Apple iOS 14 Privacy & Facebook Advertising: What Ecommerce Brands Need to Know About IDFA, ATT, and the SKAd Network

by Taylor Holiday

Jan. 21 2021

With Facebook Ad Manager already updating in anticipation of iOS 14’s full rollout, reporting has become a mess of inconsistent, inaccurate, and — in some cases — missing data.

To provide stability and make informed buying decisions, for the next two weeks we’ll be relying on two sources:

  1. Marketing Efficiency Rating (MER) as our North Star
  2. Google Analytics purchase-data captured from UTMs

Google Analytics data will not be affected by Facebook’s changes. We’ll be looking at last-click attribution. And that means, lower ROAS than Facebook’s 28-day default attribution.

To adjust targets, we’ve pulled month-by-month 2020 data from Google Analytics and Facebook for all our clients as well as our in-house brands.

To help you do the same, we’ve replicated that template and created a video tutorial …
Facebook and Google Analytics template, plus video walkthrough for iOS 14 changes to Facebook Ad Manager
Access the Facebook + Google Analytics Template and video instructions

Record-breaking CPMs. Rising acquisition costs. Shipaggedon.

Just when 2020 seemed put to bed — and 2021’s ecommerce future beamed bright — enter … back-to-back days of full-page ads from the world’s sixth most valuable company targeting the third:

Facebook’s Full-Page Ads Against Apple iOS 14 Privacy Update from 12-16-2020 and 12-17-2020 — We're standing up to Apple for small businesses everywhere and Apple vs. the free internet
Above: Facebook’s newspaper ads attacking Apple’s iOS 14 privacy changes; Below: The Verge, Adweek, Bloomberg & The New York Times

News on Facebook's Ads Attacking Apple's iOS14 Privacy and Data Update

For ecommerce businesses whose growth strategies hinge on direct-to-consumers relationships, the crux of the matter isn’t so much politics and PR; but rather, performance.

Is the sky falling? In a word: No. In five: No … at least, not yet.

If we’re tracking correctly (pun intended), iOS 14’s new privacy policy will dramatically affect app developers’ ability to measure and monetize advertising as well as “those that optimize, target, and report on web events.”

How severely this will impact the Facebook Pixel remains to be seen. Especially the relationship between in-app activity on iOS devices and onsite activity by shoppers.

Below, we’ve summarized the most-pressing issues into three questions:
  1. What Is Apple’s iOS 14 Privacy and Data Use Update?
  2. How Will iOS 14’s New Policy Affect Facebook Advertising?
  3. What Do You Need to Do as an Ecommerce Brand to Prepare?

☝️ If you’d like to jump straight to the action, simply click the linked text above. There’s also a list of resources at the end to consult for yourself.

Please consider this a living document. We’ll be updating the sources and steps as we prepare our in-house DTC brands alongside our clients.

What Is Apple’s iOS 14 Privacy and Data Use Update?

In short, the controversy surrounds three acronyms:

  • IDFA
  • SKAd Network
  • ATT

First, Identifier for Advertisers (IDFA) is a unique Apple ID assigned to every device that persists across a user’s applications. On Android devices, it’s known as the Google Play Services ID (GPS ADID). Both are brand-specific subsets of MAIDs (Mobile Advertising Identifiers).

Think of IDFAs as the user-to-app equivalents of cookies-to-browsers or pixels-to-shoppers. On Apple devices, IDFAs track, target, and personalize in-app advertising.

Second, SKAd Network refers to how Apple’s SDK (software development kit) — the set of tools governing how applications get created, run, and managed — interacts with advertising. Once iOS 14’s privacy updates go into effect, app installs as the result of in-app advertising will be mediated by Apple’s SKAd Network.

That’s a mouthful. Luckily, it applies predominately to app developers and not ecommerce advertisers.

Moving forward, the SKAd Network will provide click-through attribution for Publisher ID, Campaign ID, and Conversion Value (set by the advertiser). It will exclude view-through attribution for apps as well as click-through attribution for browser, email, and non-in-app ads.

As a result, Facebook will have significantly less insight into the apps its audience installs and runs. By extension, so will business owners and marketers.

Third, App Tracking Transparency (ATT) — or, “AppTrackingTransparency Framework” — is a new and universal prompt that will appear on all apps to all users.

For ecommerce business, ATT lies at the heart of the issue.

Apple iOS 14 ATT Prompt — App Tracking Transparency Framework

Apple’s “User Privacy & Data”

Examples of tracking include, but are not limited to:

  • Displaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies.
  • Sharing device location data or email lists with a data broker.
  • Sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to retarget those users in other developers’ apps or to find similar users.
  • Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using an analytics SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.

