Guideline 5.1.2
Guideline 5.1.2(i) - Privacy: Missing App Tracking Transparency Before Tracking
Our Take
Apple is rejecting your app because it tracks users across other companies' apps or websites without first prompting them through the App Tracking Transparency (ATT) framework. Since iOS 14.5, any app that accesses the device's advertising identifier (IDFA) or uses any form of cross-app/cross-site tracking must present the ATT prompt and obtain the user's explicit permission before tracking begins. This rejection means your app is either: (1) accessing the IDFA without calling `ATTrackingManager.requestTrackingAuthorization()` first, (2) tracking users through alternative fingerprinting methods without ATT consent, or (3) including an ad SDK that begins tracking before ATT authorization is obtained. Importantly, 'tracking' under Apple's definition is broader than just IDFA access. It includes sharing user data with data brokers, using device signals for fingerprinting, linking user or device data with third-party data for advertising purposes, or sharing a list of advertising identifiers with ad networks. If your app does any of these, ATT is required.
Resolution Guide
**Add ATT prompt before tracking** — Call `ATTrackingManager.requestTrackingAuthorization()` on a relevant screen before any tracking begins. Best practice: show it after onboarding, not on first launch (cold prompts get lower acceptance).
**Gate tracking on authorization** — Check the result of the ATT prompt. Only access IDFA and initialize tracking SDKs if the status is `.authorized`. If denied, disable all tracking.
**Add NSUserTrackingUsageDescription** — In Info.plist, add the `NSUserTrackingUsageDescription` key with a user-friendly message explaining why tracking permission is needed. Example: 'This identifier will be used to deliver personalized ads to you.'
**Defer ad SDK initialization** — Move ad network SDK initialization to after ATT authorization is granted. Most ad SDKs (AdMob, Facebook Audience Network, Unity Ads) support deferred initialization based on ATT status.
**Update App Privacy labels** — If tracking is denied, ensure your app stops all cross-app tracking. Update your App Privacy labels to reflect 'Data Used to Track You' if tracking is enabled.
Prevention
Example Rejection Email
Consider Appealing
Appeal only if your app does not actually track users and the reviewer misidentified the behavior. Provide a technical explanation of what data your app accesses and how it does not meet Apple's definition of tracking. Otherwise, implement ATT and resubmit.
Before & After
Ad SDK initializes in AppDelegate and begins collecting IDFA immediately on launch; no ATT prompt is shown
ATT prompt appears after onboarding; ad SDK initialization is deferred to ATT callback; IDFA is only accessed when status is .authorized; if denied, contextual ads are shown instead
What changed: ATT authorization must precede any IDFA access or cross-app tracking. Deferred SDK initialization is the standard pattern.
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
- Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy