{"id":1531,"date":"2026-06-21T09:00:00","date_gmt":"2026-06-21T14:00:00","guid":{"rendered":"https:\/\/tolinku.com\/blog\/?p=1531"},"modified":"2026-03-07T03:49:32","modified_gmt":"2026-03-07T08:49:32","slug":"privacy-changes-deep-linking","status":"publish","type":"post","link":"https:\/\/tolinku.com\/blog\/privacy-changes-deep-linking\/","title":{"rendered":"Privacy Changes and Their Impact on Deep Linking"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Privacy changes over the past few years have reshaped how deep linking and attribution work. Apple&#39;s App Tracking Transparency (ATT), Google&#39;s Privacy Sandbox, cookie deprecation in browsers, and evolving regulations like GDPR and state privacy laws all affect how deep links track user journeys from web to app.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The good news: deep linking itself (opening the right content in the right app) is unaffected by privacy changes. What has changed is the attribution layer that sits on top of deep links. This guide explains what changed, what still works, and how to adapt. For deep linking fundamentals, see <a href=\"https:\/\/tolinku.com\/blog\/deep-linking-and-privacy\/\">deep linking and privacy<\/a>. For deferred deep linking under ATT, see <a href=\"https:\/\/tolinku.com\/blog\/deferred-linking-and-att\/\">deferred deep linking and ATT<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Privacy Changes Affect Deep Linking<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Apple App Tracking Transparency (ATT)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Introduced in iOS 14.5, <a href=\"https:\/\/developer.apple.com\/documentation\/apptrackingtransparency\" rel=\"nofollow noopener\" target=\"_blank\">ATT<\/a> requires apps to ask permission before tracking users across apps and websites. The impact on deep linking:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>What still works:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Universal Links open the correct app and screen.<\/li>\n<li>First-party data (your own app, your own website) is unaffected.<\/li>\n<li>Deep link parameters (product ID, campaign name) pass through normally.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>What broke:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cross-app attribution without user consent.<\/li>\n<li>IDFA-based fingerprinting for deferred deep links.<\/li>\n<li>Matching a web click to an app install using device identifiers.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The opt-in rate for ATT is roughly 25-35% globally. For the 65-75% who decline, traditional attribution methods do not work.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Google Privacy Sandbox<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Google&#39;s <a href=\"https:\/\/privacysandbox.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Privacy Sandbox<\/a> replaces third-party cookies with privacy-preserving APIs:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Old Method<\/th>\n<th>Privacy Sandbox Replacement<\/th>\n<\/tr>\n<\/thead>\n<tbody><tr>\n<td>Third-party cookies<\/td>\n<td><a href=\"https:\/\/developer.chrome.com\/docs\/privacy-sandbox\/topics\/\" rel=\"nofollow noopener\" target=\"_blank\">Topics API<\/a><\/td>\n<\/tr>\n<tr>\n<td>Cross-site tracking<\/td>\n<td><a href=\"https:\/\/developer.chrome.com\/docs\/privacy-sandbox\/attribution-reporting\/\" rel=\"nofollow noopener\" target=\"_blank\">Attribution Reporting API<\/a><\/td>\n<\/tr>\n<tr>\n<td>Fingerprinting<\/td>\n<td><a href=\"https:\/\/developer.chrome.com\/docs\/privacy-sandbox\/user-agent\/\" rel=\"nofollow noopener\" target=\"_blank\">User-Agent reduction<\/a><\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">For deep linking, the most relevant change is the Attribution Reporting API, which provides aggregate attribution data instead of user-level tracking.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Browser Cookie Changes<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Safari (ITP), Firefox (ETP), and Chrome (Privacy Sandbox) all restrict third-party cookies:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Browser<\/th>\n<th>Status<\/th>\n<\/tr>\n<\/thead>\n<tbody><tr>\n<td>Safari<\/td>\n<td>Third-party cookies blocked since 2020 (ITP)<\/td>\n<\/tr>\n<tr>\n<td>Firefox<\/td>\n<td>Third-party cookies blocked by default (ETP)<\/td>\n<\/tr>\n<tr>\n<td>Chrome<\/td>\n<td>Third-party cookies being phased out via Privacy Sandbox<\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This affects deferred deep linking services that relied on cookies to match a web click to an app install.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Regulations<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Regulation<\/th>\n<th>Region<\/th>\n<th>Deep Link Impact<\/th>\n<\/tr>\n<\/thead>\n<tbody><tr>\n<td>GDPR<\/td>\n<td>EU\/EEA<\/td>\n<td>Consent required for tracking; deep link routing is fine<\/td>\n<\/tr>\n<tr>\n<td>CCPA\/CPRA<\/td>\n<td>California<\/td>\n<td>Opt-out rights for tracking; deep link routing unaffected<\/td>\n<\/tr>\n<tr>\n<td>DMA<\/td>\n<td>EU<\/td>\n<td>Interoperability requirements may affect platform APIs<\/td>\n<\/tr>\n<tr>\n<td>State privacy laws<\/td>\n<td>US (multiple)<\/td>\n<td>Various consent and opt-out requirements<\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Impact on Deferred Deep Linking<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">The Attribution Problem<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Deferred deep linking matches a web click to a subsequent app install. Before privacy changes, this worked via:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>IDFA\/GAID matching:<\/strong> Record the device ID on the web click, match it after install.