My iOS app got rejected because the app includes a GDPR prompt and an App Tracking Transparency permission request

[Nikunj Gabani]

Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage

We still noticed your app includes a GDPR prompt and an App Tracking Transparency permission request, but they are implemented in a way that might confuse the user. 

Specifically, your app shows the App Tracking Transparency permission request after the user has already requested you not to track on the GDPR prompt. 

In addition to App Tracking Transparency, it is important to include all disclosures required by local laws and regulations wherever your app is distributed. These disclosures should be implemented in a way that is clear and respects the user's choices, regardless of the order in which they are presented to the user. 

Next Steps

If the user denies permission to track once, do not ask them to allow tracking again. All tracking activity should stop the first time the user denies permission to track.

What should I do?

[Mobile Ads SDK Forum Advisor]

Hi Nikunj,

Thank you for reaching out to us. In looking over your concerns, we would ask if it is possible to get a screenshot of the 2 screens that Apple is saying are causing this issue. At the same time we would suggest making sure that you are on the current version of the Funding Choices. Also when looking at the GDPR screen check to see if there are 2 buttons, if so then it is possible you are using an older version or one that has not been updated with changes that fix that.

Regards,

William Pescherine Mobile Ads SDK Team

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Hi, I have sent you SS by replying to author,

Please look into it and let me know what can I do to get my app approved

[Mobile Ads SDK Forum Advisor]

Hi Nikunj,

Thank you for the screenshots. We are asking if you can also share with us via  the "Reply to author" button with a simple sample app that shows this very same behavior so that we can look at it on our end. Also when looking at the screenshots, it would appear that what is causing the rejection is the IDFA message that looks to be getting called.

[Nikunj Gabani]

I have also done the appeal of the app rejection, but they replied like this,

-----------------------------------------------------------------------------------------------
Thank you for your patience as we considered your appeal.

The App Review Board determined that the original rejection feedback was valid. Your app does not comply with:

Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage

We continue to find that your app shows the App Tracking Transparency permission request after the user has already requested you not to track on the GDPR prompt. While we appreciate that these may be two different mechanisms, to the user they both request tracking in order to display relevant ads.

To resolve this issue, it would be appropriate to revise the app flow so that if the user denies permission to track once, they will not be asked to allow tracking again. All tracking activity should stop the first time the user denies permission to track.

For additional information, please refer to the previous messages you received in Resolution Center. You may also review the App Store Review Guidelines to learn more about this issue.

We appreciate your efforts to resolve this issue and look forward to reviewing your revised submission.
-----------------------------------------------------------------------------------------------

So I want to know these things,

1. Does it require to show GDPR prompt to the user even if the user has given their decision in Apple's ATT framework?

2. If we need to show the GDPR prompt to the user, then what will be the sequence of the dialogs?
i. Apple's ATT framework -> GDPR prompt
OR
ii. GDPR prompt -> Apple's ATT framework

Thanks

--

---
You received this message because you are subscribed to the Google Groups "Google Mobile Ads SDK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-admob-ads...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-admob-ads-sdk/3XNzO000000000000000000000000000000000000000000000QWJXFG00yRhq9_rtRZmms03e1vrJlA%40sfdc.net.

--

Regards,

Nikunj Gabani

[Nikunj Gabani]

For the solution of this, 

What should I do?

1. First show Apple's ATT dialog to get the user's decision of tracking them, whether the user allows to track or denied it, show EU Consent dialog to them

OR

2. First show Apple's ATT dialog to get the user's decision of tracking them, if the user denies to track them, do not show EU Consent dialog to them, If the user allows to track them, show EU Consent dialog to them

Please share your thoughts

Thanks

[Mobile Ads SDK Forum Advisor]

Hi Nikunj,

Thank you for reaching out to us. Below are my responses to you inquiries.

1. Does it require to show GDPR prompt to the user even if the user has given their decision in Apple's ATT framework?

- Yes

2. If we need to show the GDPR prompt to the user, then what will be the sequence of the dialogs?
i. Apple's ATT framework -> GDPR prompt
OR
ii. GDPR prompt -> Apple's ATT framework

- you may need to display the IDFA explainer message before the iOS ATT alert.

1. First show Apple's ATT dialog to get the user's decision of tracking them, whether the user allows to track or denied it, show EU Consent dialog to them
OR
2. First show Apple's ATT dialog to get the user's decision of tracking them, if the user denies to track them, do not show EU Consent dialog to them, If the user allows to track them, show EU Consent dialog to them

- The approach is to show EU Consent dialog, then iOS ATT alert.

For more information, you may want to check our HC article regarding this.

Regards,

Teejay Wennie Pimentel Mobile Ads SDK Team

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Hi,

Thanks for your reply

- you may need to display the IDFA explainer message before the iOS ATT alert.

