Deep Linking · 7 min read

Privacy Considerations for Deferred Deep Linking

By Tolinku Staff

Deferred deep linking inherently involves connecting a web click to an app open across an app install. That connection requires some form of user identification, whether it is a deterministic token, a device fingerprint, or a platform API. Each method has privacy implications, and the regulatory landscape has tightened significantly since GDPR (2018), CCPA (2020), and Apple's App Tracking Transparency (2021).

This guide covers the privacy challenges specific to deferred deep linking, how regulations like GDPR and ATT apply, and how to build deferred linking flows that respect user privacy while still delivering users to the right content. For the technical foundations, see how deferred deep linking works. For accuracy tradeoffs across matching methods, see deferred linking accuracy.

What Data Does Deferred Linking Collect?

Different matching methods collect different data:

Deterministic Methods

Google Play Install Referrer: No personal data is collected by the developer. Google passes the referrer string (which the developer set) through the Play Store. The data flow is Google-to-app, not web-to-app. The referrer string should contain only your deep link context (path, campaign ID), not personal identifiers.

Clipboard matching: The developer's web page writes a token to the clipboard. The app reads it back. The token itself is under the developer's control. Privacy concern: reading the clipboard accesses whatever the user last copied, which could be sensitive (passwords, personal messages). iOS 14+ shows a paste notification for this reason.

Probabilistic Methods

Device fingerprinting collects device attributes:

  • IP address (personal data under GDPR)
  • User agent string (browser, OS, device model)
  • Screen resolution
  • Language preference
  • Timezone
  • Accept-Language and Accept-Encoding headers

Under GDPR Article 4, an IP address is personal data. A device fingerprint (combination of attributes that uniquely identifies a device) is also personal data under Recital 30 of the GDPR. This means fingerprint-based deferred linking requires a lawful basis under GDPR.

GDPR and Deferred Linking

Lawful Basis

GDPR requires a lawful basis for processing personal data. For deferred deep linking, the two relevant bases are:

Legitimate interest (Article 6(1)(f)): You can argue that deferred linking serves both the user's interest (landing on the right content) and the developer's interest (better user experience, higher conversion). This requires a Legitimate Interest Assessment (LIA) documenting:

  • The purpose (routing users to correct content after install)
  • The necessity (no less invasive way to achieve this on iOS)
  • The balancing test (user benefit vs. privacy impact)

Consent (Article 6(1)(a)): Explicitly ask the user before performing fingerprint-based matching. This is the safest approach legally but creates friction: you need consent before the matching happens, which means prompting the user on first app open before you know if they even came from a deferred link.

ePrivacy Directive

The ePrivacy Directive (and the upcoming ePrivacy Regulation) governs the storage of and access to information on a user's device. Clipboard-based deferred linking involves both writing to and reading from the device clipboard, which may fall under ePrivacy's consent requirements for device storage access.

The Directive's Article 5(3) requires consent for storing or accessing information on a user's device, with exceptions for what is "strictly necessary" to provide a service the user has requested. Whether deferred deep linking qualifies as "strictly necessary" is debatable; a user can still use the app without it.

Practical GDPR Compliance

For most implementations:

  1. Document your processing in your privacy policy. Describe what data is collected, why, and for how long.
  2. Minimize data collection. If you use fingerprinting, collect only the attributes you need for matching. Delete match data after the attribution window closes (e.g., 24 hours).
  3. Set short retention periods. There is no reason to keep deferred link match data beyond a few days. Match it or discard it.
  4. Honor opt-outs. If a user opts out of tracking or analytics, do not perform fingerprint-based matching. Deterministic methods (Install Referrer, clipboard with consent) can still work.

Apple's App Tracking Transparency (ATT)

Does ATT Apply to Deferred Linking?

App Tracking Transparency (iOS 14.5+) requires user permission before an app can "track" the user across apps and websites. Apple's definition of tracking, from the App Store Review Guidelines:

"Tracking" refers to the act of linking user or device data collected from your app with user or device data collected from other companies' apps, websites, or offline properties for targeted advertising or advertising measurement purposes.

Key question: is deferred deep linking "tracking"?

If you use fingerprinting to connect a web click (on your website) to an app open (in your app), for routing purposes only (not advertising): Apple's guidelines suggest this is a gray area. The data comes from your own properties (your website, your app), which is "first-party" data. ATT is primarily about cross-company tracking.

If you use fingerprinting to attribute installs to ad campaigns run by third parties: This is clearly tracking under ATT. You need the user's permission via the ATT prompt.

If you use deterministic methods (clipboard, Install Referrer): These do not involve fingerprinting or cross-company data sharing. They are less likely to be considered tracking under ATT, but Apple's interpretation of clipboard access has tightened with each iOS release.

ATT and Clipboard Access

On iOS 16+, reading the clipboard triggers a system permission prompt. This is not the ATT prompt; it is a separate clipboard access prompt. But the combined UX of asking for paste permission and then potentially asking for ATT permission creates a poor first-launch experience.

Consider sequencing:

  1. App opens for the first time.
  2. Show an in-app explanation screen: "We'd like to take you to the content you were looking at."
  3. Trigger clipboard read (iOS shows paste permission prompt).
  4. If clipboard matching succeeds, route the user. Skip ATT prompt for now.
  5. If clipboard matching fails and you need fingerprint matching, show the ATT prompt (if your fingerprinting counts as tracking).

Apple's Enforcement

Apple has rejected apps that circumvent ATT using fingerprinting. If your deferred linking relies on fingerprinting and you do not show the ATT prompt, you risk App Store rejection. The safer approach: use deterministic methods (clipboard, deep link parameters) and treat fingerprinting as a last resort that requires ATT consent.

CCPA / CPRA

The California Consumer Privacy Act (as amended by CPRA) gives California residents the right to opt out of the "sale" or "sharing" of personal information. Under CPRA, "sharing" includes using personal information for cross-context behavioral advertising.

For deferred deep linking:

  • IP addresses and device identifiers are personal information under CCPA.
  • If you use deferred link data for advertising attribution (not just routing), it may constitute "sharing" under CPRA.
  • If you only use deferred link data for routing users to content (no ad attribution), it is less likely to be considered sharing.

Practical steps:

  • Honor the Global Privacy Control (GPC) signal. If the user's browser sends GPC=1, do not perform fingerprint-based matching.
  • Include deferred linking data processing in your CCPA/CPRA disclosures.
  • Allow users to opt out via your app's privacy settings.

Privacy-Friendly Deferred Linking Approaches

Approach 1: Platform APIs Only

Use only platform-provided deterministic APIs:

  • Android: Play Install Referrer API. No fingerprinting needed.
  • iOS: Clipboard with paste permission (iOS 16+). No fingerprinting.

This approach has the cleanest privacy profile. The tradeoff: lower match rates on iOS when users deny paste permission.

Approach 2: First-Party Fingerprinting with Consent

If your web property and app are both first-party:

  1. Collect device attributes at click time (on your website).
  2. On first app open, ask for consent before matching.
  3. If consent is granted, send device attributes to your server for matching.
  4. Delete match data after the attribution window.

This approach requires a consent mechanism in your app's first-launch flow.

Approach 3: Contextual Matching (No Personal Data)

Instead of identifying the device, pass context through the install flow:

  • Use UTM parameters in the app store URL to preserve campaign context (does not identify the user).
  • Use the Play Install Referrer to pass a deep link path (deterministic, no fingerprinting).
  • Accept that iOS installs without clipboard matching will lose deep link context.

This is the most privacy-conservative approach. Users who install from a deferred link on iOS may land on the home screen rather than the specific content, but no personal data is collected.
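An added example (not Tolinku's code and not from the original article) of keeping the Play Store referrer limited to deep link context, as described here and in the Install Referrer note earlier: fields are allowlisted when the link is built and again when the app receives the string. The function names, the field allowlist and the `com.example.app` package ID used with it are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, quote, urlencode

# Context only: a deep link path plus campaign labels. No user or device fields.
ALLOWED_KEYS = {"path", "utm_source", "utm_medium", "utm_campaign"}
PATH_RE = re.compile(r"/[A-Za-z0-9/_\-]{0,127}")
# No '@', '.', ':' or spaces: keeps e-mail and IP address shaped values out.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{1,64}")


def build_referrer(path, **campaign):
    """Web side: return the referrer value, or raise ValueError on other data."""
    if not PATH_RE.fullmatch(path):
        raise ValueError("path must be an app-relative deep link path")
    params = {"path": path}
    for key, value in campaign.items():
        if key == "path" or key not in ALLOWED_KEYS or not TOKEN_RE.fullmatch(value):
            raise ValueError(f"refusing referrer field {key!r}")
        params[key] = value
    return urlencode(params)


def play_store_url(package_id, referrer):
    """Embed the referrer, itself a query string, as one percent-encoded value."""
    return ("https://play.google.com/store/apps/details?id="
            + quote(package_id, safe="")
            + "&referrer=" + quote(referrer, safe=""))


def parse_referrer(referrer):
    """App side: keep only allowlisted, well-formed fields and drop the rest."""
    out = {}
    for key, value in parse_qsl(referrer):
        if key == "path":
            if PATH_RE.fullmatch(value):
                out[key] = value
        elif key in ALLOWED_KEYS and TOKEN_RE.fullmatch(value):
            out[key] = value
    return out
```

The key allowlist is the main control: a value pattern cannot tell a campaign label from an opaque user ID, so fields that could carry one are never accepted.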

Data Minimization Checklist

When implementing deferred deep linking, minimize your privacy footprint:

  • Collect only the data you need for matching. If IP + user agent gives you sufficient accuracy, do not also collect screen resolution, language, and timezone.
  • Set a short match window (1-24 hours). Delete unmatched click data when the window expires.
  • Do not log or store matched data beyond what is needed for the routing action. Once the user is routed, the match data has served its purpose.
  • Do not share deferred link match data with third parties unless explicitly consented to.
  • Store match data in memory or short-lived cache, not in a permanent database.
  • Use server-side matching rather than client-side, so the app never sees the raw fingerprint data from other users' clicks.
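An added example (not Tolinku's code and not from the original article) of a server-side click store that applies this checklist together with the opt-out, GPC and consent steps from the earlier sections. `ClickStore`, its method names and the keyed-digest step are assumptions of this example; `Sec-GPC: 1` is the request header that carries the GPC signal, and the IP address and user agent in any call are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time


class ClickStore:
    """In-memory store of pending deferred-link clicks (hypothetical helper)."""

    def __init__(self, window_seconds=24 * 3600, clock=time.time):
        self._key = secrets.token_bytes(32)  # per-process key, never persisted
        self._window = window_seconds        # match window; checklist says 1-24 hours
        self._clock = clock
        self._pending = {}                   # digest -> (deep_link_path, expires_at)

    def _digest(self, ip, user_agent):
        # Match on IP + user agent only. The keyed digest is pseudonymised data
        # (still personal data), but the raw values are never stored.
        msg = f"{ip}\n{user_agent.strip()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record_click(self, ip, headers, deep_link_path, opted_out=False):
        """Web side: remember a click. Returns False when matching is not allowed."""
        h = {k.lower(): v.strip() for k, v in headers.items()}
        if opted_out or h.get("sec-gpc") == "1":  # honor opt-outs and GPC
            return False
        self.purge_expired()
        expires_at = self._clock() + self._window
        digest = self._digest(ip, h.get("user-agent", ""))
        self._pending[digest] = (deep_link_path, expires_at)
        return True

    def match_first_open(self, ip, user_agent, consent_given):
        """App side: return the deep link path once, then forget the click."""
        self.purge_expired()
        if not consent_given:
            return None
        entry = self._pending.pop(self._digest(ip, user_agent), None)  # one-shot
        return entry[0] if entry else None

    def purge_expired(self):
        """Delete unmatched clicks whose match window has closed."""
        now = self._clock()
        for digest in [d for d, (_, exp) in self._pending.items() if exp <= now]:
            del self._pending[digest]

    def pending_count(self):
        return len(self._pending)
```

Because the app only ever receives a deep link path or nothing, it never sees attributes from other users' clicks.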

Tolinku's Approach

Tolinku's deferred deep linking is designed with privacy in mind. The platform uses deterministic methods (Play Install Referrer on Android, clipboard matching on iOS) as the primary matching strategy, with configurable fallback behavior. Match data is retained only for the configured attribution window and is automatically purged afterward.

For the technical details of matching methods, see fingerprinting vs. deterministic matching. For related privacy topics, see data privacy in deep linking. For the full deferred linking setup, see the Tolinku deferred deep linking documentation.
