If your app collects user data and shares it with third parties for tracking across apps or websites, you must use Apple’s App Tracking Transparency (ATT) framework.
The ATT framework shows a system prompt asking users for permission to track them. It also lets your app check the user’s tracking authorization status.
ATT does not equal GDPR compliance
ATT only covers Apple’s platform rules. It does not make your app compliant with privacy laws like the General Data Protection Regulation (GDPR).
To meet legal requirements, you also need a mobile consent solution (MSC).
In short:
- ATT handles Apple’s app store requirements.
- A mobile consent solution helps you comply with legal frameworks like GDPR and ePrivacy.
What happens when a user denies tracking in ATT
If the user declines tracking via the ATT prompt, iOS blocks access to the device’s advertising identifier.
This identifier is a unique, device-level ID used to:
- Track user behavior across apps (even when users aren’t logged in)
- Serve personalized ads
Advertisers use it to build profiles and deliver targeted advertising.
How to implement ATT and mobile consent solution together
Since both ATT and MCS are triggered by the developer, it’s up to them to implement the flow correctly. That is:
- Show the MCS (consent popup) first. This allows users to choose whether they agree to analytics or marketing purposes.
- Trigger the ATT prompt only if needed.
- Set the required system key. You must add the
NSUserTrackingUsageDescriptionkey to your app’sInfo.plist.
Without it:
- The app will crash when trying to show the ATT dialog.
- The App Store will reject your submission.
