Re: Ad/marketing attribution, that's not necessary correct. If the data point that gets sent back to Facebook is a GUID type string that matches the GUID that got generated when you first clicked the Facebook ad for the app and doesn't include data about you specifically, I believe that's fine. I don't myself have up-to-date information what data Facebook receives via its SDK but I suspect it is GPDR compliant through such methods.
> matches the GUID that got generated when you first clicked the Facebook ad
Knowing Facebook, that GUID would surely be bound to the user, still leaking to Facebook that the user is now using the app.
An ad campaign ID (same for all ads of this format in this campaign) sent to the app developer (which can then aggregate them on their side and send the daily aggregated data to Facebook) would be better.
In the eyes of the law, how is storing and sending the guid later different from storing and sending a cookie?
Edit: the GPDR link specifically says identifier numbers are personal information, and I don’t see a carve out for allowing targeted marketing campaigns to use them to measure/improve targeting performance.
Sorry, use of the term GUID confused things - I meant that if an identifier string is generated when you click on the ad, and the purpose is to simply see if that identifier completes the app install and first use - that's not against GPDR. (In my head GUID means "unique identifier string".) Storing the GUID tells you nothing other than some device clicked on an ad and some device did or did not complete the app install.
GPDR specifically allows for anonymized/aggregated data on app usage or marketing feedback: https://gdpr.eu/eu-gdpr-personal-data/