App Tracking Transparency (iOS 14.5+)


Last updated 10 months ago

Starting with iOS 14.5 (April 2021) and the App Tracking Transparency (ATT) framework, Apple requires that your app provides transparency on the data that it uses and on the third parties that will track the user in your app.

Tracking and the use of the IDFA are subject to permission being obtained from the user. "Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers." (from Apple's guidelines).

ATT tracking permission

At the moment, the Didomi SDK does not request the ATT tracking permission from the user. It is the responsibility of the app to do so and to decide how the Didomi CMP and the ATT permission should coexist.

When and how to ask for the ATT permission?

To be fully compliant with both Apple and GDPR requirements, you must ask for the user permission through ATT AND ask for user consent through the CMP. Apple's ATT is not compliant with the IAB TCF or with GDPR requirements at the moment, so it cannot be used as the only consent-collection mechanism and must be used in conjunction with the Didomi CMP.

Recommended solutions

We recommend two options to combine the CMP and ATT:

Implementation 1: Ask permission via ATT then collect consent from the CMP if and only if the user has given permission via ATT

Pros/Cons:

This implementation allows the users to only be asked once if they do not give consent in ATT. It still requires users to be asked twice (ATT then CMP) for users who give consent but there is no way around this at the moment.

The main drawback of this solution is that a user who does not give consent to ATT is assumed to also not give consent to the CMP even though ATT and the CMP deal with different purposes and vendors. Your app would be extrapolating user choices from ATT (tracking via IDFA) to all other purposes. Whether that is acceptable or not is an app-specific choice.

In our experience, this implementation is the one that is the most accepted by Apple. This is our recommended implementation.

Implementation 2: Collect consent from the CMP then ask permission via ATT

Pros/Cons:

The main advantage of this implementation is that it allows the user to make different choices between the ATT tracking and other CMP purposes and vendors. It still requires users to be asked twice (CMP then ATT) but there is no way around this at the moment.

The ATT permission can also be collected at a later point in the user experience but your third-party vendors might not be able to operate if the IDFA is not available until the user has given permission.

Apple guidelines

  • Do not show the CMP after a user denies an ATT permission request. Apple considers that the CMP is asking the user to reconsider their decision in the ATT permission request. Similarly, avoid showing any message asking the user to reconsider their decision even if it is not the Didomi CMP.

  • If you show the ATT permission request after the CMP, do not allow the CMP to be closed without the user agreeing or disagreeing. If the CMP is allowed to be closed, this would delay the permission request which Apple does not accept after showing a custom message before the alert.

Can I use only ATT or only the Didomi CMP?

To the user, the CMP notice and the iOS ATT permissions alert might look like the app asking for the same permission twice with a slightly different UI. This is confusing and disappointing.

However, that is not true from a legal perspective:

  • The Didomi CMP covers the legal definition of collecting consent and helps with IAB TCF compliance as well.

Unfortunately, at the moment, these two definitions are not aligned. The ATT permission is not detailed enough to be considered legal under GDPR or compliant with the IAB TCF. As a result, the ATT permission cannot be used alone without a CMP. For apps to be compliant with GDPR and Apple's guidelines, app developers are forced to use disappointing combinations of consent notices and ATT permission, which leads to increased user confusion and poor user experience.

Didomi is in discussions with Apple, the IAB, and European DPAs to try to find common ground in the long term.

Does the Didomi SDK use the IDFA and require ATT permission?

Didomi uses its own random user ID that is specific to every app that the SDK is embedded in. This ID is not used for any user tracking and is only used for the purpose of consent management.

If an older version of the SDK is used on an iOS version that requires ATT then:

  • Consent will still be collected as usual and will be TCF compliant

  • Analytics in the Didomi Console will be correctly reported

  • Individual proof of consent will not be available as some users will not have an individual user ID

How does the ATT permission (or the lack thereof) impact third-party SDKs?

This depends on the third-party SDKs. Third-party SDKs that rely on the IDFA (advertising or analytics SDKs, for instance) will require the IDFA and might stop working if the user denies consent in the ATT prompt.

Check with your third-party SDK providers how they behave in that case and what they expect from the app.

Is ATT permission compliant with GDPR/CCPA/IAB TCF/CNIL/AEPD/BfDI/...?

ATT is an Apple-specific solution to collecting user consent to "tracking" with its own definition of what constitutes tracking and, more importantly, how consent should be collected and what valid consent is.

On its own, ATT is not compliant with the IAB TCF specifications and is unlikely to be considered a compliant way of collecting consent for data processing under GDPR or CCPA. It cannot be used as a replacement for a CMP for GDPR, CCPA, or IAB TCF compliance at the moment.

What happens if the customer gives consent in the Didomi CMP but rejects the ATT permission? (or the other way around)

The two are independent.

If the user rejects ATT, the behavior of apps and third-party SDKs that rely on IDFA will be impacted. The impact depends on what those apps and third-party SDKs are doing and needs to be assessed directly by the app developer with the SDK providers.
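Because the two choices are independent, an app that hands the IDFA to a third-party SDK has to check both of them. The following is an added example, not code from the Didomi documentation or SDK: the names IDFADecision, decideIDFA and currentIDFADecision are hypothetical, purposeId is a placeholder for the purpose your vendor relies on, and the code assumes that the purposes collection returned by getCurrentUserStatus() is a dictionary keyed by purpose ID.

```swift
import AdSupport
import AppTrackingTransparency
import Didomi

/// Why the advertising identifier is or is not handed to a third-party SDK.
/// (Hypothetical type, not part of the Didomi SDK.)
enum IDFADecision: Equatable {
    case allowed(UUID)
    case blockedByATT   // ATT not authorized (denied, restricted or not asked yet)
    case blockedByCMP   // no consent for the purpose in the Didomi CMP
    case unavailable    // the system returned the all-zero identifier
}

/// Pure decision logic, kept apart from the SDK calls so that it can be unit tested.
/// ATT and the CMP are independent: both must allow the use of the IDFA.
func decideIDFA(attAuthorized: Bool, cmpPurposeEnabled: Bool, idfa: UUID) -> IDFADecision {
    let zeroIDFA = UUID(uuidString: "00000000-0000-0000-0000-000000000000")
    guard attAuthorized else { return .blockedByATT }
    guard cmpPurposeEnabled else { return .blockedByCMP }
    guard idfa != zeroIDFA else { return .unavailable }
    return .allowed(idfa)
}

/// Reads the current ATT status and the Didomi consent status, then decides.
/// `purposeId` is a placeholder: pass the ID of the purpose your vendor relies on.
func currentIDFADecision(purposeId: String) -> IDFADecision {
    let attAuthorized: Bool
    if #available(iOS 14, *) {
        attAuthorized = ATTrackingManager.trackingAuthorizationStatus == .authorized
    } else {
        // No ATT before iOS 14: fall back to the legacy "Limit Ad Tracking" setting
        attAuthorized = ASIdentifierManager.shared().isAdvertisingTrackingEnabled
    }

    // Assumption: `purposes` is keyed by purpose ID. A purpose that is missing
    // from the status is treated as not consented.
    let purposes = Didomi.shared.getCurrentUserStatus().purposes
    let cmpPurposeEnabled = purposes[purposeId]?.enabled ?? false

    return decideIDFA(attAuthorized: attAuthorized,
                      cmpPurposeEnabled: cmpPurposeEnabled,
                      idfa: ASIdentifierManager.shared().advertisingIdentifier)
}
```

Call currentIDFADecision again whenever the consent status changes, since either of the two signals can change during the lifetime of the app.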

Why did Apple reject my app because of how I am asking for ATT permission?

We have seen Apple accept and reject apps for all combinations of ATT and CMP. We have also seen Apple accept and reject two apps with the same ATT/CMP configuration, or reject then accept a given app without any modifications.

It is hard to give definitive answers and guidelines at the moment as there is some unpredictability in Apple's validation process. It is likely that Apple is still fine-tuning its guidelines and acceptance criteria as ATT is a recent feature.

We will keep updating this page with more recommendations on how to integrate ATT and CMP consent notices.

Integrate the CMP notice and ATT permission

Show the CMP notice then the ATT permission if the user gives consent in the CMP notice

This sample shows how to:

  • Show the Didomi consent notice

  • Show the ATT permission request if and only if:

    • The iOS version is >= 14

    • The user gave consent to at least one purpose in the Didomi consent notice

The CMP consent notice will always be displayed and the ATT permission will not show if the user denies consent to all purposes in the Didomi consent notice. The ATT status will remain notDetermined.

import UIKit
import AdSupport
import AppTrackingTransparency
import Didomi // Provides Didomi.shared and EventListener

class ViewController: UIViewController {
    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        
        let didomiEventListener = EventListener()
        didomiEventListener.onConsentChanged = { event in
            // The consent status of the user has changed
            if #available(iOS 14, *) {
                if ATTrackingManager.trackingAuthorizationStatus == .notDetermined && Didomi.shared.getCurrentUserStatus().purposes.values.first(where: { $0.enabled }) != nil {
                    // Show the ATT permission request if the user has not made an ATT choice before AND the user gave consent to at least one purpose in the Didomi CMP
                    ATTrackingManager.requestTrackingAuthorization { status in }
                }
            }
        }
        Didomi.shared.addEventListener(listener: didomiEventListener)
        
        // Show the Didomi notice
        Didomi.shared.setupUI(containerController: self)
    }
}

Show the ATT permission then the CMP notice if the user accepts the ATT permission

This sample shows how to:

  • Show the ATT permission request if iOS >= 14

  • Show the Didomi consent notice if and only if:

    • The iOS version is < 14

The ATT permission request will always be displayed if it is not restricted. The Didomi consent notice will only be displayed if the user accepts the ATT permission OR the ATT permission cannot be displayed for any reason (restricted or iOS < 14).

import UIKit
import AdSupport
import AppTrackingTransparency
import Didomi // Provides Didomi.shared

class ViewController: UIViewController {
    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        
        if #available(iOS 14, *) {
            ATTrackingManager.requestTrackingAuthorization { status in
                // The completion handler may be called off the main thread, so dispatch the UI work to the main queue
                DispatchQueue.main.async {
                    switch status {
                        case .authorized:
                            // Show the Didomi CMP notice to collect consent from the user
                            Didomi.shared.setupUI(containerController: self)
                        case .denied:
                            // The user denied ATT permission, deny user consent for all purposes/vendors in the Didomi CMP as well
                            Didomi.shared.setUserDisagreeToAll()
                        case .restricted:
                            // ATT is restricted on the device so the user was not asked for a choice (https://developer.apple.com/documentation/apptrackingtransparency/attrackingmanager/authorizationstatus/restricted)
                            // Show the Didomi CMP notice to collect consent from the user
                            Didomi.shared.setupUI(containerController: self)
                        case .notDetermined:
                            // This is not supposed to happen
                            // Show the Didomi CMP notice to collect consent from the user
                            Didomi.shared.setupUI(containerController: self)
                    }
                }
            }
        } else {
            // Show the Didomi CMP notice to collect consent from the user as iOS < 14 (no ATT available)
            Didomi.shared.setupUI(containerController: self)
        }
    }
}

Your app must follow Apple's guidelines for disclosing the data collected by your app and asking for the user's permission for tracking. Permission for tracking on iOS can be asked by calling the ATTrackingManager.requestTrackingAuthorization function in your app.

According to Apple's guidelines, you must display the ATT tracking permission alert before trying to use the IDFA from the iOS device. If permission is not asked or if the user denies permission, the IDFA will not be available to your app and embedded third-party SDKs. Third-party SDKs might not be able to function properly in that case.

Apple also provides some guidelines on how the ATT permission should be integrated. The public guidelines lack specificity and we have seen Apple reject apps for various reasons. We recommend being careful about the following points:

  • If you show the ATT permission request after the CMP, always show the ATT permission irrespective of the user choice in the CMP. Apple considers the CMP as "custom messaging before the ATT alert" in that case and ATT must always be displayed. (See "Displaying Custom Messaging Before the Alert" on https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/accessing-user-data/)

Please read our section on integrating the CMP notice and ATT permission for code samples.

ATT is Apple's specific solution to collecting the user permission for Apple's definition of tracking: "Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers." (from https://developer.apple.com/app-store/user-privacy-and-data-use/)

Since version 1.48.2 (https://developers.didomi.io/cmp/mobile-sdk/ios/versions#1-48-2-april-2021) of our SDK, the Didomi SDK does not use the IDFA in any way and does not require the ATT permission. We recommend updating to that SDK version as soon as possible.

We have listed recommendations and guidelines from the Apple validation processes that our clients have been through in "When and how to ask for the ATT permission?". Following the guidelines will strongly help in avoiding rejection.

Feel free to reach out to our Support team at support@didomi.io to discuss your specific app if needed.

  • The user has not made an ATT permission choice before and the choice is not restricted (https://developer.apple.com/documentation/apptrackingtransparency/attrackingmanager/authorizationstatus/restricted)

  • The user accepted the ATT permission OR ATT is restricted (https://developer.apple.com/documentation/apptrackingtransparency/attrackingmanager/authorizationstatus/restricted)