Be Cautious App Developers: ATT ≠ GDPR
Getting user consent through ATT may not satisfy the requirements for privacy laws like GDPR. For some this is obvious. But if it’s not obvious to you, you’re not alone.
Real quick, what’s ATT?
Apple’s new AppTrackingTransparency (ATT) framework. Under Apple’s requirements, every app on the App Store must now use the AppTrackingTransparency framework to ask users for permission before tracking them or reading the IDFA (the device’s advertising identifier); if the user declines, the IDFA the app receives is all zeros. ATT arrived with iOS 14.5 after lengthy anticipation, and its requirements apply to all apps on the App Store as of April 26, 2021.
And what’s GDPR?
The General Data Protection Regulation, arguably the most famous privacy and security law in the world. The GDPR is a legal framework that aims to protect the data privacy of individuals who live in the European Union (EU) and European Economic Area (EEA), and it imposes obligations onto organizations located anywhere (even outside Europe), so long as they target or collect data related to people in the EU.
According to Apple, ATT is meant to make the process of privacy protection more intuitive to consumers. So ATT’s and GDPR’s aims may share some similarities, but app developers should cautiously keep in mind that:
- The requirements of ATT and GDPR are NOT the same
- Complying with one DOES NOT guarantee your app is compliant with the other
- It’s ultimately YOUR responsibility to make sure your app is compliant with both.
No Means No, But Does Yes Mean Yes?
One of the most important aspects of GDPR with respect to mobile apps is consent. Under GDPR, you must have a lawful basis to process personal data. Article 6 recognizes six of them, and consent is the one most apps reach for.
GDPR consent must be “freely given, specific, informed, and unambiguous.” For consent to be informed and specific, the data subject must at least be told who the controller is, what kind of data will be processed, how it will be used, and why. The user must also be informed of their right to withdraw consent at any time. Plus, the consent needs to be bound to specific purposes, each of which must be sufficiently explained.
ATT is specifically focused on helping apps ask permission to “track” users or access their device’s advertising identifier. An example app-tracking authorization request looks like this:
Apple gives app developers that little bit of text in the middle – the NSUserTrackingUsageDescription string from the app’s Info.plist (“Your data will be used to deliver personalized ads to you” in the example image) – to tell the user why the app is requesting permission to track. That string is the only part of the system alert the developer controls; the title and the Allow / Ask App Not to Track buttons are Apple’s.
That’s not a ton of space to nail all the GDPR requirements of specific, informed, and unambiguous consent.
When you take into account other privacy laws like California’s CCPA, which in some cases may require an in-app just-in-time notice “containing a summary of the categories of personal information being collected and a link to the full notice at collection,” it gets even trickier for the ATT prompt alone to cover all the bases.
There are tons of common use cases for which an app might want to process personal data – like adding the user’s email to your drip campaign, informing in-app functionality, or wireless analytics monetization – that don’t fall under Apple’s definition of “tracking” (linking user or device data collected in your app with data from other companies’ apps, websites, or offline properties for targeted advertising or ad measurement, or sharing it with a data broker). There are also use cases Apple would consider tracking that would be very difficult to describe specifically and unambiguously, as GDPR demands, using only the ATT prompt. And that’s why even apps that have started displaying the ATT prompt still continue to show their own in-app notice or pre-prompt screens similar to these:
What Apps Should Keep in Mind
Apple might want to control how certain permissions are requested (expect a rejected update if your pre-prompt uses words like Accept/Agree instead of Continue/Next), but claiming “Apple said so” will not make your app GDPR compliant.
There’s still considerable industry uncertainty about how Apple itself will interpret the ATT guidelines, how apps will choose to display the ATT prompt, and how users will respond once they’ve seen these prompts for the umpteenth time.
Unfortunately, uncertainty is not an excuse for inaction. Apps should not take Apple’s word for privacy-law compliance, nor take privacy law’s word for platform compliance.
As an app developer juggling ATT, GDPR, CCPA, and more, it’s likely in your best interest to:
- Consult with legal counsel
- Gain your own first-hand familiarity with Apple’s, GDPR’s, and CCPA’s guidelines
- Include your own “pre-prompt” custom messaging before a permission alert to elegantly walk the tightrope between Apple’s and GDPR’s requirements
- Consider diversifying your app into additional revenue sources, such as tracking-free monetization
- When in doubt, always ask.
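To make the “pre-prompt, then ATT alert, then your own consent record” pattern concrete, here is an added example in Swift. It is not the author’s code and not Apple’s sample code. It assumes iOS 14.5 or later, that the app’s Info.plist carries NSUserTrackingUsageDescription (Apple will not show the alert without it), and that it is called while the app is in the foreground. The controller name “Example Co.”, the purpose strings, and the type names GDPRConsent and TrackingPermission are assumptions made up for this example. The point it demonstrates: the ATT alert answers one narrow platform question, while the GDPR details (controller, purposes, right to withdraw) live in your own pre-prompt and consent record, and the IDFA is only read when both say yes.

```swift
import AppTrackingTransparency
import AdSupport
import UIKit

/// The app's own consent record. ATT does not store any of this, so the app must.
/// Purpose strings are assumptions for the example; a real app would use the
/// purposes named in its privacy notice.
struct GDPRConsent {
    let controller: String        // who is asking ("informed" requires this)
    let purposes: Set<String>     // what the consent is bound to ("specific")
    let grantedAt: Date
    var withdrawnAt: Date? = nil  // the right to withdraw at any time

    func covers(_ purpose: String) -> Bool {
        withdrawnAt == nil && purposes.contains(purpose)
    }
}

@available(iOS 14, *)
enum TrackingPermission {
    static let allZeroIDFA = "00000000-0000-0000-0000-000000000000"

    /// Shows the app's own pre-prompt, then the ATT system alert.
    /// Button label is "Continue", not "Allow"/"Accept": the system alert is the only
    /// place the user actually grants ATT permission, and Apple reviews pre-prompts for this.
    static func requestAfterPrePrompt(from presenter: UIViewController,
                                      completion: @escaping (ATTrackingManager.AuthorizationStatus) -> Void) {
        let current = ATTrackingManager.trackingAuthorizationStatus
        // iOS shows the alert only once; afterwards the user changes it in Settings > Privacy > Tracking.
        guard current == .notDetermined else { completion(current); return }
        // If the app is not active, iOS may return without showing the alert at all.
        guard UIApplication.shared.applicationState == .active else { completion(current); return }

        let prePrompt = UIAlertController(
            title: "Before we ask iOS for permission",
            message: "Example Co. (the data controller) would like to use your device's advertising "
                   + "identifier to show you personalised ads and measure ad campaigns. "
                   + "You can withdraw this at any time in Settings > Privacy > Tracking.",
            preferredStyle: .alert)
        prePrompt.addAction(UIAlertAction(title: "Continue", style: .default) { _ in
            ATTrackingManager.requestTrackingAuthorization { status in
                DispatchQueue.main.async { completion(status) }   // callback may arrive off-main
            }
        })
        presenter.present(prePrompt, animated: true)
    }

    /// Returns the IDFA only when BOTH the platform permission and the app's own
    /// GDPR consent for the named purpose are in force; otherwise nil.
    static func idfa(for purpose: String, consent: GDPRConsent?) -> UUID? {
        guard let consent = consent, consent.covers(purpose) else { return nil }       // GDPR side
        guard ATTrackingManager.trackingAuthorizationStatus == .authorized else { return nil } // ATT side
        let id = ASIdentifierManager.shared().advertisingIdentifier
        // Defensive: when tracking is not authorised iOS hands back an all-zero identifier.
        return id.uuidString == allZeroIDFA ? nil : id
    }
}

// Usage, e.g. from a view controller once the UI is on screen:
//
// var consent: GDPRConsent? = nil   // populated from your own consent screen / storage
// TrackingPermission.requestAfterPrePrompt(from: self) { status in
//     if status == .authorized {
//         consent = GDPRConsent(controller: "Example Co.",
//                               purposes: ["personalised_ads", "campaign_measurement"],
//                               grantedAt: Date())
//     }
//     let id = TrackingPermission.idfa(for: "personalised_ads", consent: consent)
//     // nil here means: do not send the IDFA to any ad or measurement partner
// }
```

Two design notes. First, the example uses a UIAlertController for the pre-prompt only to stay short; Apple’s guidance favours a custom screen that does not resemble the system alert, and a custom screen also gives you room for the CCPA-style summary and link to the full notice. Second, denial is recorded by keeping `idfa(for:consent:)` returning nil rather than by remembering a boolean somewhere else: every code path that wants the identifier has to go through the same check, so a later “just this once” call cannot bypass either the ATT status or the GDPR record.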
In Summary
I am not a lawyer and this is not legal advice. I’m also not the European Commission, or California’s Attorney General. And neither is Apple, and vice versa all the way round.
The ultimate aim is to create a safe and trusted experience for your users and to give them the transparency they deserve, so they can enjoy a more valuable experience with the apps they love. But rules are rules, so know what they are and navigate with care along the way.