+4 votes

We were planning to not show the ATT prompt as the IDFA is irrelevant now and we rely on fingerprinting and 1st party data (emails). 

For the 1st party data, we were planning to collect opt-in consent as part of GDPR. 

I've seen the part below on Apple's site and I'm wondering if now we have to show both? Any advice would be more than welcome. 

From FAQ section here - https://developer.apple.com/app-store/user-privacy-and-data-use/

If I have not received permission from a user via the tracking permission prompt, can I use an identifier other than the IDFA (for example, a hashed email address or hashed phone number) to track that user?
No. You will need to receive the user’s permission through the AppTrackingTransparency framework to track that user.
by (160 points)

2 Answers

+1 vote
Keep in mind that ATT applies to advertising tracking. If you want to collect a user's email for the purposes of e.g. internal analytics or promotion (like sending them a welcome email, or sending them a special offer) then you're really only bound by GDPR constraints. Exposing the user to a GDPR consent form is probably more of a necessity than exposing them to an ATT prompt: you can skip the ATT prompt altogether if you don't plan to collect data for the purposes of ad tracking.

Note that fingerprinting is not allowed under iOS 14 guidelines if the user has not opted into ATT.
by (15.2k points)
Doesn't sending a user a promotion by email constitute a form of "advertising" where the identity is used, and so also require ATT consent?

ATT consent is only required when the collected email "is linked to data from other companies for targeted advertising or advertising measurement purposes." So you can email the users directly no problem, but you can't upload their email to Facebook to create lookalikes or retargeting campaigns. The boundary of "sharing with other companies" is the key distinction here.

ATT consent may satisfy the ePrivacy Directive (placing or retrieving device-specific info), but does not satisfy the GDPR. The law is clear that processing activities must each be specified, and the ATT bundles all things into their definition of 'tracking'. So if you use IDFA for ads and measurement, those should be 2 separate consents. If you add email - ad retargeting on top of that, it's a 3rd consent. For whatever reason, Apple has ignored the efforts of CMPs to offer apps these choices for years and provided no tools to integrate with the ATT - so there is a legal need for EU apps to have a CMP in addition to the ATT to be truly compliant.

0 votes

It depends on how you plan on using the email address collected for the user. The ATT guidelines require ATT permission for "tracking", and:

Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.

So if you are using the email address just to send them email or keep track of their data internally, that seems fine, but if you are linking the email with data collected from other companies then you need ATT approval.

If you are planning on uploading email addresses to Facebook or other ad companies for lookalikes or retargeting purposes, or basically giving the email address to any company outside your system, then you are in ATT territory.

Hope this helps!

by (230 points)