Apple's App Tracking Transparency (ATT) framework, introduced with iOS 14.5 in April 2021, requires apps to ask users for permission before accessing their IDFA. Industry-wide opt-in rates sit between 15% and 30%. For affiliate programs, this means deterministic device-level attribution works for a minority of iOS users. The majority of iOS installs must be attributed through probabilistic methods, SKAdNetwork, or server-side workarounds.
Google is following a similar path with the Android Privacy Sandbox. While GAID remains available today, Google has announced plans to deprecate it in favor of the Privacy Sandbox APIs (Topics, Attribution Reporting, FLEDGE). Android attribution will shift from deterministic device matching to aggregated, privacy-preserving measurement -- a change that will affect every mobile affiliate program.
Impact on Affiliate Attribution
| Change | What It Means for Affiliates | Adaptation Required |
| --- | --- | --- |
| IDFA opt-in only (iOS) | 70-85% of iOS users cannot be tracked deterministically | Shift to probabilistic + SKAdNetwork attribution |
| SKAdNetwork conversion values | Apple provides limited, aggregated install data with a 24-48 hour delay | Redesign commission triggers to work with fewer data points |
| GAID deprecation (Android, upcoming) | Android will follow iOS toward privacy-preserving attribution | Prepare S2S and first-party tracking infrastructure now |
| IP-based fingerprinting restrictions | Both platforms are limiting IP-based probabilistic matching | Invest in first-party data and authenticated user matching |
| Third-party cookie deprecation (mobile web) | Mobile browsers already block most third-party cookies | |
Do not build your mobile affiliate program around device-level tracking that requires IDFA or GAID. Both identifiers are being deprecated or restricted. Programs that depend on deterministic device matching will see increasing attribution gaps year over year.
SKAdNetwork for Affiliate Programs
Apple's SKAdNetwork (SKAN) provides privacy-preserving install attribution on iOS. It confirms that an ad (or affiliate link) led to an install, but it does not provide user-level data. SKAN reports are aggregated, delayed by 24-48 hours, and limited to a small number of "conversion values" -- numeric codes that represent post-install behavior.
- SKAN reports confirm the install source (ad network or affiliate) but do not include user IDs or device IDs
- Conversion values (6 bits = 64 possible values) must encode your most important post-install signals into a single number
- Reports are delayed 24-48 hours and have a privacy threshold -- low-volume affiliates may not receive any SKAN data
- SKAN 4.0 introduced hierarchical conversion values and multiple postbacks, improving granularity for higher-volume sources
- For affiliate programs, SKAN is useful for validating volume from large affiliates but insufficient for per-user commission tracking
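To make the 6-bit budget concrete, here is an added example (not code from the original article or from Apple) that packs four post-install signals into one conversion value and unpacks it on the server. The bit layout, the bucket floors and the function names are assumptions chosen for illustration, as is treating a missing value as "no data".

```python
from typing import Optional

# Hypothetical 6-bit layout (an assumption, not a schema defined by Apple):
#   bits 0-2  revenue bucket (index into REVENUE_FLOORS_USD)
#   bit  3    user registered
#   bit  4    first purchase or deposit made
#   bit  5    user returned on day 2 or later
REVENUE_FLOORS_USD = [0, 1, 5, 10, 25, 50, 100, 250]  # constructed bucket floors


def revenue_bucket(amount_usd: float) -> int:
    """Index of the highest bucket whose floor is <= amount_usd."""
    if amount_usd < 0:
        raise ValueError("revenue cannot be negative")
    return max(i for i, floor in enumerate(REVENUE_FLOORS_USD) if amount_usd >= floor)


def encode(amount_usd: float, registered: bool, purchased: bool, retained: bool) -> int:
    """Pack the four signals into one conversion value in the range 0-63."""
    return (revenue_bucket(amount_usd)
            | (int(registered) << 3)
            | (int(purchased) << 4)
            | (int(retained) << 5))


def decode(value: Optional[int]) -> Optional[dict]:
    """Unpack a reported conversion value; None means the report carried no value."""
    if value is None:
        return None
    if not 0 <= value <= 63:
        raise ValueError("conversion value must fit in 6 bits")
    bucket = value & 0b111
    upper = REVENUE_FLOORS_USD[bucket + 1] if bucket < 7 else None
    return {
        "revenue_usd": (REVENUE_FLOORS_USD[bucket], upper),  # [floor, next floor)
        "registered": bool(value & 0b001000),
        "purchased": bool(value & 0b010000),
        "retained": bool(value & 0b100000),
    }
```

Only the revenue range survives the round trip, not the exact amount, which is why commission triggers have to be defined in terms of buckets and flags.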
Privacy-Safe Attribution Strategies
The operators that maintain accurate mobile attribution in the post-ATT landscape share three practices. First, they maximize first-party data by encouraging authenticated sessions (login, registration) as early as possible in the user journey. Second, they use S2S postbacks for all commission-relevant events, eliminating dependence on client-side tracking. Third, they run hybrid attribution that combines SKAN data, probabilistic matching, and first-party signals into a composite attribution model.
- First-party data: Encourage early registration so you have an authenticated user ID before any in-app event fires
- S2S postbacks: Route all attribution data server-to-server -- no client-side tracking code that can be blocked
- Promo codes and referral links: Low-tech but highly reliable -- a unique code ties the user to the affiliate regardless of tracking restrictions
- Contextual signals: Use campaign-level data (geo, time, creative format) to validate attribution when user-level data is unavailable
- Consent optimization: Design your ATT prompt to maximize opt-in -- clear value proposition, shown at the right moment, not on first launch
Promo codes are underrated as a privacy-safe attribution method. A unique code per affiliate (e.g., "PARTNER100") is entered by the user during registration or purchase -- no device ID, no cookie, no fingerprint needed. Many prop trading firms already use coupon codes as their primary affiliate tracking mechanism.
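One way to order these signals when a server-side postback arrives, as an added example that is not from the original article: promo code first, then a first-party click ID, then a probabilistic match above a confidence cut-off. All names, IDs and the 0.8 threshold are hypothetical; SKAN is left out because its reports carry no user-level data.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data; all names and IDs here are hypothetical.
PROMO_CODES = {"PARTNER100": "aff_17"}   # promo code -> affiliate
CLICKS = {"clk_9f2": "aff_42"}           # first-party click ID -> affiliate
MIN_CONFIDENCE = 0.8                     # assumed cut-off for probabilistic matches
_seen_events = set()                     # event IDs already processed


@dataclass
class Postback:
    event_id: str                        # unique per conversion, set by the sender
    user_id: str                         # authenticated first-party user ID
    promo_code: Optional[str] = None
    click_id: Optional[str] = None
    probabilistic: Optional[Tuple[str, float]] = None  # (affiliate, confidence)


def attribute(pb: Postback) -> Tuple[Optional[str], str]:
    """Return (affiliate, method), preferring the most deterministic signal."""
    if pb.event_id in _seen_events:
        return None, "duplicate"         # a retried postback must not pay twice
    _seen_events.add(pb.event_id)

    code = (pb.promo_code or "").strip().upper()
    if code in PROMO_CODES:
        return PROMO_CODES[code], "promo_code"
    if pb.click_id in CLICKS:
        return CLICKS[pb.click_id], "first_party_click"
    if pb.probabilistic and pb.probabilistic[1] >= MIN_CONFIDENCE:
        return pb.probabilistic[0], "probabilistic"
    return None, "unattributed"
```

Recording the method alongside the affiliate lets you audit how much commission rests on probabilistic matches rather than deterministic ones.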
Preparing for the Next Wave
Privacy restrictions will continue tightening. The programs that will thrive are those building attribution systems that work without any device-level identifier. Invest in S2S infrastructure, first-party user matching, and commission models that can tolerate some attribution uncertainty. A RevShare model based on lifetime player revenue is more resilient to attribution gaps than a CPA model that requires exact click-to-install matching for every conversion.
Key Takeaways
- iOS ATT opt-in rates are 15-30% -- deterministic device matching works for a minority of iOS users
- SKAdNetwork provides aggregated, delayed attribution -- useful for volume validation but not per-user commission tracking
- Android Privacy Sandbox will bring similar restrictions to GAID -- prepare your tracking infrastructure now
- First-party data, S2S postbacks, and promo codes are the three most resilient attribution methods in a cookieless world
- Commission models that tolerate attribution uncertainty (RevShare on lifetime value) are more resilient than strict per-event CPA