Earlier this year, Apple launched iOS 14.5 and introduced its App Tracking Transparency (ATT) requirements. Apple requires apps to use an ATT prompt to request permission from end users before tracking them and/or using an Identifier for Advertisers (IDFA). Considered the third-party cookie of mobile apps, IDFA is a familiar term for publishers, marketers, and app developers as it has been heavily relied upon to track end users across applications. Up until now, it’s fueled the personalization of third-party ads, analytics, measurement, and attribution.
These prompts are used in conjunction with the OneTrust consent management platform (CMP) to provide a unified consent experience to users. Additionally, OneTrust offer ATT pre-prompt functionally to educate the end user about the value of opting in for personalization reasons.
Do I need a CMP in addition to App Tracking Transparency (ATT) to be compliant?
Simply put, yes. The GDPR applies to applications that target or collect personal data from end users in the EU or EEA. GDPR consent must be freely given, specific, informed, unambiguous and able to be revoked. App Tracking Transparency does not fulfill all of the obligations to become compliant with GDPR and the ePrivacy directive. For example, the ATT prompt does not provide the user with granular choices. There are other activities, such as in-house analytics, that do not fit Apple’s definition of Tracking but may still require consent under the GDPR.
If you are targeting California residents, the CCPA requires businesses to give consumers certain information in a notice at collection, which must list categories of personal information and purposes for how the information will be used. It must additionally include a link to the businesses’ privacy policy with a “Do Not Sell” link for consumers to opt out of the sale of personal information.
OneTrust’s CMP enables businesses to scan for SDKs and IDFA, understand how apps are sharing data with other third-parties, configure a UI and pre-prompt to collect consent when needed, and build a centrally located, historical consent database to comply with regulations.
With a pre-prompt, ATT prompt and CMP, what should be the order of prompts?
Apple insists that the App Tracking Transparency prompt be surfaced before the OneTrust CMP banner. Prior to showing the user the ATT prompt, however, a pre-prompt can be displayed to give more details as to what the application is about to ask for. OneTrust provides pre-prompts out-of-the-box for this use case.
If CMP categories are dependent on the result of the user’s response to ATT (via purpose linking,) the CMP will open the ATT prompt after a selection on the banner if the user hasn’t already seen the prompt in their app journey.