Table of Contents
Q: Can I gate functionality on agreeing to allow tracking, or incentivize users to agree to allow tracking in the app tracking transparency prompt?
A: No, per the App Store Review Guidelines: 3.2.2 (vi).
Q: Can I explain to users why I would like permission to track them before I show the tracking permission prompt?
A: Yes, so long as you are transparent to users about your use of the data in your explanation. Per the App Store Review Guidelines: 5.1.1 (iv), apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access.
Q: If I have not received permission from a user via the tracking permission prompt, can I use an identifier other than the IDFA (for example, a hashed email address or hashed phone number) to track that user?
A: No. You will need to receive the user’s permission through the AppTrackingTransparency framework to track that user.
Q: If a user provides permission for tracking via a separate process on our website, but declines permission in the app tracking transparency prompt, can I track that user across apps and websites owned by other companies?
A: Developers must get permission via the app tracking transparency prompt for data that’s collected in the app and used for tracking. Data collected separately, outside of the app and not related to the app, is not in scope.
Q: Can I fingerprint or use signals from the device to try to identify the device or a user?
A: No. Per the Apple Developer Program License Agreement, you may not derive data from a device for the purpose of uniquely identifying it. Examples of user or device data include, but are not limited to: properties of a user’s web browser and its configuration, the user’s device and its configuration, the user’s location, or the user’s network connection. Apps that are found to be engaging in this practice, or that reference SDKs (including but not limited to Ad Networks, Attribution services and Analytics) that are, may be rejected from the App Store.
Q: I have integrated an SDK from another company. Am I responsible for the data collection and tracking of users of my app by that company?
A: Yes. Developers are responsible for all code included in their apps. If you are unsure about the data collection and tracking practices of code used in your app that you didn’t write, we suggest contacting the developer of the SDK.
Q: I have integrated single sign-on functionality provided by another company. Am I responsible for the data collection and tracking practices of that company?
A: Yes. Developers are responsible for all code included in their app, including single sign-on (SSO) functionality provided by third parties. If the user will be subject to tracking as a result of SSO functionality included in your app, you must use the app tracking transparency prompt to obtain permission from that user first.
Q: What kind of company constitutes a data broker?
A: Data brokers are defined by law in some jurisdictions. In general, a data broker is a company that regularly collects and sells, licenses, or otherwise discloses to third parties the personal information of particular end-users with whom the business does not have a direct relationship.
Q: What identifiers or data are governed by the “tracking” policy?
A: Any user or device level identifier that is used to join data from your app with data from third parties (including SDKs used in your app) for purposes of advertising or ad measurement or sharing with a data broker. This includes, but is not limited to, the device’s advertising identifier, session ID, fingerprint IDs, and device graph identifiers. If your app receives or shares any of these identifiers for the above listed purposes, you must use the AppTrackingTransparency framework to obtain user consent.