Why you need a CMP alongside Apple ATT

August 26, 2021


Earlier this year, Apple launched iOS 14.5 and introduced its App Tracking Transparency (ATT) requirements. Apple requires apps to use an ATT prompt to request permission from end users before tracking them and/or using an Identifier for Advertisers (IDFA). Considered the third-party cookie of mobile apps, IDFA is a familiar term for publishers, marketers, and app developers as it has been heavily relied upon to track end users across applications. Up until now, it’s fueled the personalization of third-party ads, analytics, measurement, and attribution.   

These prompts are used in conjunction with the OneTrust consent management platform (CMP) to provide a unified consent experience to users. Additionally, OneTrust offers ATT pre-prompt functionality to educate the end user about the value of opting in for personalization reasons.

Do I need a CMP in addition to App Tracking Transparency (ATT) to be compliant? 

Simply put, yes. The GDPR applies to applications that target or collect personal data from end users in the EU or EEA. GDPR consent must be freely given, specific, informed, unambiguous and able to be revoked. App Tracking Transparency does not fulfill all of the obligations to become compliant with GDPR and the ePrivacy directive. For example, the ATT prompt does not provide the user with granular choices. There are other activities, such as in-house analytics, that do not fit Apple’s definition of Tracking but may still require consent under the GDPR.  

If you are targeting California residents, the CCPA requires businesses to give consumers certain information in a notice at collection, which must list categories of personal information and purposes for how the information will be used. It must additionally include a link to the business’s privacy policy with a “Do Not Sell” link for consumers to opt out of the sale of personal information.

OneTrust’s CMP enables businesses to scan for SDKs and IDFA, understand how apps are sharing data with third parties, configure a UI and pre-prompt to collect consent when needed, and build a centrally located, historical consent database to comply with regulations.

With a pre-prompt, ATT prompt and CMP, what should be the order of prompts? 

Apple insists that the App Tracking Transparency prompt be surfaced before the OneTrust CMP banner. Prior to showing the user the ATT prompt, however, a pre-prompt can be displayed to give more details as to what the application is about to ask for. OneTrust provides pre-prompts out-of-the-box for this use case. 

If CMP categories are dependent on the result of the user’s response to ATT (via purpose linking), the CMP will open the ATT prompt after a selection on the banner if the user hasn’t already seen the prompt in their app journey.


Image of 4 phone screens showing a user opening consent preference center


Best practices for ATT pre-prompts 

The pre-prompt is to educate the end user rather than offering a choice  

This is most easily achieved by making sure that your pre-prompt’s call to action is something that doesn’t indicate a choice, such as “Continue.” Having a “Not Now” and/or “Accept” button is often grounds for rejection during the App Store Review Process. 

If the end user asks the app not to track, the application cannot ask them to change that choice 

The ATT prompt can only be shown once. OneTrust includes logic to only show the pre-prompt if the ATT prompt hasn’t ever been seen before to help ensure that end users are not prompted multiple times. Explicitly requesting that a user change their consent after it has already been indicated is also a reason that applications get rejected during the review process. 

Purpose linking 

It’s very likely that one or more of the categories in your CMP preference center fall under the definition of Tracking. In order to allow an end user to make granular tracking choices while still respecting their response to the ATT prompt, OneTrust provides out-of-the-box purpose linking. When an end user responds to the ATT prompt, OneTrust automatically updates the settings for every linked category, even when several categories are linked.
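The prompt order and purpose linking described above can be sketched against Apple's AppTrackingTransparency framework. This is an added example, not OneTrust SDK code: `ConsentStore`, the category IDs, and the `showPrePrompt` / `showCMPBanner` hooks are hypothetical, and it assumes the conservative policy that an ATT denial forces linked categories off while an ATT grant leaves them to the user's CMP choice.

```swift
import AppTrackingTransparency
import Foundation

// Hypothetical app-side consent store; the category IDs are constructed for this example.
@available(iOS 14, *)
final class ConsentStore {
    // Categories the app has linked to ATT because they meet Apple's definition of tracking.
    let attLinkedCategories: Set<String> = ["targeting_ads", "cross_app_measurement"]
    private(set) var granted: [String: Bool] = [:]

    // Granular CMP choice: a linked category can only be on while ATT is authorized.
    func set(_ category: String, to value: Bool) {
        let attAllows = ATTrackingManager.trackingAuthorizationStatus == .authorized
        let blocked = attLinkedCategories.contains(category) && !attAllows
        granted[category] = blocked ? false : value
    }

    // Purpose linking (assumed policy): anything other than .authorized turns
    // every linked category off; .authorized leaves the CMP choice untouched.
    func applyATT(_ status: ATTrackingManager.AuthorizationStatus) {
        guard status != .authorized else { return }
        for category in attLinkedCategories { granted[category] = false }
    }
}

// showPrePrompt and showCMPBanner are hypothetical UI hooks supplied by the app.
// The app's Info.plist must define NSUserTrackingUsageDescription for the ATT prompt.
@available(iOS 14, *)
func runConsentFlow(store: ConsentStore,
                    showPrePrompt: @escaping (_ onContinue: @escaping () -> Void) -> Void,
                    showCMPBanner: @escaping () -> Void) {
    let status = ATTrackingManager.trackingAuthorizationStatus
    guard status == .notDetermined else {
        // ATT already answered or restricted: no pre-prompt, no re-ask. Sync and continue.
        store.applyATT(status)
        showCMPBanner()
        return
    }
    // Educational pre-prompt with a single "Continue" action, then the system ATT prompt.
    showPrePrompt {
        ATTrackingManager.requestTrackingAuthorization { newStatus in
            // The completion handler is not guaranteed to run on the main thread.
            DispatchQueue.main.async {
                store.applyATT(newStatus)
                showCMPBanner() // CMP banner surfaces only after ATT, per the order above
            }
        }
    }
}
```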

For more information or additional best practices for your mobile app CMP or pre-prompt, get in touch with our team or request a demo today!  
