feat(audience-sdk): tighten attribution consent tiers - idfa/gaid/installReferrer to Full-only (SDK-331)#756

Merged: nattb8 merged 1 commit into main from feat/sdk-331-tighten-attribution-consent on May 8, 2026

nattb8 (Collaborator) commented May 8, 2026

Summary

  • Re-tiers idfa, gaid, and installReferrer from CanTrack() (Anonymous+Full) to CanIdentify() (Full-only) - these are cross-app / campaign-source identifiers, same privacy class as userId
  • State-class properties attStatus, gaidLimitAdTracking, and skanRegistered remain at CanTrack() (Anonymous+Full) - they are non-identifying flags
  • The install_referrer_received sent-marker is not written when consent is Anonymous, so a later upgrade to Full fires the event on the next launch
  • Resolves the HIGH-severity consent finding Cursor flagged on the SDK-310 PR (intentionally deferred to this coordinated sweep)

Test plan

  • All existing attribution tests pass (updated consent tier)
  • New strip tests confirm attStatus/gaidLimitAdTracking ship at Anonymous while idfa/gaid are absent
  • New install-referrer Anonymous test confirms no event and no sent-marker at Anonymous
  • Upgrade test confirms event fires on first Full launch after an Anonymous launch

Closes SDK-331

🤖 Generated with Claude Code

@nattb8 nattb8 requested review from a team as code owners May 8, 2026 04:08
@nattb8 nattb8 force-pushed the feat/sdk-331-tighten-attribution-consent branch from 469039a to dc01e55 Compare May 8, 2026 04:35
@nattb8 nattb8 changed the title feat(audience-sdk): tighten attribution consent tiers — idfa/gaid/installReferrer to Full-only (SDK-331) feat(audience-sdk): tighten attribution consent tiers - idfa/gaid/installReferrer to Full-only (SDK-331) May 8, 2026
@cursor cursor Bot left a comment

Stale comment

Comment thread src/Packages/Audience/Runtime/ImmutableAudience.cs
…ferrer to Full-only (SDK-331)

idfa, gaid, and installReferrer are cross-app / campaign-source
identifiers in the same privacy class as userId. Previously they shipped
at Anonymous+Full (CanTrack); this sweep re-tiers them to Full-only
(CanIdentify), matching the existing userId gate.

State-class properties (attStatus, gaidLimitAdTracking, skanRegistered)
are non-identifying and remain at Anonymous+Full unchanged.

The install_referrer_received sent-marker is intentionally not written
when consent is Anonymous, so a later upgrade to Full can fire the event
on the next launch.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
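
The tiering described in the PR summary and commit message above, sketched as an added example (not the SDK's code and not part of this PR). `ConsentLevel`, `AttributionGate`, `Strip`, `TrySendInstallReferrer`, the in-memory marker and the fail-closed handling of unknown keys are assumptions; only `CanTrack()`, `CanIdentify()` and the property and event names come from the page.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical types. Only CanTrack()/CanIdentify() and the property and event
// names appear in the PR description; everything else is assumed for illustration.
public enum ConsentLevel { None, Anonymous, Full }
public static class ConsentExtensions
{
    public static bool CanTrack(this ConsentLevel c) => c != ConsentLevel.None;
    public static bool CanIdentify(this ConsentLevel c) => c == ConsentLevel.Full;
}
public sealed class AttributionGate
{
    // Identifier-class (cross-app / campaign-source): Full only.
    static readonly HashSet<string> IdentifierKeys = new HashSet<string> { "idfa", "gaid", "installReferrer" };
    // State-class (non-identifying flags): Anonymous and Full.
    static readonly HashSet<string> StateKeys = new HashSet<string> { "attStatus", "gaidLimitAdTracking", "skanRegistered" };
    bool _referrerSent; // in-memory stand-in for the persisted sent-marker

    public Dictionary<string, object> Strip(IDictionary<string, object> props, ConsentLevel consent)
    {
        var kept = new Dictionary<string, object>();
        foreach (var kv in props)
        {
            bool allowed = IdentifierKeys.Contains(kv.Key) ? consent.CanIdentify()
                : StateKeys.Contains(kv.Key) && consent.CanTrack(); // unknown keys fail closed (assumption)
            if (allowed) kept[kv.Key] = kv.Value;
        }
        return kept;
    }

    // True when install_referrer_received should be sent on this launch.
    public bool TrySendInstallReferrer(ConsentLevel consent)
    {
        if (!consent.CanIdentify() || _referrerSent) return false; // marker untouched below Full
        _referrerSent = true;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var gate = new AttributionGate();
        // Constructed sample values, not real identifiers.
        var props = new Dictionary<string, object> { ["idfa"] = "constructed-idfa", ["attStatus"] = "authorized" };
        Console.WriteLine(string.Join(",", gate.Strip(props, ConsentLevel.Anonymous).Keys));
        foreach (var c in new[] { ConsentLevel.Anonymous, ConsentLevel.Full, ConsentLevel.Full })
            Console.WriteLine($"{c}: send={gate.TrySendInstallReferrer(c)}");
    }
}
```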
@nattb8 nattb8 force-pushed the feat/sdk-331-tighten-attribution-consent branch from dc01e55 to 176076a Compare May 8, 2026 04:53
@nattb8 nattb8 merged commit 4017213 into main May 8, 2026
91 of 108 checks passed
@nattb8 nattb8 deleted the feat/sdk-331-tighten-attribution-consent branch May 8, 2026 06:45