genuinely reduce cross-device tracking in favor of first-party measurement approaches.
The ongoing efforts by data brokers and advertisers to circumvent privacy restrictions through device fingerprinting, location tracking, and other alternative mechanisms demonstrate that regulatory prohibition of specific tracking technologies does not necessarily eliminate tracking practices but rather drives them toward less transparent, more difficult-to-regulate approaches. The FTC’s recent enforcement actions against data brokers including Mobilewalla, Gravy Analytics, and Venntel indicate regulatory recognition of these circumvention techniques and a willingness to pursue aggressive enforcement actions, yet the scale of data broker operations and the innovation rate at which circumvention techniques emerge suggest that enforcement alone cannot fully address systemic tracking practices.
The future of mobile advertising measurement will likely feature a heterogeneous ecosystem in which multiple attribution frameworks operate in parallel: aggregated, privacy-preserving approaches like SKAdNetwork for broad-based optimization; cohort-level measurement approaches like incrementality testing for causal impact assessment; first-party data collection for direct customer relationships; and continued efforts at fingerprinting and alternative identification schemes by less scrupulous actors. The outcome of this evolution depends partly on continued regulatory pressure, user awareness and advocacy, and the strategic choices made by platform operators regarding default privacy settings. The question that remains unresolved is whether privacy-preserving measurement approaches will ultimately prove sufficient to support the advertising industry’s business models or whether the fundamental incompatibility between comprehensive behavioral targeting and meaningful privacy will force a more dramatic reorganization of digital advertising economics.
Protect Your Digital Life with Activate Security
Get 14 powerful security tools in one comprehensive suite. VPN, antivirus, password manager, dark web monitoring, and more.
Get Protected Now
