What App Tracking Transparency Actually Changed, Five Years On

On 26 April 2021, iOS 14.5 made the App Tracking Transparency prompt mandatory. If you wanted the device advertising identifier (the IDFA), you had to ask for it, in Apple's words, with Apple's modal, and most users were going to say no.

The forecasts at the time were close to apocalyptic. Single-digit opt-in. The end of paid user acquisition on iOS for anyone who wasn't a platform. A measurement blackout that would push budget to Android and to Google's owned inventory.

Five years on, the picture is both more boring and more interesting than that. Opt-in didn't crater to single digits. It's climbed, slowly, every year. But the thing that did break, broke for good, and the teams that adapted fastest were the ones who stopped trying to recover the old signal and started building a new one.

The number everyone got wrong

The opt-in rate did not collapse. It went up.

Adjust's benchmark puts global iOS ATT opt-in at roughly 38% in Q1 2026, up from about 35% a year earlier. Walk it back further and the line is almost monotonic: roughly 34% in Q2 2023, 34.5% in Q2 2024, 35% in Q2 2025. The "initial volatility" Adjust describes settled into a slow, steady rise.

It's higher in the categories you'd expect and a few you wouldn't:

The mechanism behind most of that gain isn't a change of heart. It's the pre-prompt: the priming screen apps show before Apple's modal, explaining what the user gets if they say yes. Apps that earn the opt-in ask for it on their own terms first. Apps that fire Apple's modal cold on launch still get floor-scraping rates. The 38% average hides a wide spread, and a lot of that spread is implementation.

So the first thing ATT changed is the thing nobody priced in: a meaningful, growing minority of your iOS users will hand you the IDFA if you ask well. Roughly six in ten still won't.

That asymmetry is the whole story. A growing minority will opt in. A shrinking majority won't. Everything downstream has to work for both.

What actually broke

For that opted-out majority, the IDFA returns a string of zeros. And the IDFA was never interesting on its own. It was interesting because it was a stable, deterministic key you could join across surfaces: this impression, that click, this install, those in-app events, all the same device. ATT didn't degrade that join. It removed it.

Concretely, the things that stopped working:

• Deterministic, user-level attribution for opted-out installs. You can no longer say "this install came from that exact ad" for the majority of iOS users, not with a device ID. You're left with modeling, probabilistic methods (which Apple's policy frowns on), or Apple's own framework.
• Retargeting and lookalike audiences keyed on the IDFA. Building a custom audience of "users who did X" and pushing it to an ad network for exclusion or expansion broke the moment the identifier went dark for most users.
• Granular post-install measurement at the ad-network level. The networks optimize on conversions they can see. Take away the device-level join and the conversions they can see get coarser, slower, and more aggregated.

Apple's consolation prize was SKAdNetwork. It is privacy-preserving by construction, and it pays for that with everything attribution people care about:

There's also a "crowd anonymity" threshold that can null out the conversion value entirely when a campaign is too small. SKAN tells you something. It does not tell you what a deterministic pipeline used to.

What quietly kept working

Here's the part that got less airtime, because it didn't make a good headline: a lot of signal was never inside ATT's blast radius.

• Your own events on your own users. ATT governs cross-app and cross-website tracking using Apple's identifiers. It does not stop your app from recording that a user signed up, started a trial, or converted, and tying that to a user ID you assigned. Your first-party event stream is intact. The question is whether anything downstream can act on it.
• Android's Install Referrer. Different operating system, different rules. The Play Install Referrer still hands you a deterministic, Google-signed string that ties an install back to the campaign that drove it. Roughly half your users were never on iOS in the first place, and that half didn't change.
• Deterministic deep links. Universal Links on iOS and App Links on Android route a known click to a known destination without an advertising identifier anywhere in the path. If the click is yours, the attribution is yours.
• Server-to-server conversion APIs. This is the big one. Meta's Conversions API, Google Ads' conversion imports and Enhanced Conversions, and TikTok's Events API all let you send conversions from your server instead of from the device. The join moves from "match these two device IDs" to "match this hashed email or click ID we both already have." It's a different model, and it's the one that scaled.

What the MMP category did with it

The mobile measurement partners (MMPs) responded the way you'd expect a category to respond to its core join key disappearing: they rebuilt around the replacement Apple offered. AppsFlyer, Adjust, Branch, and Singular all re-architected with SKAdNetwork as a system of record, bolting modeling and heuristics on top to make the delayed, aggregated postbacks usable for daily decisions.

In 2021, with opt-in expected in the single digits, that was the rational bet. SKAN was going to be most of what you had on iOS, so you built for SKAN.

At 38% opt-in and climbing, plus a mature set of server-side conversion APIs that didn't exist in their current form four years ago, the bet looks different. SKAN is one input now, not the foundation. But re-pointing a pipeline that was rebuilt around aggregated postbacks toward first-party server-side signal is not a config change. It's the kind of thing that's easier to design for from the start than to retrofit.

Where this leaves you in 2026

The honest summary of five years of ATT: the signal didn't disappear, it relocated. It moved off the device, where Apple controls the identifier, and onto your server, where you control the event. The teams getting clean iOS measurement today are the ones who treat their first-party event stream as the source of truth and feed it back to the ad networks through the conversion APIs, with SKAN as supporting evidence rather than the headline.

That's the shape SignalSeal is built around: ingest the conversions you already trust (including revenue events from RevenueCat and Superwall), and fan them out to Meta, Google Ads, and TikTok in real time, server to server. We don't treat SKAdNetwork as the system of record, because for most apps in 2026 it shouldn't be.

ATT was supposed to be the end of mobile attribution. It was the end of a particular, lazy way of doing it. The work didn't go away. It just moved somewhere you actually control.