But the issue is with the EU Consent dialog and ATT dialog, even if I add IDFA explainer message before the iOS ATT alert it will not resolve the issue

- The approach is to show EU Consent dialog, then iOS ATT alert.

Then how could I restrict Apple's ATT dialog to not show if the user denies permission to track once in the EU consent dialog?

--

---
You received this message because you are subscribed to the Google Groups "Google Mobile Ads SDK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-admob-ads...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-admob-ads-sdk/eAnwQ000000000000000000000000000000000000000000000QWUJPZ00lkah7JhsQ02HmmgVv2sbgQ%40sfdc.net.

--

Regards,

Nikunj Gabani

[Mobile Ads SDK Forum Advisor]

Hi Nikunj,

Thank you for the response. I have been looking more into this as well as taking your questions into account. From the feedback I have seen from our team regarding issues similar to this, I would start with this. The way we would expect the consents to go should be, GDPR > EU Consent > ATT. The only time you should be hitting the ATT is if consent is given and one a clean install. The Funding Choice should also be working along this line of progress for the approvals. On top of that the ATT should only be showing if consent is given from the EU form.

Regards,

William Pescherine Mobile Ads SDK Team

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Thank you for your clarification.

Can you please let me know when and what steps do I need to take? 

--

---
You received this message because you are subscribed to the Google Groups "Google Mobile Ads SDK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-admob-ads...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-admob-ads-sdk/LPEi1000000000000000000000000000000000000000000000QWV0PW00Bv9KIpnzRfq-bLpR5l_j7g%40sfdc.net.

--

Regards,

Nikunj Gabani

[Mobile Ads SDK Forum Advisor]

Hi Nikunj,

We recommend checking our implementation guide below.

• GDPR/EU Consent - https://developers.google.cn/admob/ump/ios/quick-start
• ATT - https://developers.google.cn/admob/ios/ios14#request

Regards,

Teejay Wennie Pimentel Mobile Ads SDK Team

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Thank you for your reply.

We have already checked and confirmed the below guides.

GDPR/EU Consent - https://developers.google.cn/admob/ump/ios/quick-start
ATT - https://developers.google.cn/admob/ios/ios14#request

But still, the issue is there, So what else changes should I make do? so I can get the approval of the app update from Apple?

--

---
You received this message because you are subscribed to the Google Groups "Google Mobile Ads SDK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-admob-ads...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-admob-ads-sdk/YGaa3000000000000000000000000000000000000000000000QWWDTQ002PDapm23RgyFTwma85pNIw%40sfdc.net.

--

Regards,

Nikunj Gabani

[Mobile Ads SDK Forum Advisor]

Hello Nikunj,

Thank you for your response.

For us to further investigate this and provide more context to your questions, could you please provide us your simple sample app with minimum modification with your implementation? You can send it via Reply privately to author option or send it directly to mobileads...@gmail.com. Once provided, we will share it to the rest of the team for investigation.

Regards,

Princess Pamela Pineda Mobile Ads SDK Team

 

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Thank you for your reply.

I am thinking to remove UMP SDK from the app, and to use EU consent (legacy) dialog to take consent from European Economic Area (EEA) users, which gives the consent status from the dialog, If users select the option "No, see ads that are less relevant", then don't show Apple's ATT prompt to them, and if they select the option "Yes, continue to see relevant ads", then show Apple's ATT prompt to them

EU consent (legacy) dialog:

https://developers.google.com/admob/ios/eu-consent

So please share your suggestion for this process, could we do this and get approval from the Apple app review team for our rejected app?

[Nikunj Gabani]

Also, I have reviewed some other apps which use Apple's ATT prompt to take consent from the user to track them.

But they are not displaying EU consent dialog to users.

So Can you let me know that will it be ok, if we use only Apple's ATT prompt and not the EU consent dialog for European Economic Area (EEA) users too?

[Mobile Ads SDK Forum Advisor]

Hello Nikunj,

Thank you for your response.

With regard to the consent link that you provided, please be informed that is now deprecated in favor of the User Messaging Platform SDK, which is IAB compliant, so we would not recommend to use it anymore.

As per your app being rejected, it's hard for us to debug further as we don't have a full visibility of your implementation. We would need a project (or at least a sample project) in order to actually make any progress in diagnosing this. You can send it via Reply privately to author option or send it directly to mobileads...@gmail.com. Once provided, we will share it to the rest of the team for investigation.

For the use case wherein apps which use Apple's ATT prompt to take consent from the user to track them, but they are not displaying EU consent dialog to users, technically, this is possible. However, we cannot comment if this is permissible on Apple's implementation policy. That said, we would recommend to reach out to Apple developer support regarding this.

