GDPR has been around for a while and asking for consent to track data is a feature we now build into most apps and websites. However, in the recent iOS 14 tracking update, Apple has rolled out AppTrackingTransparency (ATT), a framework that places even higher demands on businesses wanting to track user data.
The new ATT framework asks the user for permission to track the data you want to collect on a ‘need to use’ basis. If, for example, you’d like to track the user on a specific page, iOS only asks permission when the user accesses this page. If a user does not give you permission to track personal data in the ATT dialog, you will not be allowed to track certain data.
Once we have permission, we can for example track a user’s advertisement interactions and use some of their personal data to personalize ads. However, under the GDPR, we still must respect the consent the user has (or has not) given. A user could permit tracking of certain data in ATT, but not, for some reason, consent to the use of this data in our GDPR permission form. The reverse is also true. If we have consent, but we don’t have permission to track, we still need to prevent tracking, as we are not permitted to track the user’s data.
In summary: to be able to track user data, we need both permission and consent. This makes getting the consent and permission flow right in our app very important. If we don’t, we might end up getting our app rejected, as Apple checks these scenarios carefully to protect their users’ privacy.
What does the new iOS tracking framework mean for your app?
It is up to the developer to incorporate consent and permission into the user experience in a way that benefits both the user and the distributor of the app. The first thing we could do is offer the user some convenient options when it comes to GDPR. Many users choose to just consent to all trackers at once, so we should offer that option. In addition, there should be options to deny all tracking or defer making a choice to a later time.
Even though only a small percentage of your users will choose to evaluate every tracker individually, you have no choice but to offer this option too.
So, for your app, there are four scenarios:
- The user hasn’t made a choice
- The user has denied any tracking
- The user has given consent to track everything
- The user has chosen a subset that is allowed to be tracked
It’s important to choose the correct flow in your application for every scenario:
The user has denied everything or hasn’t made a choice
These scenarios are similar, because when the user hasn’t made a choice, we do not have active consent, so we cannot track any data. It is up to the distributor and developer to decide whether they want to ask the user for consent again.
AppTrackingTransparency doesn’t come into play in these scenarios. No consent has been given, so none of your trackers should perform any tracking yet, and user permission is not needed.
In both these scenarios, we must disable all trackers that report user data. When a user changes their privacy settings inside the app, we need to update each tracker’s settings dynamically. Although this can sometimes be a challenge with older apps, most trackers do provide this functionality, even if it is sometimes well-hidden in the depths of the documentation.
The user has given consent to track everything
This is your distributor’s optimal scenario. The user feels secure enough with your app that they will allow you to track their data. This is also where Apple’s AppTrackingTransparency comes into play. Whether you need operating system-level permission for tracking depends on what you want to track and where it is stored. Any data that is used to build a profile, shared with a third party or used to identify an individual user requires AppTrackingTransparency permission. Data that is tracked anonymously only requires GDPR consent.
While for GDPR you can properly inform your user and ask for legal consent, Apple’s AppTrackingTransparency displays the same popup for all apps and unambiguously asks whether the user would like to share their data with third parties.
When a user fails to select ‘Allow’, this might mean that iOS will not let you use your Advertiser Identifier (ADID), meaning you cannot track certain data, even though you have legal consent from your user to do so.
The user has chosen a subset that is allowed to be tracked
This is where things get slightly more complex. Depending on the chosen subset, some trackers might need to be configured to send specific data only or no data at all, while other trackers will be allowed to function as normal. It’s important to store what subset is chosen for future use and to keep in mind that these choices might change along the way as the user reconfigures their settings. Depending on what tracker has been allowed to track, you might be confronted with Apple’s AppTrackingTransparency again.
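The four scenarios above, combined with the ATT check, can be reduced to one decision per tracker. The Swift sketch below is an added example, not code from the original article; the `GDPRConsent`, `Tracker`, `Decision`, `decide` and `apply` names and the `configure` hook are hypothetical, and it assumes a deployment target of iOS 14 or later.

```swift
import AppTrackingTransparency
import Foundation
// Hypothetical model of the four GDPR scenarios listed above.
enum GDPRConsent {
    case undecided, deniedAll, allowedAll
    case subset(Set<String>)  // ids of the trackers the user consented to
}

// Hypothetical: needsATT = profiling, third-party sharing or user identification.
struct Tracker { let id: String; let needsATT: Bool }
enum Decision { case disabled, enabled, needsATTPrompt }

func decide(_ tracker: Tracker, consent: GDPRConsent,
            att: ATTrackingManager.AuthorizationStatus) -> Decision {
    // 1. GDPR consent: "no choice yet" and "deny all" both mean no tracking.
    let consented: Bool
    switch consent {
    case .undecided, .deniedAll: consented = false
    case .allowedAll: consented = true
    case .subset(let ids): consented = ids.contains(tracker.id)
    }
    guard consented else { return .disabled }
    // 2. Anonymous tracking needs consent only.
    guard tracker.needsATT else { return .enabled }
    // 3. Everything else also needs ATT permission.
    switch att {
    case .authorized: return .enabled
    case .notDetermined: return .needsATTPrompt
    default: return .disabled  // denied, restricted, or a future status
    }
}

// Call on launch and whenever the user changes the in-app privacy settings.
// `configure` is a hypothetical hook that switches one tracker SDK on or off.
func apply(_ trackers: [Tracker], consent: GDPRConsent,
           configure: @escaping (Tracker, Bool) -> Void) {
    let status = ATTrackingManager.trackingAuthorizationStatus
    let decisions = trackers.map { ($0, decide($0, consent: consent, att: status)) }
    decisions.forEach { configure($0.0, $0.1 == .enabled) }
    // Show the system dialog only if a consented tracker actually requires it.
    guard decisions.contains(where: { $0.1 == .needsATTPrompt }) else { return }
    ATTrackingManager.requestTrackingAuthorization { newStatus in
        DispatchQueue.main.async {  // the handler may run off the main thread
            for (t, d) in decisions where d == .needsATTPrompt {
                configure(t, newStatus == .authorized)
            }
        }
    }
}
```

Calling `requestTrackingAuthorization` requires an `NSUserTrackingUsageDescription` entry in the app's Info.plist. Trackers waiting on the prompt stay disabled until the user answers it.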
iOS tracking and consent: just another hoop to jump through...
GDPR took quite a lot of work to implement and made data collection harder. Now, with the iOS update, we get yet another hoop to jump through if we want to collect user data. And it will probably not be the last one. But, if you know what you need to do, it is still possible to combine both data collection and an optimal user experience with legal compliance and solid technological implementation.