Skip to content
Tolinku
Tolinku
Sign In Start Free
Deep Linking · · 5 min read

Privacy Changes and Their Impact on Deep Linking

By Tolinku Staff
|
Tolinku deep linking fundamentals dashboard screenshot for deep linking blog posts

Privacy changes over the past few years have reshaped how deep linking and attribution work. Apple's App Tracking Transparency (ATT), Google's Privacy Sandbox, cookie deprecation in browsers, and evolving regulations like GDPR and state privacy laws all affect how deep links track user journeys from web to app.

The good news: deep linking itself (opening the right content in the right app) is unaffected by privacy changes. What has changed is the attribution layer that sits on top of deep links. This guide explains what changed, what still works, and how to adapt. For deep linking fundamentals, see deep linking and privacy. For deferred deep linking under ATT, see deferred deep linking and ATT.

What Privacy Changes Affect Deep Linking

Apple App Tracking Transparency (ATT)

Introduced in iOS 14.5, ATT requires apps to ask permission before tracking users across apps and websites. The impact on deep linking:

What still works:

  • Universal Links open the correct app and screen.
  • First-party data (your own app, your own website) is unaffected.
  • Deep link parameters (product ID, campaign name) pass through normally.

What broke:

  • Cross-app attribution without user consent.
  • IDFA-based fingerprinting for deferred deep links.
  • Matching a web click to an app install using device identifiers.

The opt-in rate for ATT is roughly 25-35% globally. For the 65-75% who decline, traditional attribution methods do not work.

Google Privacy Sandbox

Google's Privacy Sandbox replaces third-party cookies with privacy-preserving APIs:

Old Method Privacy Sandbox Replacement
Third-party cookies Topics API
Cross-site tracking Attribution Reporting API
Fingerprinting User-Agent reduction

For deep linking, the most relevant change is the Attribution Reporting API, which provides aggregate attribution data instead of user-level tracking.

Safari (ITP), Firefox (ETP), and Chrome (Privacy Sandbox) all restrict third-party cookies:

Browser Status
Safari Third-party cookies blocked since 2020 (ITP)
Firefox Third-party cookies blocked by default (ETP)
Chrome Third-party cookies being phased out via Privacy Sandbox

This affects deferred deep linking services that relied on cookies to match a web click to an app install.

Regulations

Regulation Region Deep Link Impact
GDPR EU/EEA Consent required for tracking; deep link routing is fine
CCPA/CPRA California Opt-out rights for tracking; deep link routing unaffected
DMA EU Interoperability requirements may affect platform APIs
State privacy laws US (multiple) Various consent and opt-out requirements

Impact on Deferred Deep Linking

The Attribution Problem

Deferred deep linking matches a web click to a subsequent app install. Before privacy changes, this worked via:

  1. IDFA/GAID matching: Record the device ID on the web click, match it after install.
  2. Fingerprinting: Use IP address, user-agent, screen size, and timestamps to probabilistically match.
  3. Cookie matching: Store a cookie on the web visit, read it after install.

All three methods are now restricted or broken.

What Still Works

First-party context passing: The deep link URL itself can carry context that does not require cross-app tracking:

https://links.yourapp.com/products/shoes?ref=blog-post-123&campaign=summer

When the user installs and opens the app, the deferred deep link passes these parameters to the app. No cross-app tracking is involved; the parameters travel with the link itself.

Clipboard-based matching: Some deferred deep linking implementations use the clipboard. The web page copies a token to the clipboard; the app reads it on first launch. Apple restricted clipboard access in iOS 16 (users see a paste permission prompt), making this less reliable.

App Store referrer (Android): Google Play's Install Referrer API passes referral data through the install. This is first-party data from Google and is privacy-compliant:

val referrerClient = InstallReferrerClient.newBuilder(context).build()
referrerClient.startConnection(object : InstallReferrerStateListener {
    override fun onInstallReferrerSetupFinished(responseCode: Int) {
        if (responseCode == InstallReferrerResponse.OK) {
            val response = referrerClient.installReferrer
            val referrerUrl = response.installReferrer
            // referrerUrl contains UTM parameters from the deep link
            handleDeferredDeepLink(referrerUrl)
        }
    }
    override fun onInstallReferrerServiceDisconnected() {}
})

SKAdNetwork (Apple)

Apple's SKAdNetwork provides aggregate attribution data without user-level tracking. It tells you that a campaign drove installs, but not which specific user came from which specific click.

For deep linking, SKAdNetwork does not help with deferred deep linking (routing the user to specific content after install). It only provides aggregate campaign measurement.

1. Prioritize First-Party Data

Build your attribution on data you own:

  • UTM parameters in deep links: ?utm_source=email&utm_campaign=summer
  • Server-side user matching: If the user logs in on the web and then logs in on the app, match via your own user ID.
  • QR code tracking: Each QR code has a unique URL that you control.
  • Referral codes: User-shared codes that track attribution without device tracking.

2. Use Platform-Provided Attribution

Both Apple and Google provide privacy-compliant attribution:

Platform API Data Level Privacy
Apple SKAdNetwork 4.0 Aggregate No user-level data
Google Play Install Referrer User-level First-party Google data
Google Attribution Reporting API Aggregate No cross-site tracking

For users who do consent (ATT opt-in, cookie consent), you can still use traditional attribution:

import AppTrackingTransparency

func requestTrackingPermission() {
    ATTrackingManager.requestTrackingAuthorization { status in
        switch status {
        case .authorized:
            // Full attribution with IDFA
            enableFullAttribution()
        case .denied, .restricted:
            // First-party attribution only
            enableFirstPartyAttribution()
        case .notDetermined:
            break
        @unknown default:
            break
        }
    }
}

4. Server-Side Attribution

Move attribution logic from the client to the server:

// Server receives the deep link click
app.get('/link/:token', async (req, res) => {
  const clickId = generateClickId();
  const { ip, userAgent, referrer } = req;

  // Store click context (privacy-compliant, first-party data)
  await storeClick({
    clickId,
    token: req.params.token,
    timestamp: Date.now(),
    referrer,
    campaign: req.query.utm_campaign,
    source: req.query.utm_source
  });

  // Pass clickId through the install flow
  const appStoreUrl = buildAppStoreUrl({
    clickId, // Android: passed via install referrer
    campaign: req.query.utm_campaign
  });

  res.redirect(appStoreUrl);
});

The New Model

Before privacy changes:
  Click → Track device ID → Install → Match device ID → Attribute

After privacy changes:
  Click → Pass context via URL → Install → Read context from referrer/link → Attribute

The shift is from identifier-based matching to context-based matching. The deep link URL carries the attribution data directly, without relying on cross-app device identifiers.

Your deep link landing pages need consent management for GDPR and similar regulations:

  • Show a consent banner on the landing page (not an interstitial that blocks content).
  • Store consent preferences.
  • Only fire tracking pixels and analytics after consent.
  • The deep link itself (routing to the app) does not require consent since it is a functional feature, not tracking.

Tolinku and Privacy

Tolinku uses first-party data for deep link attribution. When a user clicks a Tolinku deep link, the attribution context travels with the URL parameters through the install flow, not through third-party cookies or device identifiers. Configure your attribution parameters in the Tolinku dashboard.

For more on privacy and deep linking, see deep linking and privacy. For the broader strategy, see the future of mobile deep linking.

Get deep linking tips in your inbox

One email per week. No spam.

Ready to add deep linking to your app?

Set up Universal Links, App Links, deferred deep linking, and analytics in minutes. Free to start.