Mobile Advertising ID (MAID) data sits at the core of cross-device graphs, location analytics, and mobile attribution. It is also among the most scrutinized categories — FTC 2024 actions reset the procurement bar. Before licensing a MAID feed, work through five diligence questions. GSDSI's MAID Feed and Global Mobility are designed to clear this bar. Pair with MAID graph diligence, privacy-safe location buying, and seed match testing.
Request SDK version distribution and whether any sources are sideloaded, OEM-bundled, or web-only. Each path carries different consent and retention expectations. Federal buyers add OSINT / CAI diligence when feeds support government use cases.
Which apps or SDKs generate signals? Without a source-app list you cannot test the consent chain. A vendor who will not disclose sources is a first-order red flag. Request category-level source maps, subprocessor roles, and whether any sources are child-directed or sensitive-category heavy.
Map sources to your permitted-use matrix before any sample transfer. If the feed will join audience targeting or risk and fraud workflows, legal should sign off on source categories first.
Look for TCF-compliant consent management — not a checkbox buried in a 40-page policy. Request a consent-architecture diagram: user-facing opt-in → downstream permission for commercial feed inclusion. Cross-read consent TCF vs partner CMP for broker posture.
Ask for opt-in rates by major app category and how they trend post-ATT. Declining opt-in without panel methodology updates is a drift risk.
Feeds range from near-real-time to weeks stale. For CTV attribution and cross-channel measurement, intra-day to 24-hour latency is typical. For backtesting, 24–72 hours may suffice. Ten-plus days undermines optimization.
Contract median and P95 delays, refresh cadence, and remedies when SLAs miss. Tie freshness specs to enterprise pilot checklist acceptance.
Total device counts matter less than representativeness. Request DMA, state, and country tables. Urban-only panels break suburban retail reads. Compare coverage to U.S. Census anchors for sanity checks.
Run a seed match on your priority geographies before national rollout. See geo-panel audit for panel math.
Apple ATT already reshaped iOS panels. Google Privacy Sandbox will narrow Android MAID targeting over time. Ask for iOS vs Android split, methodology change logs, backup signals (CTV, web identity), and a written contingency if MAIDs deprecate further.
Vendors that treat these five questions as routine close faster. Defensive or vague answers on sourcing and consent tell you about supply durability. Scope POI data when visits are the outcome layer.
Add a sixth operational question in 2026: how do you propagate opt-outs and deletion requests from source apps to licensed exports within contractual SLAs? MAID feeds fail audits when deletion works in marketing slides but not in daily files. Request a tabletop: submit a test opt-out and trace removal timestamps across downstream aggregates.
Insist on incident playbooks: what happens when a source app is removed from app stores, when a CMP vendor changes strings, or when a regulator inquiries about a category. Playbooks matter as much as coverage tables in 2026 procurement. GSDSI documents incident contacts in sourcing methodology and buyer pilots via contact.
Federal and enterprise buyers cross-walk MAID diligence to state broker registration diligence and FTC sensitive location thresholds when location fields ride along with device IDs. Treat the MAID license as an identity program, not a single CSV — graph refresh, exclusions, and subprocessors belong in one packet.
Ask for subprocessor and reseller maps when MAID data passes through aggregators. Each hop needs notice and deletion flow-down. FTC location orders focused on opaque chains — treat maps as mandatory.
Request redacted sample deletion certificates from prior pilots. Certificates beat policy PDFs. If none exist, run your own deletion test before enterprise rollout.
Compare MAID feeds to identity graph products: feeds supply identifiers; graphs supply resolution. Document which system wins when mappings conflict in your warehouse.
Budget for panel attrition in 2026–2027 scenarios. Vendors diversified into CTV and web identity score higher on resilience than single-lane mobile SDK shops.
Run a latency drill: submit a synthetic event or request a timestamped sample path from collection to delivery. Vendors that cannot produce timestamps per row are not ready for attribution SLAs. Pair drill results with CTV attribution requirements when TV is in the mix.
Ask whether location fields are optional modules or bundled by default. Bundled location without exclusions is a 2026 red flag under FTC-sensitive-place precedent. If location ships, require polygon exclusions and precision caps in writing before the MAID license starts.
Enterprise security questionnaires often duplicate these five questions — maintain one master answer library tied to MAID Feed specs so sales engineering does not improvise under deadline.
When MAID is combined with Global Mobility, require a joint exclusion map and a joint deletion SLA — two licenses with two deletion paths create operational gaps.
Procurement teams can embed these five questions as mandatory rows in the master data RFP template so every identity, mobility, and attribution vendor answers the same way. Standard answers speed legal review and make bake-offs comparable. Attach the RFP scorecard so latency and governance weights sit beside sourcing responses.
Operationally, assign a single owner for vendor evidence, refresh calendars, and committee scorecards so procurement, legal, and analytics do not maintain three conflicting versions of the same feed specs. The owner publishes monthly status: match stability, schema version, open incidents, and upcoming methodology reviews. That rhythm prevents the six-week surprise where production diverges from the pilot without anyone noticing. Tie the owner’s checklist to pilot process and sourcing methodology so external auditors and enterprise buyers see the same story in diligence packets and on the public site.
Operationally, assign a single owner for vendor evidence, refresh calendars, and committee scorecards so procurement, legal, and analytics do not maintain three conflicting versions of the same feed specs. The owner publishes monthly status: match stability, schema version, open incidents, and upcoming methodology reviews. That rhythm prevents the six-week surprise where production diverges from the pilot without anyone noticing. Tie the owner’s checklist to pilot process and sourcing methodology so external auditors and enterprise buyers see the same story in diligence packets and on the public site.
Operationally, assign a single owner for vendor evidence, refresh calendars, and committee scorecards so procurement, legal, and analytics do not maintain three conflicting versions of the same feed specs. The owner publishes monthly status: match stability, schema version, open incidents, and upcoming methodology reviews. That rhythm prevents the six-week surprise where production diverges from the pilot without anyone noticing. Tie the owner’s checklist to pilot process and sourcing methodology so external auditors and enterprise buyers see the same story in diligence packets and on the public site.
Operationally, assign a single owner for vendor evidence, refresh calendars, and committee scorecards so procurement, legal, and analytics do not maintain three conflicting versions of the same feed specs. The owner publishes monthly status: match stability, schema version, open incidents, and upcoming methodology reviews. That rhythm prevents the six-week surprise where production diverges from the pilot without anyone noticing. Tie the owner’s checklist to pilot process and sourcing methodology so external auditors and enterprise buyers see the same story in diligence packets and on the public site.