ATT consent may satisfy the ePrivacy Directive (placing or retrieving device-specific info), but does not satisfy the GDPR. The law is clear that processing activities must each be specified, and the ATT bundles all things into their definition of 'tracking'. So if you use IDFA for ads and measurement, those should be 2 separate consents. If you add email - ad retargeting on top of that, it's a 3rd consent. For whatever reason, Apple has ignored the efforts of CMPs to offer apps these choices for years and provided no tools to integrate with the ATT - so there is a legal need for EU apps to have both a CMP in addition to the ATT to be truly compliant.