Privacy changes over the past few years have reshaped how deep linking and attribution work. Apple's App Tracking Transparency (ATT), Google's Privacy Sandbox, cookie deprecation in browsers, and evolving regulations like GDPR and state privacy laws all affect how deep links track user journeys from web to app.
The good news: deep linking itself (opening the right content in the right app) is unaffected by privacy changes. What has changed is the attribution layer that sits on top of deep links. This guide explains what changed, what still works, and how to adapt. For deep linking fundamentals, see deep linking and privacy. For deferred deep linking under ATT, see deferred deep linking and ATT.
What Privacy Changes Affect Deep Linking
Apple App Tracking Transparency (ATT)
Introduced in iOS 14.5, ATT requires apps to ask permission before tracking users across apps and websites. The impact on deep linking:
What still works:
- Universal Links open the correct app and screen.
- First-party data (your own app, your own website) is unaffected.
- Deep link parameters (product ID, campaign name) pass through normally.
What broke:
- Cross-app attribution without user consent.
- IDFA-based fingerprinting for deferred deep links.
- Matching a web click to an app install using device identifiers.
The opt-in rate for ATT is roughly 25-35% globally. For the 65-75% who decline, traditional attribution methods do not work.
Google Privacy Sandbox
Google's Privacy Sandbox replaces third-party cookies with privacy-preserving APIs:
| Old Method | Privacy Sandbox Replacement |
|---|---|
| Third-party cookies | Topics API |
| Cross-site tracking | Attribution Reporting API |
| Fingerprinting | User-Agent reduction |
For deep linking, the most relevant change is the Attribution Reporting API, which provides aggregate attribution data instead of user-level tracking.
Browser Cookie Changes
Safari (ITP), Firefox (ETP), and Chrome (Privacy Sandbox) all restrict third-party cookies:
| Browser | Status |
|---|---|
| Safari | Third-party cookies blocked since 2020 (ITP) |
| Firefox | Third-party cookies blocked by default (ETP) |
| Chrome | Third-party cookies being phased out via Privacy Sandbox |
This affects deferred deep linking services that relied on cookies to match a web click to an app install.
Regulations
| Regulation | Region | Deep Link Impact |
|---|---|---|
| GDPR | EU/EEA | Consent required for tracking; deep link routing is fine |
| CCPA/CPRA | California | Opt-out rights for tracking; deep link routing unaffected |
| DMA | EU | Interoperability requirements may affect platform APIs |
| State privacy laws | US (multiple) | Various consent and opt-out requirements |
Impact on Deferred Deep Linking
The Attribution Problem
Deferred deep linking matches a web click to a subsequent app install. Before privacy changes, this worked via:
- IDFA/GAID matching: Record the device ID on the web click, match it after install.
- Fingerprinting: Use IP address, user-agent, screen size, and timestamps to probabilistically match.
- Cookie matching: Store a cookie on the web visit, read it after install.
All three methods are now restricted or broken.
What Still Works
First-party context passing: The deep link URL itself can carry context that does not require cross-app tracking:
https://links.yourapp.com/products/shoes?ref=blog-post-123&campaign=summer
When the user installs and opens the app, the deferred deep link passes these parameters to the app. No cross-app tracking is involved; the parameters travel with the link itself.
Clipboard-based matching: Some deferred deep linking implementations use the clipboard. The web page copies a token to the clipboard; the app reads it on first launch. Apple restricted clipboard access in iOS 16 (users see a paste permission prompt), making this less reliable.
App Store referrer (Android): Google Play's Install Referrer API passes referral data through the install. This is first-party data from Google and is privacy-compliant:
val referrerClient = InstallReferrerClient.newBuilder(context).build()
referrerClient.startConnection(object : InstallReferrerStateListener {
override fun onInstallReferrerSetupFinished(responseCode: Int) {
if (responseCode == InstallReferrerResponse.OK) {
val response = referrerClient.installReferrer
val referrerUrl = response.installReferrer
// referrerUrl contains UTM parameters from the deep link
handleDeferredDeepLink(referrerUrl)
}
}
override fun onInstallReferrerServiceDisconnected() {}
})
SKAdNetwork (Apple)
Apple's SKAdNetwork provides aggregate attribution data without user-level tracking. It tells you that a campaign drove installs, but not which specific user came from which specific click.
For deep linking, SKAdNetwork does not help with deferred deep linking (routing the user to specific content after install). It only provides aggregate campaign measurement.
Adapting Your Deep Link Strategy
1. Prioritize First-Party Data
Build your attribution on data you own:
- UTM parameters in deep links:
?utm_source=email&utm_campaign=summer - Server-side user matching: If the user logs in on the web and then logs in on the app, match via your own user ID.
- QR code tracking: Each QR code has a unique URL that you control.
- Referral codes: User-shared codes that track attribution without device tracking.
2. Use Platform-Provided Attribution
Both Apple and Google provide privacy-compliant attribution:
| Platform | API | Data Level | Privacy |
|---|---|---|---|
| Apple | SKAdNetwork 4.0 | Aggregate | No user-level data |
| Play Install Referrer | User-level | First-party Google data | |
| Attribution Reporting API | Aggregate | No cross-site tracking |
3. Implement Consent-Based Tracking
For users who do consent (ATT opt-in, cookie consent), you can still use traditional attribution:
import AppTrackingTransparency
func requestTrackingPermission() {
ATTrackingManager.requestTrackingAuthorization { status in
switch status {
case .authorized:
// Full attribution with IDFA
enableFullAttribution()
case .denied, .restricted:
// First-party attribution only
enableFirstPartyAttribution()
case .notDetermined:
break
@unknown default:
break
}
}
}
4. Server-Side Attribution
Move attribution logic from the client to the server:
// Server receives the deep link click
app.get('/link/:token', async (req, res) => {
const clickId = generateClickId();
const { ip, userAgent, referrer } = req;
// Store click context (privacy-compliant, first-party data)
await storeClick({
clickId,
token: req.params.token,
timestamp: Date.now(),
referrer,
campaign: req.query.utm_campaign,
source: req.query.utm_source
});
// Pass clickId through the install flow
const appStoreUrl = buildAppStoreUrl({
clickId, // Android: passed via install referrer
campaign: req.query.utm_campaign
});
res.redirect(appStoreUrl);
});
Privacy-First Deep Link Architecture
The New Model
Before privacy changes:
Click → Track device ID → Install → Match device ID → Attribute
After privacy changes:
Click → Pass context via URL → Install → Read context from referrer/link → Attribute
The shift is from identifier-based matching to context-based matching. The deep link URL carries the attribution data directly, without relying on cross-app device identifiers.
Consent Management
Your deep link landing pages need consent management for GDPR and similar regulations:
- Show a consent banner on the landing page (not an interstitial that blocks content).
- Store consent preferences.
- Only fire tracking pixels and analytics after consent.
- The deep link itself (routing to the app) does not require consent since it is a functional feature, not tracking.
Tolinku and Privacy
Tolinku uses first-party data for deep link attribution. When a user clicks a Tolinku deep link, the attribution context travels with the URL parameters through the install flow, not through third-party cookies or device identifiers. Configure your attribution parameters in the Tolinku dashboard.
For more on privacy and deep linking, see deep linking and privacy. For the broader strategy, see the future of mobile deep linking.
Get deep linking tips in your inbox
One email per week. No spam.