AGS Logo Small

Be Cautious App Developers: ATT ≠ GDPR

by

Be cautious app developers ATT ≠ GDPR

Getting user consent through ATT may not satisfy the requirements for privacy laws like GDPR. For some this is obvious. But if it’s not obvious to you, you’re not alone.

Real quick, what’s ATT?

Apple’s new AppTrackingTransparency (ATT) framework. Per Apple requirements, all apps on the App Store must now use the AppTrackingTransparency framework to request users’ permission to track them or to access the IDFA (advertising identifier). ATT arrived with iOS 14.5 after lengthy anticipation, and its requirements apply to all apps on the App Store as of April 26, 2021.

And what’s GDPR?

The General Data Protection Regulation, arguably the most famous privacy and security law in the world. The GDPR is a legal framework that aims to protect the data privacy of individuals who live in the European Union (EU) and European Economic Area (EEA), and it imposes obligations onto organizations located anywhere (even outside Europe), so long as they target or collect data related to people in the EU.

According to Apple, ATT is meant to make the process of privacy protection more intuitive to consumers. So ATT’s and GDPR’s aims may share some similarities, but app developers should cautiously keep in mind that:

  • The requirements of ATT and GDPR are NOT the same
  • Complying with one DOES NOT guarantee your app is compliant with the other
  • It’s ultimately YOUR responsibility to make sure your app is compliant with both.

No Means No, But Does Yes Mean Yes?

One of the most important aspects of GDPR with respect to mobile apps is consent. Under GDPR, you must have a lawful basis to process personal data – and consent is a great one.

GDPR consent must be “freely given, specific, informed, and unambiguous.” For consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used, and why. The user must also be informed about his or her right to withdraw consent anytime. Plus, the consent needs to be bound to specific purposes which must then be sufficiently explained.

ATT is specifically focused on helping apps ask permission to “track” users or access their device’s advertising identifier. An example app-tracking authorization request looks like this:

ATT ≠ GDPR. ATT prompt example

Apple gives app developers that little bit of text in the middle – the NSUserTrackingUsageDescription (“Your data will be used to deliver personalized ads to you” in the example image) – to inform the user why the app is requesting permission to use data for tracking.

That’s not a ton of space to nail all the GDPR requirements of specific, informed, and unambiguous consent.

When you take into account other privacy laws like California’s CCPA, that in some cases might require an in-app just-in-time notice “containing a summary of the categories of personal information being collected and a link to the full notice at collection” – it gets even trickier for the ATT framework to cover all the bases.

Devan McCannel, ATT ≠ GDPR_pull-quote_1

There are tons of common use cases for which an app might want to process personal data – like adding the user’s email to your drip campaign, informing in-app functionality, or wireless analytics monetization – that don’t fall under “tracking”. There are also use cases Apple would consider tracking that it would be very difficult to specifically and unambiguously describe by GDPR measures using only the ATT prompt. And that’s why even apps that have started displaying the ATT prompt to users still continue to show in-app notice or pre-prompt screens similar to these:

In-app notice _ pre-prompt examples

What Apps Should Keep in Mind

Apple might want to control how certain permissions are requested (prepare to have your update rejected if you try to use words like Accept/Agree instead of Continue/Next on your pre-prompts), but claiming “Apple said so” will not make your app GDPR compliant.

There’s still considerable industry uncertainty surrounding how even Apple themselves will interpret the ATT guidelines, how apps will choose to display the ATT prompt, and how users will respond after they’ve seen these prompts for the umpteenth thousandth time.

Devan McCannel, ATT ≠ GDPR_pull-quote_2

Unfortunately, uncertainty is not an excuse for inaction, so apps should not take Apple’s word for privacy law compliance, and not take privacy law’s word for platform compliance.

As an app developer juggling ATT, GDPR, CCPA, and more, it’s likely in your best interest to:
  • Consult with legal counsel
  • Gain your own first-hand familiarity with Apple’s, GDPR’s, and CCPA’s guidelines
  • Include your own “pre-prompt” custom messaging before a permission alert to elegantly walk the tightrope between Apple’s and GDPR’s requirements
  • Consider diversifying your app into additional revenue sources, such as tracking-free monetization
  • When in doubt, always ask.

ATT, GDPR, CCPA comparison table

In Summary

I am not a lawyer and this is not legal advice. I’m also not the European Commission, or California’s Attorney General. And neither is Apple, and vice versa all the way round.

The ultimate aim is to create a safe and trusted experience for your users, and provide them with the transparency they deserve, so they can enjoy a more valuable experience with the app they love (but rules are rules, so be aware of what they are, and navigate with care along the way).

Devan McCannel

Devan McCannel, Head of App Partnerships, Tutela

Devan McCannel is Head of App Partnerships at Tutela, a Canadian company that helps app publishers earn ad-free revenue while respecting user privacy. Tutela helps apps and their users by finding areas with slow network speeds and then working with telecom companies to make sure improvements are focused on where they’re needed most. Outside of that you might find Devan training for ultramarathons (if it’s not too cold), cycling (if the Tour de France is on), or social distancing in beautiful Victoria, BC.
LinkedIn | Tutela Website

More App Growth Articles:

Why Transparency Should Be a Top Priority for Product and Marketing Teams

Why Transparency Should Be a Top Priority for Product and Marketing Teams

Read Article
App Growth Summit App Screenshot

Download The AGS Event Hub App

Connect, Organize and Network - All in One Place

Apple App Store Logo Google Play Logo

App Growth Summit Testimonials

Gonzalo Juarez

"The App Growth Summit is one of the most focused events I've ever participated in. It focuses on all the necessary topics you need to know to build or continue with your app business. It is by far one of the most useful conferences for mobile apps out there."

Gonzalo Juarez, eTips
Nicoline Strom-Jensen

"From start to finish I had a great experience being a speaker for AGS. The communication was just the right amount and the information shared in preparation was detailed and organized. The day of the event I felt prepared and supported. It was my first time speaking at a conference and I had a great deal of fun. It was an honor to participate and I would highly recommend speaking at AGS!"

Nicoline Strom-Jensen, Adjust