IRCNF

Your Phone's Advertising ID Is Still Being Sold. These Are the Data Brokers Doing It.


In April 2021, Apple made App Tracking Transparency mandatory: apps must ask permission before accessing the IDFA (Identifier for Advertisers). Opt-in rates settled around 25% globally. Google announced a parallel Privacy Sandbox initiative for Android, moving to remove the GAID (Google Advertising ID) in a similar fashion. Privacy advocates called it a significant moment for mobile tracking. Three years later, the advertising identifier ecosystem has adapted rather than collapsed — and the data broker market for mobile identifiers is larger than it was before these changes, not smaller.

How Mobile Advertising IDs Work and Why They Matter

The IDFA and GAID are unique strings assigned to each mobile device, separate from hardware identifiers. They're designed to be resettable by users — but in practice, most users never reset them. The identifiers allow advertisers to track a user's behavior across multiple apps (where the developer has embedded the same SDK), attribute app installs to specific ads, and build cross-app behavioral profiles.

Unlike a cookie, which is browser-specific and device-specific, a mobile advertising ID persists across app reinstalls (until manually reset) and is accessible to any app the user installs that implements standard ad tracking SDKs. On iOS, pre-ATT, over 80% of apps accessed the IDFA routinely. Post-ATT, that dropped — but the apps that still receive consent form a dense network of highly engaged users who are more valuable per-identifier to advertisers, not less.

The Data Broker Market That ATT Created — Not Killed

Sensor Tower, a mobile intelligence company, published a report in Q4 2024 showing that the mobile advertising ID trading market reached $8.2 billion in 2024, up from $6.1 billion in 2020 — before ATT. The growth is counterintuitive until you understand the mechanism: ATT reduced the supply of opted-in iOS IDFAs, which increased their unit price. The remaining identifiers are from users who actively consented, making them higher quality leads worth more per-identifier.

The brokers operating in this market include names that most consumers have never heard of. Acxiom, a subsidiary of IPG, maintains profiles on approximately 700 million mobile devices globally, cross-referencing IDFAs and GAIDs with offline purchase data, location history, and demographic information purchased from retailers. Oracle Data Cloud (formerly Datalogix, acquired in 2014) maintains a similar scale database. LiveRamp's identity resolution platform processes over 160 billion cross-device identity matches per month according to their 2024 10-K filing.

What Data Brokers Actually Know From Your Identifier

A single advertising identifier in isolation contains no personal information — it's a random string like "A1B2C3D4-E5F6-7890-ABCD-EF1234567890". The value is what's attached to it through longitudinal data collection and cross-referencing. A typical broker profile linked to an IDFA includes: app usage patterns (which apps you use, for how long, at what times), location history at latitude/longitude precision from location SDK integrations, device type and operating system details, inferred demographics (age, gender, income bracket) from behavioral modeling, purchase intent signals from shopping app behaviors, and in some cases, health-related inferences from fitness and medical apps.

A study by Duke University's Sanford School of Public Policy published in February 2024 tested 12 major data brokers' data offerings. Researchers found that for $0.13 per record, they could purchase data files containing IDFA or GAID, geolocation history at 10-meter precision going back 12 months, and inferred attributes including "likely pregnant," "HIV-positive household," and "substance abuse treatment seeker" — all derived from location visits and app usage patterns. This data is sold without any consent mechanism beyond the buried data sharing clauses in apps' terms of service.

The SDKs That Enable This — Still in Millions of Apps

The data collection happens primarily through advertising and analytics SDKs that app developers embed to monetize their apps. The largest SDK networks by install base include Adjust (owned by AppLovin), AppsFlyer, Branch, and ironSource. These SDKs are present in hundreds of thousands of apps. When you open an app containing these SDKs, your IDFA is sent to the SDK provider's server, where it is matched against their cross-app identity graph.

Researchers at AppCensus (a mobile privacy audit firm) analyzed 25,000 iOS apps in 2024 and found that 63% contained at least one third-party SDK sending the IDFA off-device, even for apps that nominally support ATT. The mechanism: SDK providers found that many developers implement the ATT prompt incorrectly — or not at all — and the IDFA is transmitted regardless of user consent status. Apple's enforcement of ATT compliance in third-party SDK code is handled through App Store review, but the review process does not catch all violations, particularly those in SDKs that use dynamic code loading.
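One way to check for this behavior on a test device you control, as an added example that is not from the article or from any SDK vendor: the script scans proxy-captured request URLs for the device's advertising ID and labels each transmission by consent state. The hosts, parameter names and captured requests are constructed; the ID is the sample string quoted earlier, assumed to have been recorded while tracking was still allowed, and the all-zero value is what the OS returns once tracking is denied or the ID is deleted.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of proxy-captured requests from one test device: (ATT consent, URL).
# Hosts, parameter names and the capture itself are made up for illustration.
CAPTURED = [
    ("denied",  "https://sdk.tracker.example/v1/open?idfa=A1B2C3D4-E5F6-7890-ABCD-EF1234567890&os=ios"),
    ("denied",  "https://api.firstparty.example/feed?page=2"),
    ("denied",  "https://ads.example.net/e?ifa=00000000-0000-0000-0000-000000000000"),
    ("granted", "https://sdk.tracker.example/v1/open?device=a1b2c3d4-e5f6-7890-abcd-ef1234567890"),
]

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
ZERO_ID = "00000000-0000-0000-0000-000000000000"
FIRST_PARTY = {"api.firstparty.example"}  # assumption: the app's own backend hosts

def find_ad_ids(url):
    """Return (host, param, value) for every UUID-shaped query value in the URL.

    Matching on the value shape rather than the parameter name catches SDKs
    that send the identifier under a non-obvious key or in lowercase.
    """
    parts = urlsplit(url)
    return [(parts.hostname, k, v.upper())
            for k, v in parse_qsl(parts.query) if UUID_RE.match(v)]

def audit(captured, known_id):
    """Classify each UUID-shaped identifier seen leaving the device."""
    findings = []
    for consent, url in captured:
        for host, param, value in find_ad_ids(url):
            if value == ZERO_ID:
                verdict = "zeroed"                # opted-out placeholder, not trackable
            elif value != known_id.upper():
                verdict = "other-uuid"            # UUID-shaped, but not this device's ad ID
            elif host in FIRST_PARTY:
                verdict = "first-party"
            elif consent == "denied":
                verdict = "sent-without-consent"  # the case the audit is looking for
            else:
                verdict = "sent-with-consent"
            findings.append((host, param, verdict))
    return findings

if __name__ == "__main__":
    for row in audit(CAPTURED, "A1B2C3D4-E5F6-7890-ABCD-EF1234567890"):
        print(*row, sep="\t")
```

The check covers query strings only; identifiers sent in request bodies, or hashed before transmission, need the same comparison applied to the decoded body and to digests of the known ID.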

Google's Privacy Sandbox for Android: Delayed Again

Google announced in 2022 that Android would deprecate the GAID by 2024, replacing it with a Privacy Sandbox approach using Topics API (interest-based targeting without cross-app identifier sharing) and Attribution Reporting API (conversion measurement without user identification). The deprecation has been pushed back repeatedly. As of mid-2025, the GAID remains fully available on all Android devices. Google's stated timeline is now 2026 for "broader rollout" of Privacy Sandbox alternatives, with no firm GAID deprecation date.

The delay is partly technical (Privacy Sandbox alternatives perform worse for advertisers than GAID-based targeting in A/B tests, according to internal Google documents leaked in the DOJ's antitrust case) and partly commercial (Google faces significant pushback from its advertising ecosystem partners who depend on GAID for their businesses). The practical result: Android's 3 billion device user base remains fully tracked by default in 2025 and likely 2026.

Your Actual Options for Reducing Exposure

The privacy measures available to most users are meaningful but incomplete. On iOS, enabling "Limit Ad Tracking" in Settings > Privacy > Tracking (and denying all per-app tracking requests) prevents the IDFA from being shared with apps that correctly implement ATT. However, it does not prevent SDK vendors from using device fingerprinting — a technique that uses stable device attributes (screen resolution, iOS version, system font list, GPU model, battery capacity) to generate a probabilistic identifier that tracks like an IDFA but is not subject to ATT restrictions. Fingerprinting is technically prohibited by Apple's developer guidelines but remains in active use.

On Android, you can delete your GAID via Settings > Google > Ads > Delete advertising ID (Android 12+). On older Android versions, you can only reset it, not delete it. Using a VPN does not prevent IDFA or GAID sharing: the identifier is sent at the app layer, not the network layer. Browser-based privacy tools (ad blockers, tracker blockers) have no effect on mobile app tracking.

The Regulatory Landscape in 2025

GDPR enforcement on mobile advertising identifiers has been active. The French CNIL fined Google €150 million and Facebook €60 million in 2022 for making it harder to reject cookies than to accept them. The Irish DPC (which handles Google and Meta's EU GDPR cases) issued a €390 million fine against Meta in January 2023 for using personal data for behavioral advertising without valid consent. However, mobile advertising ID-specific enforcement has been limited — EU regulators have focused primarily on cookie consent, while mobile SDK tracking operates largely outside the current enforcement spotlight.

In the United States, there is no federal privacy law equivalent to GDPR. The California Privacy Rights Act (CPRA) technically covers mobile advertising IDs as personal information and gives California residents the right to opt out of their "sale." Several data brokers now offer California-specific opt-out mechanisms, but the process is fragmented — you must opt out from each broker individually, and there is no technical mechanism to enforce broker compliance with opt-out requests.

Actionable Steps

  • iOS: Review all app tracking permissions now. Go to Settings > Privacy & Security > Tracking. Any app listed with tracking enabled has received your IDFA. Disable for apps where tracking is not a core function (games, utilities, news apps).
  • Android: Delete your advertising ID. Settings > Google > Ads > Delete advertising ID. This replaces the GAID with all-zeros, blocking GAID-based tracking. Available on Android 12+.
  • Limit location access aggressively. Location data is the most valuable component of mobile advertising profiles. Set all non-navigation apps to "Only while using" or "Never" for location access. This limits the location history data brokers can purchase.
  • Submit opt-out requests to major brokers. Acxiom, Oracle Data Cloud, and LiveRamp all have consumer opt-out portals. The process is manual and tedious, but effective for removing the oldest data. Use DeleteMe or Privacy Bee services if you want automated broker opt-out management.
  • Be skeptical of "privacy-focused" apps using advertising SDKs. Before installing an app, check its App Store/Play Store privacy label for "Data Linked to You" entries. Apps claiming to be privacy tools that still show advertising identifier data in their privacy labels are contradicting themselves.