[Nikunj Gabani]

Hello there,

I have shared a source code of the implementation of UMP and ATT dialogs via Reply privately to author option.

Please check it out and let me know if I am doing anything wrong with the code.

[Mobile Ads SDK Forum Advisor]

Hi Nikunj,

I work with Pamela and will assist you. Thank you for sending us the code for your project. You are manually calling for an IDFA prompt if you successfully called for a GDPR prompt. This is why the IDFA prompt comes up regardless of whether the user consented to the GDPR prompt or not. UMPConsentStatus.obtained will return true when user doesn't consent, the user pressing the "Do not consent" button is the status that was obtained. If the user doesn't interact with the form then UMPConsentStatus.obtained would be false.

I just tested the recommended flow in our guide and what occurs on first time opening the app in the EU is the GDPR screen comes up first. If user presses "Do not consent" then the IDFA prompt doesn't come up. If user presses something else then the ATT explainer message comes up, then the system ATT dialog prompt comes up. If the user isn't in the EU then the ATT explainer message comes up, then the system ATT dialog prompt comes up. This flow of consent has been tested and Apple didn't reject it. It appears you prefer a different flow. To assist you further, could you elaborate on what you want different than our recommended flow?

Regards,

Aryeh Baker Mobile Ads SDK Team

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Hi there,

I have got your point and I removed the manual calling for an IDFA prompt, and submitted a new build for review, and Apple rejected the app with the given reason,

---------------------------------------------------------------------------
Guideline 2.1 - Information Needed


We're looking forward to completing our review, but we need more information to continue. Your app uses the AppTrackingTransparency framework, but we are unable to locate the App Tracking Transparency permission request.

Specifically, we tapped on the Consent button and accepted all data access, but were unable to find the App Tracking Transparency permission request afterwards.

Since you indicated in App Store Connect that you collect data in order to track the user, we need to confirm that App Tracking Transparency has been correctly implemented.

Next Steps

Please explain where we can find the App Tracking Transparency permission request in your app. The request should appear before any data is collected that could be used to track the user.

If your app does not track users, please update your app privacy information in App Store Connect. You must have the Account Holder or Admin role to update app privacy information.

Resources

- Tracking is linking data collected from your app with third-party data for advertising purposes, or sharing the collected data with a data broker. Learn more about tracking.
- See Frequently Asked Questions about the new requirements for apps that track users.
- Review developer documentation for App Tracking Transparency.
---------------------------------------------------------------------------


Please give me your suggestion to resolve this issue

Thanks

[Mobile Ads SDK Forum Advisor]

Hello Nikunj,

Thank you for your response.

It seems that you didn't received my colleague response to you. As we reviewed the response that Apple has given to you, it seems that it indicates that there still missing on your implementation for ATT on permission request. As this is being occured, we would suggest that you follow the guide that previously mentioned by my colleague to better check the implementation for your application before submitting it again.

Regards,

Princess Pamela Pineda Mobile Ads SDK Team

 

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Hello,

Thank you for your response.

I already made the changes as you suggested and then submitted the app for review, then apple rejected the app again with the previous message,

Also, I have sent you the implementation code of my app by replying privately to the author.

Please check and let me know if any changes are needed.

Thanks

[Mobile Ads SDK Forum Advisor]

Hi Nikunj,

Thank you for all the information. To be able to look more into this, we will need a full simple sample app with your implementation so as to be able to run tests against how you are doing this. As well as compare it to what Apple is saying. it would appear that there might be something that you are doing that is not included with what you have shown us so that is why we would like to see the full app. You can remove any business logic.

Regards,

William Pescherine Mobile Ads SDK Team

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Hello,

Thank you for your response.

The file which I sent to you has all the implementation code of the UMP SDK of my app, there are no other changes added from my side, I have only removed the business logic from the file
So I request you to check it out and let me know if any changes are needed.

Thanks

--

---
You received this message because you are subscribed to the Google Groups "Google Mobile Ads SDK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-admob-ads...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-admob-ads-sdk/ZmqF7000000000000000000000000000000000000000000000QXMW1M00sL9wCPgWQl-t8GZY3yENQg%40sfdc.net.

--

Regards,

Nikunj Gabani

[Mobile Ads SDK Forum Advisor]

Hello Nikunj,

Thank you for your response.

As we mentioned already the possible guide to fix your implementation, and still Apple rejecting it. We will raise it to the rest of the team for further investigation.

Regards,

Princess Pamela Pineda Mobile Ads SDK Team

 

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Hello,

I have found that cause of the issue, we have unpublished IDFA message from the funding choices as Apple previously rejected the app because of the explainer message before the ATT dialog.