The following use cases are not considered tracking, and do not require user permission through the AppTrackingTransparency framework:

  • When user or device data from your app is linked to third-party data solely on the user’s device and is not sent off the device in a way that can identify the user or device.
  • When the data broker with whom you share data uses the data solely for fraud detection, fraud prevention, or security purposes, and solely on your behalf. For example, using a data broker solely to prevent credit card fraud.

How Will iOS 14’s New Policy Affect Facebook Advertising?

The full roll-out of iOS 14’s new privacy settings is less-than definitive.

In “early 2021,” iOS Apps that collect data for “personalized advertising” will begin displaying Apple’s ATT prompt. This will be an additional layer of privacy atop the current Tracking settings requiring users to either opt-in or opt-out:

Apple's App Tracking Transparency Prompt

When a similar prompt was introduced by iOS 13 regarding geographic information, opt-in rates to allow sharing “with apps when they’re not in use” plummeted from 100% to below 50%.

Facebook’s statements reflect similar projections: “In testing we’ve seen more than a 50% drop in Audience Network publisher revenue”; and, “Our studies show, without personalized ads powered by their own data, small businesses could see a cut of over 60% of website sales from ads.”

In context, it’s crucial to point out that Facebook’s figures are preliminary estimates that may mix ecommerce with SDK implications (i.e., app revenue).

Equally unknown, is how hyperbolic Facebook is being to drum up fear in a PR war to make Apple the enemy. That leaves one final question …

What Do You Need to Do as an Ecommerce Brand?

1. Verify Your Domain in Facebook Business Manager

Verifying your domain is the first, most-immediate, and most-pressing step. To track activity from iOS users after the ATT prompt, Facebook will introduce “Aggregated Event Measurement.”

Facebook’s “Domain Verification”

As a best practice, we recommend all advertisers verify their domain(s) to ensure they have authority to configure the conversion events tracked on their domains.

However, it’s not only recommended but required that businesses verify their domain if the domain has pixels owned by multiple businesses or personal ad accounts.

If these domains are not verified, the advertiser will not be able to edit the domains conversion event configuration.

It’s so critical, I created a video walkthrough on exactly how to go through the verification process yourself:


  1. Enter your Facebook Business Manager Settings
  2. On the left-hand menu, expand Brand Safety > Domains
  3. Select your domain from the available list or click “Add” if it doesn’t automatically populate

Verify Domain in Facebook Ad Manager Business Settings

  1. Follow any of the three verification processes — DNS Verification, HTML File Upload, or Meta-tag Verification
  2. For simplicity, select the Meta-tag Verification tab and copy the “meta name=” by clicking the text
  3. Open your Shopify admin and go: Online Store > Themes > Actions > Edit Code

Shopify Admin Edit Code in Theme

  1. Within Layout, open theme.liquid, search for <head>, and anywhere before </head> … paste the “meta name=” text from Facebook
  2. Save the theme, return to Facebook, refresh, and (lastly) click “Verify”
Two notes about error messages …

First, if you don’t use the Meta-tag method inside Shopify and verification fails, ensure that you’ve set it “at the effective top level domain plus one (eTLD+1 ).”

Effective top level domain plus one

Second, you might also get an error related to your Facebook Pixel. For now, rest assured that you can ignore this message as the rollover to Event Manager and Business Manager continue.

New Domain Sending Data - Facebook Pixel Error from Events Manager

2. Pre-Select Eight “Conversion Events” per Domain & Prioritize

In total, Facebook will be limited to eight conversion events for each domain. Those events will be ranked manually within Ads Manager: that is, prioritized for tracking and optimization.

This feature has yet to be released. Rather, it’s a preemptive measure.

Through private conversions with Facebook, we’ve been assured that the highest priority event (i.e., Purchases) will be tracked — even for users that opt-out of ATT. For users that opt-in, you’ll still be limited to eight.

This presents two thorny challenges. Number one: remarketing. Number two: custom conversions for ecommerce sites with robust analytics.

With both, one-size-fits advice fails.

Instead, we’ve begun working with our clients to triage their event priorities around seasonal factors and consolidate custom conversions as needed.

Lastly, ensure your product catalog feed for DPAs (Dynamic Product Ads) is set-up correctly and prepare for management through one conversion event per catalog.

3. Enable Value Optimization & Only Set Your Own in Two Cases

Value optimization (VO) is a key ingredient in Facebook’s ad platform. Essentially, VO predicts the revenue value of individual users based on numerous factors brought together through machine learning. Facebook then applies that estimate at scale to “bid for your highest value customers.”

For merchants that already use VO, existing values will be automatically moved from Business Manager to Event Manager and “assigned based on historical data.”

The vast majority of Common Thread Collective clients — as well as our own in-house brands — run their advertising from a CBO (Campaign Budget Optimized) center of gravity.

If you use CBO with VO already enabled, no action is needed. Only if you’re bidding manually or if your ad account is brand new should you anticipate setting VO yourself.

4. Establish Historical & Seasonal Benchmarks for Attribution

Already, the ecommerce world was preparing for the end of Facebook’s 28-day attribution window. iOS 14 has pressed home the need to collect, store, and evaluate existing data all the more.

To understand the total impact of your ads, either download the still-available 1-day, 7-day, 28-day performance directly from Ad Manager or use a program like Supermetics to pull those same ranges directly into a Google Sheet.

In addition, you’ll need to anchor that data in a source unaffected by Facebook’s changes. We’ve chosen Google Analytics’ last-click attribution.

Facebook and Google Analytics template, plus video walkthrough for iOS 14 changes to Facebook Ad Manager
Access the Facebook + Google Analytics Template and video instructions

5. Invest Now (Not Later) in Retention & DTC Diversification

We’ve covered diversification before. Always with a warning.

Typically, what ecommerce owners and marketers mean is: “Let’s find a channel that generates the same or better returns than Facebook and Instagram at the same or better volume.”

To be blunt, such channels don’t exist.

For years, Facebook’s Pixel has sat on virtually every ecommerce storefront online; all the while, tracking in-app behavior. That data is Facebook’s moat. Not monthly active users, not usage time; purchase data.

iOS 14’s privacy update may finally signal an end to Facebook’s hegemony.

That doesn’t mean a wholesale shift in customer acquisition. It does mean the dog days of customer retention, Google, and DTC’s hesitancy toward Amazon are over.

By way of summary and in anticipation of 2021 …

First, the almighty email just got a whole hell of a lot more almighty: onsite email and SMS capture, ecommerce email marketing that’s simultaneously relational and profitable, plus accelerating customer lifetime value.

Second, demand-generating opportunities on Google — including Google Shopping, Google Ads, and YouTube — must be as aggressively pursued as demand capture. The same can be said for other ad platforms, though none are immune from the challenges iOS 14 (see TikTok’s statement on Apple’s IDFA Guidelines).

Pinterest’s update sent via email

We have an update for the iOS14 updates and how they will affect Pinterest:

Consistent with the advertising industry, we expect to see a gradual decline in IDFA availability for use in measurement and targeting capabilities following the release of iOS14. As this is an evolving topic, we will continue to monitor for other potential impacts that result from these changes.

We are investigating alternative opportunities to leverage more of the identifiers available to us as well as investing in alternative sources of signal and measurement. In the meantime, our recommendation is to start using emails in place of IDFAs as the next best replacement for audience list targeting and mobile measurement. We will continue to keep you updated as we develop more capabilities to strengthen our conversion visibility and improve our targeting and measurement solutions.

For advertisers that rely on IDFAs for audience list targeting or mobile measurement, we recommend replacing IDFAs with emails and leveraging our Conversion API or Conversion Upload solutions to pass through mobile conversion events. Since Apple’s changes affect only iOS users, you can continue to utilize existing methodology for Android audience list targeting and mobile measurement.

Third, knee-jerk reticence toward Amazon ought to be reevaluated by DTC operators.

The Ultimate Hedge: Not PR, Performance

In the end, the final protection from downside resides in the nature of Facebook’s auction system. Driven by supply-and-demand, if performance dwindles, so too does price.

The system itself is built to require equilibrium.

Less success (performance and efficiency) translates into less spend. Less spend, lower CPMs. Lower CPMs, lower cost per acquisition. And lower costs … drive the platform back to a point where it enables meaningful scale.

If the sky does fall, that’s the hedge. Less data will certainly hurt Facebook’s wallet, but not necessarily yours.


Resource on iOS 14 and Ecommerce

    Want Attribution Certainty Amid the Ad Reporting Chaos?

    Then grab the Facebook + Google Analytics Template & Video! 📊 It’s the very same process we’re using with our clients and our own in-house brands …

      We won’t send you spam. Unsubscribe at any time.


      Taylor Holiday is the CEO of Common Thread Collective. A former professional baseball player who lucked into entrepreneurship over a decade ago, Taylor lives in Southern California with his amazing wife and three kids — “who are my world.” He’d love to connect with you on Twitter or LinkedIn.