ATT and GDPR Are Not the Same Thing
Apple's App Tracking Transparency framework, introduced with iOS 14.5 in April 2021, requires apps to ask permission before tracking users across other apps and websites. The prompt is binary: allow or deny. GDPR, by contrast, is a legal framework that governs all personal data processing within the EU and EEA, covering far more than just tracking.
Confusing these two systems is common. Both involve asking users for permission. Both use opt-in models. But they differ in scope, legal standing, granularity, and enforcement.
ATT is a platform-level technical control created by Apple. It determines whether an app can access the Identifier for Advertisers (IDFA) on a user's device. GDPR is legislation passed by the European Parliament that applies to any organisation processing personal data of people in the EU, regardless of where that organisation is based. One is a company policy enforced through App Store review; the other is law enforced by data protection authorities with the power to issue fines up to 4% of global annual turnover under Article 83.
Getting this distinction wrong has real consequences for app developers and website owners alike.
What ATT Actually Controls
ATT governs access to the IDFA - a unique device-level identifier that enables cross-app and cross-site tracking on iOS. When a user taps "Ask App Not to Track", the app receives an all-zero identifier (00000000-0000-0000-0000-000000000000) instead of the real IDFA. The app can no longer link its data with data collected by third-party apps or websites for advertising purposes.
Apple defines "tracking" specifically. It covers linking user or device data collected from your app with data from other companies' apps, websites, or offline properties for targeted advertising or advertising measurement. It also covers sharing user or device data with data brokers.
ATT does not cover first-party data collection within your own app. If your app collects analytics data and keeps it in-house without linking it to third-party data, ATT does not apply to that activity. This is a much narrower scope than GDPR.
What GDPR and the ePrivacy Directive Require
GDPR applies to all processing of personal data - not just tracking, not just advertising. Under Article 7, consent must be freely given, specific, informed, and unambiguous. Users must understand exactly what they are consenting to, which controller is processing their data, and for what purposes.
The ePrivacy Directive adds another layer. Article 5(3) requires consent before storing or accessing information on a user's device - this covers cookies, local storage, session storage, and device identifiers like the IDFA itself.
Where ATT offers a single binary prompt, GDPR requires granular consent by purpose. A user should be able to accept analytics tracking while rejecting advertising tracking. ATT provides no mechanism for this distinction. An app operating under GDPR therefore needs a separate consent management layer that handles purpose-specific consent, even if ATT is already implemented.
Side-by-Side Comparison
| Aspect | App Tracking Transparency | GDPR / ePrivacy |
|---|---|---|
| Type | Platform policy (Apple) | Legislation (EU/EEA) |
| Scope | Cross-app/cross-site tracking via IDFA on iOS | All personal data processing by any means |
| Consent model | Binary (Allow / Ask App Not to Track) | Granular, purpose-specific |
| Legal bases | N/A - only consent | Six legal bases under Article 6 |
| Covers first-party analytics | No | Yes, if personal data is processed |
| Enforcement | App Store rejection | DPA fines up to 4% of global turnover |
| Geographic reach | All iOS users globally | People in the EU/EEA (regardless of company location) |
| Withdrawal of consent | Via iOS Settings per app | Must be as easy as giving consent |
| Information requirements | Short prompt with optional custom string | Full transparency: controller identity, purposes, recipients, retention |
Why ATT Alone Fails GDPR Compliance
The ATT prompt does not satisfy GDPR's informed consent standard. GDPR requires that users know the identity of each data controller, the specific purposes of processing, the categories of data involved, and the retention periods. ATT's single-sentence prompt cannot convey all of this.
ATT also ignores the concept of legal bases beyond consent. Under GDPR, processing can be lawful under legitimate interest, contractual necessity, or legal obligation - none of which ATT accounts for. An app might have a legitimate interest basis for certain analytics under GDPR while still needing ATT consent for IDFA access. These are separate determinations.
The IAB Transparency and Consent Framework (TCF) adds yet another requirement. Apps serving programmatic advertising in the EU need TCF v2 consent strings that encode granular vendor-level permissions. ATT's binary signal cannot produce a valid TCF consent string.
ATT Opt-In Rates and Their Impact
When ATT launched in 2021, global opt-in rates sat at roughly 16%. By mid-2022, that figure had climbed to around 25%, with gaming apps achieving closer to 30%. The upward trend has continued as developers have improved their pre-permission messaging and onboarding flows.
Apps that contextualise the tracking request - explaining what the user gains by allowing tracking - report opt-in rates between 40% and 70%. Apps that show the system prompt without preparation see rates below 20%.
The financial impact is significant. Apps with opt-in rates below 30% lose an estimated 58% of advertising revenue on average. This has accelerated the shift towards first-party data strategies, server-side tagging, and conversion modelling to fill measurement gaps.
Regulatory Pushback Against ATT
ATT has drawn scrutiny from competition authorities rather than privacy regulators. Italy's AGCM fined Apple 98.6 million euros in December 2025, finding that the ATT framework imposed excessively burdensome conditions on third-party app developers while giving Apple's own advertising services preferential treatment.
France's competition authority issued a 150 million euro fine in March 2025 over similar concerns. Germany's Federal Cartel Office reached a preliminary decision in February 2025 that Apple abused its market position through ATT. Investigations are also ongoing in Poland and Romania.
The core complaint across these cases is not that ATT asks for consent - it is that Apple applies a stricter consent standard to third-party apps than to its own services. Apple has warned it may stop offering ATT in the EU if regulatory pressure continues, though no withdrawal has been announced.
Practical Implementation for App Developers
If your app operates in the EU, you need both ATT and a GDPR-compliant consent mechanism. The typical flow works as follows:
- Show a GDPR-compliant consent dialogue first, covering all data processing purposes with granular opt-in controls
- If the user consents to advertising/tracking purposes, trigger the ATT prompt
- Only activate cross-app tracking if both the GDPR consent and ATT permission are granted
- Store and respect consent records for both frameworks independently
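The four steps above, written out as an added Swift example (this is illustrative code, not code from the page's author or from Apple): the app's own GDPR dialogue produces a purpose-level consent record, the ATT system prompt is only raised once advertising consent exists under GDPR, tracking is switched on only when both answers are positive, and the two records are stored and withdrawn independently. The `GDPRConsent` struct, the `ConsentCoordinator` class, the `gdpr.consent` storage key and the two-purpose model (analytics, advertising) are assumptions made for the example; `ATTrackingManager`, `ASIdentifierManager` and the `NSUserTrackingUsageDescription` Info.plist key are Apple's real APIs.

```swift
import Foundation
import AppTrackingTransparency
import AdSupport

/// Purpose-level GDPR consent record (constructed minimum for the example;
/// a real consent management platform carries more: vendors, retention, per-purpose timestamps).
struct GDPRConsent: Codable {
    var analytics: Bool
    var advertising: Bool
    var recordedAt: Date
}

/// Outcome of checking both frameworks.
enum TrackingDecision: Equatable {
    case allowed(idfa: UUID)
    case denied(reason: String)
}

/// The all-zero IDFA Apple returns when tracking is not authorised.
private let zeroIDFA = UUID(uuidString: "00000000-0000-0000-0000-000000000000")!

final class ConsentCoordinator {
    private let defaults: UserDefaults
    private let gdprKey = "gdpr.consent"   // assumed storage key for the example

    init(defaults: UserDefaults = .standard) { self.defaults = defaults }

    // Step 1: the app's own GDPR dialogue yields a purpose-level record,
    // stored on its own, independent of whatever ATT later reports.
    func recordGDPRConsent(analytics: Bool, advertising: Bool) {
        let consent = GDPRConsent(analytics: analytics, advertising: advertising, recordedAt: Date())
        if let data = try? JSONEncoder().encode(consent) {
            defaults.set(data, forKey: gdprKey)
        }
    }

    var gdprConsent: GDPRConsent? {
        guard let data = defaults.data(forKey: gdprKey) else { return nil }
        return try? JSONDecoder().decode(GDPRConsent.self, from: data)
    }

    // Step 2: raise the ATT system prompt only if advertising consent exists under GDPR.
    // Step 3: cross-app tracking is enabled only when both frameworks say yes.
    func requestTrackingIfPermitted(completion: @escaping (TrackingDecision) -> Void) {
        guard let consent = gdprConsent, consent.advertising else {
            completion(.denied(reason: "no GDPR advertising consent; ATT prompt not shown"))
            return
        }
        guard #available(iOS 14, *) else {
            completion(.denied(reason: "ATT unavailable before iOS 14"))
            return
        }
        // iOS shows the system prompt once; later calls return the stored status immediately.
        ATTrackingManager.requestTrackingAuthorization { status in
            let decision = ConsentCoordinator.decide(gdprAdvertising: consent.advertising, attStatus: status)
            DispatchQueue.main.async { completion(decision) }
        }
    }

    /// Pure decision function: the more restrictive of the two answers wins.
    @available(iOS 14, *)
    static func decide(gdprAdvertising: Bool,
                       attStatus: ATTrackingManager.AuthorizationStatus) -> TrackingDecision {
        guard gdprAdvertising else {
            return .denied(reason: "GDPR advertising consent denied or withdrawn")
        }
        switch attStatus {
        case .authorized:
            let idfa = ASIdentifierManager.shared().advertisingIdentifier
            // Defensive check: never treat the all-zero identifier as a usable IDFA.
            return idfa == zeroIDFA ? .denied(reason: "IDFA is all zeros") : .allowed(idfa: idfa)
        case .notDetermined:
            return .denied(reason: "ATT prompt not yet answered")
        case .denied:
            return .denied(reason: "user asked app not to track")
        case .restricted:
            return .denied(reason: "ATT restricted by device policy")
        @unknown default:
            return .denied(reason: "unknown ATT status")
        }
    }

    // Step 4, withdrawal side: GDPR requires withdrawal to be as easy as consenting.
    // Clearing this record is independent of ATT, which the user withdraws in iOS Settings.
    func withdrawGDPRConsent() { defaults.removeObject(forKey: gdprKey) }
}
```

Call `recordGDPRConsent` from the completion of your GDPR dialogue, then `requestTrackingIfPermitted` from the view controller that shows the pre-permission screen; the app's Info.plist must carry an `NSUserTrackingUsageDescription` string or the ATT prompt is never displayed. Because `decide` is a pure function of the two inputs, the "ATT allowed but GDPR advertising denied" case can be unit-tested without a device: it returns `.denied`, which is the outcome the rest of this page calls for.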
For websites rather than apps, ATT is irrelevant. Websites operate in browsers, not the iOS app environment, and cannot access the IDFA. Website owners need a cookie banner that handles GDPR cookie consent and, depending on their audience, CCPA opt-out requirements.
Handling the "Double Consent" Problem
Users in the EU who encounter both a GDPR consent dialogue and an ATT prompt may experience consent fatigue. This is the "double consent" problem that Italian regulators cited in their enforcement action against Apple. The practical solution is to integrate the two flows so the user experiences a single, coherent consent journey rather than two disconnected prompts.
Pre-permission screens - shown before the ATT system prompt - can explain why tracking permission is being requested and what value the user receives. This approach both improves opt-in rates and better satisfies GDPR's informed consent requirement.
Frequently Asked Questions
Does App Tracking Transparency replace the need for a cookie consent banner?
No. ATT only controls access to the IDFA within iOS apps. Websites do not use the IDFA and are not affected by ATT. Even within apps, ATT does not satisfy GDPR's requirement for granular, purpose-specific consent.
Do I need ATT consent if my app only collects first-party analytics?
If your analytics data stays within your app and is not linked with third-party data for advertising or shared with data brokers, ATT does not apply. You may still need GDPR consent for processing personal data through analytics.
Can ATT consent count as GDPR consent for tracking purposes?
Not on its own. GDPR consent must be specific, informed, and granular by purpose. The ATT prompt is binary and does not identify individual data controllers or processing purposes in the detail GDPR requires.
What happens if a user allows ATT but rejects GDPR tracking consent?
You must respect the more restrictive choice. If GDPR consent for advertising is denied, you cannot use the IDFA for advertising even if ATT access is granted. Both permissions must be active for cross-app tracking to be lawful in the EU.
Is Apple removing ATT in the EU due to regulatory fines?
Apple has warned it may stop offering ATT in the EU but has not confirmed any withdrawal. The fines from Italy, France, and Germany relate to competition law concerns about unequal treatment of Apple's own services, not to the concept of asking for tracking consent.
Does ATT apply to Android apps?
No. ATT is an Apple-only framework for iOS, iPadOS, and tvOS. Android uses the Google Advertising ID (GAID), which has its own opt-out mechanism but does not use a mandatory pre-tracking prompt like ATT.
Take Control of Your Cookie Compliance
Whether your users arrive through a browser or a native app, consent management remains your responsibility. Kukie.io detects and categorises the cookies and trackers on your website, helping you present visitors with clear, lawful choices that satisfy GDPR requirements.