Now I have enabled and published IDFA message in the funding choices, and the flow is as below,

Non-EEA Users: IDFA Explainer -> Apple ATT

EEA Users: EU Consent Dialog -> Consent -> Apple ATT

EEA Users: EU Consent Dialog -> Manage(Do not Consent) 

But for the last option EEA Users: EU Consent Dialog -> Manage(Do not Consent),

When again I open the app it is displaying these dialogs:

IDFA Explainer -> Apple ATT

Can you please explain it to me?

Thanks

[Mobile Ads SDK Forum Advisor]

Hello Nikunj,

Thank you for reaching out.

Our team have started looking into the issue and will provide you with an update accordingly.

In the meantime, please do not hesitate to reach out if you have any questions.


Regards,
Joshua

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Hello,

Thank you for your response.

So I just want to ask you one thing,

Will it be ok if I submit the app for review with this process?

Non-EEA Users: IDFA Explainer -> Apple ATT

EEA Users: EU Consent Dialog -> Consent -> Apple ATT

EEA Users: EU Consent Dialog -> Manage(Do not Consent) 

But for the last option EEA Users: EU Consent Dialog -> Manage(Do not Consent),

When again I open the app it is displaying these dialogs:

IDFA Explainer -> Apple ATT

Thanks

[Mobile Ads SDK Forum Advisor]

Hello Nikunj,

Thanks for the follow-up.

Are you using Privacy & messaging to gather consent for GDPR?

At the bottom of this article, it mentions that if you aren't using Privacy & messaging to gather consent for GDPR, your users will always see the IDFA explainer message immediately before the iOS ATT alert.

To create a message and gather consent for the General Data Protection Regulation (GDPR), you need to go to the AdMob UI then to the Privacy & messaging page, select GDPR option and create a GDPR message.

If it still doesn’t work as expected, would you please provide your App ID (by following these steps) or app store link so we can take a look into your settings?

Thanks,
Joshua

 

ref:_00D1U1174p._5004Q2Kcnpe:ref

[Nikunj Gabani]

Hello there,

I have provided the App ID and app store link via the Reply privately to author option.

Also, I have provided a detailed description of the exact issue.

Please check it out

[Mobile Ads SDK Forum Advisor]

Hello Nikunj,

Thank you for the detailed explanation and sending us more info.

For your information, this article explains about the structure of a GDPR message. In the "Manage your data" page, if the user has made no changes to this page, all purposes where the publisher was requesting consent will remain unconsented and any purposes they were disclosing as legitimate interest will remain opted in. 

So I believe your question is, why the IDFA Explainer Message is showing instead of the GDPR consent message when the user opens the app again?

We are going to look into your code and will provide you an update.

[Nikunj Gabani]

Hi

Yes my question is, why the IDFA Explainer Message is showing when the user opens the app again as user already gave his choice by selecting manage options in GDPR prompt?

--

---
You received this message because you are subscribed to the Google Groups "Google Mobile Ads SDK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-admob-ads...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-admob-ads-sdk/6TfaF000000000000000000000000000000000000000000000QXT0KU003viaVrHFSkWxV7HvCgOvaw%40sfdc.net.

--

Regards,

Nikunj Gabani

[Nikunj Gabani]

Hello there,

Could we schedule a call for a detailed discussion and get the solution as soon as possible? as it has been more than a month since my app is in the rejected state, and I need to make it live on priority.

Thanks

[Mobile Ads SDK Forum Advisor]

Hello Nikunj,

Thank you for waiting.

Regarding the user journey in the video you uploaded, it is working as intended.

The IDFA Explainer Message is showing because IDFA is a separate flow from GDPR and they are not interoperable, so we don't apply the user's GDPR consent decision to the ATT consent prompt.

Please let me know if you have any questions.


Regards,

[Nikunj Gabani]

Hi,

So as you said,  This is a good user experience if we show the IDFA Explainer Message and Apple's ATT prompt again when the user opens the app even user already gave his choice by selecting manage options in the GDPR prompt previously?

So my question is,
How is it a good user experience if we ask users to give consent again and again when users don't want to allow to track them?

Please share possible solutions for this issue

Thanks

--

---
You received this message because you are subscribed to the Google Groups "Google Mobile Ads SDK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-admob-ads...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-admob-ads-sdk/usWNK000000000000000000000000000000000000000000000QXY2Y000cLOcBginSWeCr1TTo41e_g%40sfdc.net.

--

Regards,

Nikunj Gabani

[Mobile Ads SDK Forum Advisor]

Hello Nikunj,

Thank you for following up.

As previously mentioned, IDFA is a separate consent flow from GDPR, so they are not interoperable and we don't apply the user's GDPR consent decision to the ATT consent prompt.

We have specific guidance from the EU on GDPR consent and same from Apple on ATT consent, and they cannot be served by a single user decision right now.