Guideline 5.1.2

Guideline 5.1.2(i) - Privacy: Missing App Tracking Transparency Before Tracking

Medium RiskMedium DifficultyTypical Fix: 2-8 hours0 Reports
Also known as:App tracks users without presenting ATT promptApp accesses advertising identifier before obtaining tracking authorizationTracking begins before user grants ATT permissionApp uses fingerprinting or alternative tracking without ATT consentNSUserTrackingUsageDescription not set or not descriptive enough

Our Take

Apple is rejecting your app because it tracks users across other companies' apps or websites without first prompting them through the App Tracking Transparency (ATT) framework. Since iOS 14.5, any app that accesses the device's advertising identifier (IDFA) or uses any form of cross-app/cross-site tracking must present the ATT prompt and obtain the user's explicit permission before tracking begins. This rejection means your app is either: (1) accessing the IDFA without calling `ATTrackingManager.requestTrackingAuthorization()` first, (2) tracking users through alternative fingerprinting methods without ATT consent, or (3) including an ad SDK that begins tracking before ATT authorization is obtained. Importantly, 'tracking' under Apple's definition is broader than just IDFA access. It includes sharing user data with data brokers, using device signals for fingerprinting, linking user or device data with third-party data for advertising purposes, or sharing a list of advertising identifiers with ad networks. If your app does any of these, ATT is required.

Resolution Guide

01

**Add ATT prompt before tracking** — Call `ATTrackingManager.requestTrackingAuthorization()` on a relevant screen before any tracking begins. Best practice: show it after onboarding, not on first launch (cold prompts get lower acceptance).


02

**Gate tracking on authorization** — Check the result of the ATT prompt. Only access IDFA and initialize tracking SDKs if the status is `.authorized`. If denied, disable all tracking.


03

**Add NSUserTrackingUsageDescription** — In Info.plist, add the `NSUserTrackingUsageDescription` key with a user-friendly message explaining why tracking permission is needed. Example: 'This identifier will be used to deliver personalized ads to you.'


04

**Defer ad SDK initialization** — Move ad network SDK initialization to after ATT authorization is granted. Most ad SDKs (AdMob, Facebook Audience Network, Unity Ads) support deferred initialization based on ATT status.


05

**Update App Privacy labels** — If tracking is denied, ensure your app stops all cross-app tracking. Update your App Privacy labels to reflect 'Data Used to Track You' if tracking is enabled.

Prevention

  • Implement ATT from the start if your app includes any advertising or attribution SDKs
  • Test the ATT flow on a device (not simulator) to verify timing
  • Check Apple's definition of 'tracking' — it's broader than just IDFA access
  • Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.1.2 - Guideline 5.1.2(i) - Privacy: Missing Ap
    Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing Your app accesses the device's advertising identifier or tracks users without first obtaining permission through the App Tracking Transparency framework. Specifically, your app uses the AppTrackingTransparency framework but does not present the tracking authorization request to users before collecting tracking data. Alternatively, your app tracks users through fingerprinting or other means without obtaining ATT authorization. Next Steps: Please update your app to: 1. Present the App Tracking Transparency prompt before accessing the IDFA or engaging in any tracking. 2. Only track users who have granted permission (ATTrackingManager.AuthorizationStatus.authorized). 3. Ensure the NSUserTrackingUsageDescription key in Info.plist clearly explains why tracking permission is being requested.

    Consider Appealing

    Appeal only if your app does not actually track users and the reviewer misidentified the behavior. Provide a technical explanation of what data your app accesses and how it does not meet Apple's definition of tracking. Otherwise, implement ATT and resubmit.

    Generate Appeal

    Before & After

    Before — Rejected

    Ad SDK initializes in AppDelegate and begins collecting IDFA immediately on launch; no ATT prompt is shown

    After — Approved

    ATT prompt appears after onboarding; ad SDK initialization is deferred to ATT callback; IDFA is only accessed when status is .authorized; if denied, contextual ads are shown instead

    What changed: ATT authorization must precede any IDFA access or cross-app tracking. Deferred SDK initialization is the standard pattern.

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections