Background information
Apple’s App Tracking Transparency (ATT) framework and GDPR/ePrivacy Consent Management Platforms (CMPs) are separate consent mechanisms that serve different use cases. Apps need ATT consent for in-app tracking and for access to Apple’s Identifier for Advertising (IDFA), while they can use a CMP for legal compliance and, with TCF, for ad monetization.
While companies should always assess the applicable legal requirements in their jurisdiction, as well as Apple’s policies, we outline the relationship below, as this is a question customers frequently ask.
Background/Issue
Since iOS 14.5, Apple has required apps to obtain the user’s permission through ATT in order to track users or access their device’s IDFA.
This has caused misunderstandings among app publishers, because the relationship between the consent requirements of GDPR/ePrivacy and TCF on the one hand and the Apple ATT standard on the other has been unclear. This matters for apps because the consent rates for Apple ATT and for CMPs are very different. For app publishers working with ad monetization, the TCF consent signal can be very important.
Apple’s definition of tracking, under ATT
“Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.”
Apple’s guidelines
Apps are allowed to show the CMP, and Apple does not specify in its guidelines or FAQs whether the CMP should be shown before or after the ATT prompt.
If the CMP is shown after the ATT prompt and the user has rejected ATT, Apple states that the CMP should not ask again for consent to what Apple defines as tracking. However, Apple’s definition of tracking differs from those of GDPR, ePrivacy, and TCF. Therefore, showing the (TCF) CMP remains a valid use case. It is important that the app publisher respects the lack of access to the Apple IDFA and does not attempt to bypass it.
Without permission, it is not possible to access the Apple IDFA.
From Apple’s FAQ (March 2025)
- “if using user or device level identifiers (such as IDFA) for purposes of advertising, ad measurement or sharing with a data broker, consent must be obtained through AppTrackingTransparency (ATT)”
- You can include "screens" to comply with government regulations (such as ePrivacy and GDPR). However, your app must always respect the user’s response to the AppTrackingTransparency prompt, even if their response to other prompts conflicts. Guideline 5.1.1 (iv) states: “Apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access.”… You can use third-party Consent Management Platforms to add these permission requests, as long as no tracking takes place from such use.
This is primarily governed by section 5.1 of Apple’s App Review Guidelines.
How do the CMP and ATT intersect?
- Apple’s guidelines allow the use of CMPs and emphasize that apps remain responsible for legal compliance. ATT is a distinct framework and does not replace compliance with legal requirements.
- Apple does not specify whether the CMP message should be shown before or after the ATT prompt.
- A common approach is to show the CMP first, then ATT, and not to run any tracking technology until after both prompts, which establish the legal basis.
- There is no “communication” between the CMP and ATT, so each exists independently of the other, subject to the potential limits imposed by the other.
Location permissions through Apple and TCF
A frequently asked question concerns the combination of TCF’s Special Feature 1 (SF1), 'Use precise Geolocation data,' and Apple’s 'Location permission'. It is important to remember that Apple’s permissions and consents are not linked with the CMP, and therefore they work independently.
In this case, these outcomes could be expected:
- Consent to both the Location Permission and TCF's use of precise geolocation data: the data can be used for the consented purposes and is available through the app.
- Consent to only TCF's use of precise geolocation data: the use has user consent, but the data is not accessible in the app without the app permission and therefore would not be available.
- Consent to only the Location Permission: the data can be used only for the purposes governed by Apple’s policies, but not for TCF or as a legal basis.