<\/li>\n<li><strong>Fingerprinting:<\/strong> Use IP address, user-agent, screen size, and timestamps to probabilistically match.<\/li>\n<li><strong>Cookie matching:<\/strong> Store a cookie on the web visit, read it after install.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">All three methods are now restricted or broken.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What Still Works<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>First-party context passing:<\/strong> The deep link URL itself can carry context that does not require cross-app tracking:<\/p>\n\n\n\n<pre><code>https:\/\/links.yourapp.com\/products\/shoes?ref=blog-post-123&amp;campaign=summer\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">When the user installs and opens the app, the deferred deep link passes these parameters to the app. No cross-app tracking is involved; the parameters travel with the link itself.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Clipboard-based matching:<\/strong> Some deferred deep linking implementations use the clipboard. The web page copies a token to the clipboard; the app reads it on first launch. Apple restricted clipboard access in iOS 16 (users see a paste permission prompt), making this less reliable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>App Store referrer (Android):<\/strong> Google Play&#39;s <a href=\"https:\/\/developer.android.com\/google\/play\/installreferrer\/igetinstallreferrerservice\" rel=\"nofollow noopener\" target=\"_blank\">Install Referrer API<\/a> passes referral data through the install. This is first-party data from Google and is privacy-compliant:<\/p>\n\n\n\n<pre><code class=\"language-kotlin\">val referrerClient = InstallReferrerClient.newBuilder(context).build()\nreferrerClient.startConnection(object : InstallReferrerStateListener {\n    override fun onInstallReferrerSetupFinished(responseCode: Int) {\n        if (responseCode == InstallReferrerResponse.OK) {\n            val response = referrerClient.installReferrer\n            val referrerUrl = response.installReferrer\n            \/\/ referrerUrl contains UTM parameters from the deep link\n            handleDeferredDeepLink(referrerUrl)\n        }\n    }\n    override fun onInstallReferrerServiceDisconnected() {}\n})\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">SKAdNetwork (Apple)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Apple&#39;s <a href=\"https:\/\/developer.apple.com\/documentation\/storekit\/skadnetwork\" rel=\"nofollow noopener\" target=\"_blank\">SKAdNetwork<\/a> provides aggregate attribution data without user-level tracking. It tells you that a campaign drove installs, but not which specific user came from which specific click.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For deep linking, SKAdNetwork does not help with deferred deep linking (routing the user to specific content after install). It only provides aggregate campaign measurement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Adapting Your Deep Link Strategy<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Prioritize First-Party Data<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Build your attribution on data you own:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>UTM parameters in deep links:<\/strong> <code>?utm_source=email&amp;utm_campaign=summer<\/code><\/li>\n<li><strong>Server-side user matching:<\/strong> If the user logs in on the web and then logs in on the app, match via your own user ID.<\/li>\n<li><strong>QR code tracking:<\/strong> Each QR code has a unique URL that you control.<\/li>\n<li><strong>Referral codes:<\/strong> User-shared codes that track attribution without device tracking.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. Use Platform-Provided Attribution<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Both Apple and Google provide privacy-compliant attribution:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform<\/th>\n<th>API<\/th>\n<th>Data Level<\/th>\n<th>Privacy<\/th>\n<\/tr>\n<\/thead>\n<tbody><tr>\n<td>Apple<\/td>\n<td>SKAdNetwork 4.0<\/td>\n<td>Aggregate<\/td>\n<td>No user-level data<\/td>\n<\/tr>\n<tr>\n<td>Google<\/td>\n<td>Play Install Referrer<\/td>\n<td>User-level<\/td>\n<td>First-party Google data<\/td>\n<\/tr>\n<tr>\n<td>Google<\/td>\n<td>Attribution Reporting API<\/td>\n<td>Aggregate<\/td>\n<td>No cross-site tracking<\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">3. Implement Consent-Based Tracking<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For users who do consent (ATT opt-in, cookie consent), you can still use traditional attribution:<\/p>\n\n\n\n<pre><code class=\"language-swift\">import AppTrackingTransparency\n\nfunc requestTrackingPermission() {\n    ATTrackingManager.requestTrackingAuthorization { status in\n        switch status {\n        case .authorized:\n            \/\/ Full attribution with IDFA\n            enableFullAttribution()\n        case .denied, .restricted:\n            \/\/ First-party attribution only\n            enableFirstPartyAttribution()\n        case .notDetermined:\n            break\n        @unknown default:\n            break\n        }\n    }\n}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">4. Server-Side Attribution<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Move attribution logic from the client to the server:<\/p>\n\n\n\n<pre><code class=\"language-javascript\">\/\/ Server receives the deep link click\napp.get(&#39;\/link\/:token&#39;, async (req, res) =&gt; {\n  const clickId = generateClickId();\n  const { ip, userAgent, referrer } = req;\n\n  \/\/ Store click context (privacy-compliant, first-party data)\n  await storeClick({\n    clickId,\n    token: req.params.token,\n    timestamp: Date.now(),\n    referrer,\n    campaign: req.query.utm_campaign,\n    source: req.query.utm_source\n  });\n\n  \/\/ Pass clickId through the install flow\n  const appStoreUrl = buildAppStoreUrl({\n    clickId, \/\/ Android: passed via install referrer\n    campaign: req.query.utm_campaign\n  });\n\n  res.redirect(appStoreUrl);\n});\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Privacy-First Deep Link Architecture<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">The New Model<\/h3>\n\n\n\n<pre><code>Before privacy changes:\n  Click \u2192 Track device ID \u2192 Install \u2192 Match device ID \u2192 Attribute\n\nAfter privacy changes:\n  Click \u2192 Pass context via URL \u2192 Install \u2192 Read context from referrer\/link \u2192 Attribute\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The shift is from identifier-based matching to context-based matching. The deep link URL carries the attribution data directly, without relying on cross-app device identifiers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Consent Management<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Your deep link landing pages need consent management for GDPR and similar regulations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Show a consent banner on the landing page (not an interstitial that blocks content).<\/li>\n<li>Store consent preferences.<\/li>\n<li>Only fire tracking pixels and analytics after consent.<\/li>\n<li>The deep link itself (routing to the app) does not require consent since it is a functional feature, not tracking.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Tolinku and Privacy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/tolinku.com\/features\/deep-linking\">Tolinku<\/a> uses first-party data for deep link attribution. When a user clicks a Tolinku deep link, the attribution context travels with the URL parameters through the install flow, not through third-party cookies or device identifiers. Configure your attribution parameters in the <a href=\"https:\/\/tolinku.com\/docs\/concepts\/deep-linking\/\">Tolinku dashboard<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For more on privacy and deep linking, see <a href=\"https:\/\/tolinku.com\/blog\/deep-linking-and-privacy\/\">deep linking and privacy<\/a>. For the broader strategy, see <a href=\"https:\/\/tolinku.com\/blog\/future-mobile-deep-linking\/\">the future of mobile deep linking<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Navigate privacy regulation changes affecting deep linking. ATT, Privacy Sandbox, cookie deprecation, and their impact on link attribution.<\/p>\n","protected":false},"author":2,"featured_media":1530,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Privacy Changes and Their Impact on Deep Linking","rank_math_description":"Navigate privacy regulation changes affecting deep linking. ATT, Privacy Sandbox, cookie deprecation, and their impact on link attribution.","rank_math_focus_keyword":"privacy changes deep linking","rank_math_canonical_url":"","rank_math_facebook_title":"","rank_math_facebook_description":"","rank_math_facebook_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-privacy-changes-deep-linking.png","rank_math_facebook_image_id":"","rank_math_twitter_title":"","rank_math_twitter_description":"","rank_math_twitter_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-privacy-changes-deep-linking.png","footnotes":""},"categories":[11],"tags":[106,28,402,20,128,69,36,401],"class_list":["post-1531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-deep-linking","tag-att","tag-attribution","tag-cookies","tag-deep-linking","tag-gdpr","tag-mobile-development","tag-privacy","tag-privacy-sandbox"],"_links":{"self":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/comments?post=1531"}],"version-history":[{"count":4,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1531\/revisions"}],"predecessor-version":[{"id":2625,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1531\/revisions\/2625"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media\/1530"}],"wp:attachment":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media?parent=1531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/categories?post=1531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/tags?post=1531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}