URGENT: Apple App Rejected - UMP SDK Using both GDPR & IDFA/ATT Causing Rejection


JF47

Aug 10, 2023, 5:35:48 PM
to Google Mobile Ads SDK Developers
Although we have used the UMP SDK for a while, today our update was rejected by Apple because, as far as I understand the rejection, the GDPR consent was declined by the user, but the IDFA prompt was still shown afterwards - which Apple claims is "confusing". 

The full text of the rejection is as follows:
*****************
Rejection Reasons:
5.1.1 Legal: Privacy - Data Collection and Storage


Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage

We noticed your app includes a GDPR prompt and an App Tracking Transparency permission request, but they are implemented in a way that might confuse the user.

Specifically, your app shows the App Tracking Transparency permission request after the user has already requested you not to track on the GDPR prompt.

In addition to App Tracking Transparency, it is important to include all disclosures required by local laws and regulations wherever your app is distributed. These disclosures should be implemented in a way that is clear and respects the user's choices, regardless of the order in which they are presented to the user.

Next Steps

If the user denies permission to track once, do not ask them to allow tracking again within the same permission request flow. There should be no tracking activity until the user grants permission to track.

If your app shows the GDPR prompt before showing the App Tracking Transparency permission request, there is no need to modify the wording of the GDPR prompt.
*****************

Our code looks almost identical to the documentation for the UMP SDK (using Unity), and just calls the "ConsentInformation.Update(request, OnConsentInfoUpdated);" as it should. After a form is completed, it calls it again, as was documented as best practices to see if there are other forms needed, and this is when it will display the IDFA prompt. This is fine if the user did consent under the GDPR message, as they should also need the IDFA message in that case. It should NOT do that when GDPR consent is declined.


However, the response there is completely useless and misses the point. In that reply it said that "One approach is to first show the ATT prompt and then determine whether or not to display the GDPR prompt" - but that is impossible. We are not deciding what form comes first, that is all done by the UMP SDK. I agree that it seems like the UMP SDK should maybe do that first, but it is NOT. The attempt at a second option there is equally useless, as we are not the ones deciding the order of anything showing at all - it is all the UMP SDK.

This looks like it needs a Google fix to make sure the IDFA is shown first, then GDPR, as you have suggested. If there is any workaround for this now, please let us know ASAP, as we are sitting in "rejected" status with Apple due to this.

Mobile Ads SDK Forum Advisor

Aug 11, 2023, 4:27:09 AM
to joshf...@gmail.com, google-adm...@googlegroups.com
Hello,

Welcome to Mobile Ads SDK Support team. Thank you for reaching out to us.

Can you confirm if you have followed the below guides? Moreover, is it possible to share with us the below information so we can share this issue with our wider team as well if necessary?
  • sample project implementation where the issue is reproducible
  • screen recording of the behavior on your end
  • admob sdk version
  • ump sdk version

If the file(s) you are looking to share are less than 25mb in total you can attach them to this case on your next reply. If you are having trouble attaching your file to this case or if your file(s) are larger than 25mb, you can share your files with me by performing the following steps:

1. Navigate to

https://docs.google.com/forms/d/e/1FAIpQLSfkAiXMeYP-fw1W3Z-tT9uwmATEKO5X6S-th0gR2ezdKaaqfg/viewform?usp=pp_url&entry.400550049=Mobile+Ads+SDK&entry.460850823=5004Q00002nqo7SQAQ&entry.80707362=00192769

2. Fill out all fields, and attach your file(s).

3. Please reply back on this thread when you have uploaded your file(s). Please do not share this link.

 
This message is in relation to case "ref:_00D1U1174p._5004Q2nqo7S:ref"

Thanks,
 
Mobile Ads SDK Team


JF47

Aug 11, 2023, 3:09:22 PM
to Google Mobile Ads SDK Developers
Yes, I can confirm the guides were all followed, however note that as mentioned this is in Unity, so the appropriate guides and implementation were followed there. The native code is essentially the same, but worth reminding you that in our case we use Unity. I'm fairly certain the problem will be the same with native code projects as well.

- I am working to create a reproducible Unity project for you, as I can't share our entire game code with you (and your demo/sample for Unity doesn't even compile on any recent version of Unity). However, this will take more time and we really need a resolution to this now. I'm certain that if you just call "ConsentInformation.Update" once to load the GDPR, and then after that is done you call it again, either at the same time or on a new app launch, you will see this issue.

- Screen recording uploaded via the Google Form link you provided.

- admob sdk version (iOS) is 10.9 (updated to latest available to confirm, but also happens on older versions)

- UMP SDK (and plugin) is the latest from your GitHub repo: https://github.com/googleads/googleads-mobile-unity, and lists:
Google Mobile Ads Android SDK 22.2.0
Google Mobile Ads iOS SDK 10.9
Google User Messaging Platform 2.1.0
External Dependency Manager for Unity 1.2.176

JF47

Aug 11, 2023, 5:43:22 PM
to Google Mobile Ads SDK Developers
I have now uploaded the Unity project (tested with Unity 2022.3.7f1, but anything around that or newer will work fine) for reproducibility using your Google Form link. The code is extremely simple, and is based entirely on the Google provided Demo/Sample project on GitHub as provided earlier (https://github.com/googleads/googleads-mobile-unity).

Note that the Google provided sample/demo does NOT compile on newer versions of Unity, and even after trying to clear past most of the compile issues, it still doesn't work. Instead I had to create a new project entirely in Unity (2D Mobile Template from Unity), but used the sample "GoogleMobileAdsController" class and supporting files from the sample/demo. Everywhere I changed or modified that code to produce this sample, is noted with clear start/end comments in the code. You will find the code is hardly changed at all, and just added logging and the follow-up call to "ConsentInformation.Update" as mentioned earlier.

To reproduce on a Mac to build for iOS:
1) Open the Unity project, and make sure the Unity Google Mobile Ads plugin is installed properly in Unity (as available on the GitHub provided)
2) Build the iOS XCode project as any other Unity project (you may have to disable bitcode in the build settings of the XCode project, depending on your XCode version)
3) Run the project in XCode to a real device (recently confirmed on an iPhone 8, but many others tested prior), and make sure that device is running in an area that requires GDPR, or (as we did when testing) use a VPN connected to the appropriate country for testing (we used France). This is because simply adding a test device ID will NOT work for this kind of test, because the Device ID will change on every install, and this issue only shows on the first run of a fresh install, and Google provides no way to debug/test otherwise.
4) Observe that even if you do not consent to the initial GDPR prompt, the IDFA prompt will still show afterwards.

To run the test multiple times, you must uninstall/delete the app from the device and install fresh, because again, this is a "first run" problem.

I have also uploaded a short video of this reproducible project running on a device to illustrate it has the same issue. If you need anything further, please let me know, but we need this resolved ASAP.


Mobile Ads SDK Forum Advisor

Aug 11, 2023, 6:14:16 PM
to joshf...@gmail.com, google-adm...@googlegroups.com
Hello,

Thank you for providing the requested information.

Upon reviewing this, I've noticed you are prompting the user with a custom message before showing the IDFA message. With your implementation, I recommend displaying the IDFA message first then the GDPR prompt. This way, if the user declines the IDFA message, you won't have to display the GDPR prompt. 

JF47

Aug 11, 2023, 6:18:08 PM
to Google Mobile Ads SDK Developers
No, that is clearly incorrect. I have no idea how you possibly came to that conclusion. The messages shown are all coming from the UMP SDK. One for GDPR and one for IDFA. We do NOT select the order they are shown in, and we are not creating that prompt ourselves - they are configured in the "Privacy and messaging" section of AdMob as the documentation specifies they should be. That is all done by Google and the UMP SDK. Did you look at the reproducible project that I spent hours making and testing for you? That makes it very clear that none of this is coming from us, and the order is not being set by us.

Hezi medina

Aug 12, 2023, 5:09:38 AM
to Google Mobile Ads SDK Developers
Hi,

The right way:

1. MESSAGE GDPR > approve > IDFA

2. MESSAGE GDPR > not approve > don't show the message IDFA

Can see more information here: https://groups.google.com/g/google-admob-ads-sdk/c/scMoEETnKFE

JF47

Aug 12, 2023, 12:01:17 PM
to Google Mobile Ads SDK Developers
I see that the Google response there is just as useless. Both the GDPR and IDFA messages are coming from Google and the UMP SDK, and that provides no way whatsoever to force one to happen before the other, or to not show the IDFA if the GDPR isn't consented to. Google must fix this. I have provided them a clear and simple reproducible case to do so.

Mobile Ads SDK Forum Advisor

Aug 14, 2023, 6:16:12 AM
to hezi.m...@gmail.com, google-adm...@googlegroups.com
Hello,

Thank you for responding back. I understand the urgency of your concern. With that, allow me to raise this (including the reports and discussion thus far) to a wider team to get their insight. I'll update this thread as soon as I hear back from them.

Mobile Ads SDK Forum Advisor

Aug 15, 2023, 1:11:31 PM
to google-adm...@googlegroups.com, hezi.m...@gmail.com
Hello,

Thank you for your inquiry. Current behavior is that if the GDPR form is not consented to, the next call to requestConsentInfoUpdate() indicates ConsentStatus.REQUIRED again to trigger the IDFA explainer/prompt. Because it is called mid-session, the same session is showing the IDFA prompt. We are looking at changing this behavior server-side to stop showing that prompt altogether if the user doesn't consent to GDPR. Our short term recommendation is to not call requestConsentInfoUpdate() again mid-session. I will follow up here as soon as the change has been put in.

Thanks,
Justin

ref:_00D1U1174p._5004Q2nqo7S:ref

JF47

Aug 15, 2023, 6:36:48 PM
to Google Mobile Ads SDK Developers
Hi Justin, thank you for the update and for your work to get this resolved!

Unfortunately, the "short term recommendation" provided would be a significant ad revenue impact, and so it is not viable. We do need to call requestConsentInfoUpdate to get the IDFA prompt today, because the UMP SDK does not provide any way for us to know if they consented or not. As you mentioned, we only get the "ConsentStatus.REQUIRED", and that is the problem. Without that second call to "requestConsentInfoUpdate", we would end up with a large number of users agreeing to GDPR and then not prompting for the IDFA, which makes it worse than useless. A user needs to agree to both to get personalized advertising. Just prompting for the first one would be a very poor business decision with significant financial impacts. That makes it simply not an option.

The only solution is as you stated, by "changing this behavior server-side to stop showing that prompt altogether if the user doesn't consent to GDPR". Can you please provide an ETA on when you think that might be completed? Are we talking days, weeks, or ???

Mobile Ads SDK Forum Advisor

Aug 15, 2023, 6:57:24 PM
to joshf...@gmail.com, google-adm...@googlegroups.com
Hello,

Thank you for following up. You should still call requestConsentInfoUpdate() on every app launch, just not a second time mid-session. This means that while the user would not see the IDFA in the same session, if they did not consent to GDPR they would see the prompt in the very next session (given you are calling requestConsentInfoUpdate() on every app launch). As for when, I do not have an ETA, but it is something that is highly prioritized by our team.

JF47

Aug 22, 2023, 10:37:24 AM
to Google Mobile Ads SDK Developers
Hi, it's been a week, and we agree this needs to be a "highly prioritized" item. Any updates? As I mentioned before, having the first user session not include the IDFA prompt is a significant revenue issue, so this needs to be resolved ASAP.

Mobile Ads SDK Forum Advisor

Aug 22, 2023, 10:44:00 AM
to joshf...@gmail.com, google-adm...@googlegroups.com
Hello,

Thank you for your query. At this moment, our team is actively working on your case. I will follow up here as soon as the work is completed. The work being done is not expected to require an app update. 

JF47

Sep 6, 2023, 12:34:35 PM
to Google Mobile Ads SDK Developers
Hi, we are now going on a month since my original report, on an issue we seem to agree is an urgent high priority, yet has still not been resolved. I am unable to submit an update to Apple without this fixed on your side. I understand that you don't need an SDK update, but we are still waiting to hear if you have the server side update in place. Without it, Apple will just reject our update again. Please escalate this issue so it can get the attention it needs and get this resolved ASAP!

Mobile Ads SDK Forum Advisor

Sep 7, 2023, 12:17:29 PM
to joshf...@gmail.com, google-adm...@googlegroups.com
Hi JF47,

Yes, the server side change is now live. If the user does not consent to purpose 1 on the GDPR form, the ATT prompt will not be shown.

ref:_00D1U1174p._5004Q2nqo7S:ref
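
A small model of the behaviour described in the replies above (the second mid-session update and the later server-side change), added here as an illustration; it is not code from the thread, the UMP SDK or Google. `Device`, `pending_form`, `run_session` and `att_after_decline` are hypothetical names, and the model assumes each update call surfaces at most one form.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Device:
    """Consent state that survives app launches (constructed model)."""
    gdpr_consented: Optional[bool] = None  # None: GDPR form not answered yet
    att_answered: bool = False


def pending_form(dev: Device, server_fixed: bool) -> Optional[str]:
    """What one consent-info update reports as still required, if anything."""
    if dev.gdpr_consented is None:
        return "GDPR"
    if not dev.att_answered:
        # Server-side change from the thread: no ATT prompt after a GDPR decline.
        if server_fixed and not dev.gdpr_consented:
            return None
        return "ATT"
    return None


def run_session(dev: Device, gdpr_choice: bool, recheck_mid_session: bool,
                server_fixed: bool) -> List[str]:
    """One app launch; returns the prompts shown, in order."""
    shown: List[str] = []
    for _ in range(2 if recheck_mid_session else 1):
        form = pending_form(dev, server_fixed)
        if form is None:
            break
        shown.append(form)
        if form == "GDPR":
            dev.gdpr_consented = gdpr_choice
        else:
            dev.att_answered = True
    return shown


def att_after_decline(shown: List[str], dev: Device) -> bool:
    """True for the flow Apple flagged: decline on GDPR, then ATT, one session."""
    return dev.gdpr_consented is False and shown == ["GDPR", "ATT"]


if __name__ == "__main__":
    for fixed in (False, True):
        for recheck in (True, False):
            dev = Device()
            first = run_session(dev, False, recheck, fixed)
            second = run_session(dev, False, recheck, fixed)
            print(f"fixed={fixed} recheck={recheck}: {first} then {second} "
                  f"flagged={att_after_decline(first, dev)}")
```
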

JF47

Sep 9, 2023, 1:45:54 PM
to Google Mobile Ads SDK Developers
Thank you for resolving this issue. I have tested and confirmed the fix works as expected on my test devices.

Oscar Tsang

Jan 13, 2024, 8:51:36 PM
to Google Mobile Ads SDK Developers
"The ATT prompt will not be shown" cannot solve the problem. The app may be rejected by the Apple reviewer for this reason:

"We’re looking forward to completing our review, but we need more information to continue. Your app uses the AppTrackingTransparency framework, but we are unable to locate the App Tracking Transparency permission request when reviewed"

Your app not getting rejected is lucky.
Currently, to solve the Apple reviewer rejection problem, stop the GDPR message during review; after passing the app review, re-enable the GDPR message.

To solve the Apple review problem, AdMob should change the GDPR message showing sequence to:
1. Show ATT prompt first.
2. If ATT is "Ask App Not to Track" ---> Do not prompt the GDPR message. ---> GDPR auto set to "Do not consent".

Mobile Ads SDK Forum Advisor

Jan 15, 2024, 4:35:59 PM
to oscarts...@gmail.com, google-adm...@googlegroups.com
Hello Oscar,

Thank you for flagging this. I have escalated your query to the engineering team to take a closer look. In the meantime, this doesn't appear to be a rejection from Apple but rather an inquiry for more information. This is the first time I have seen an Apple review come back with this follow-up message. Short-term would be to respond to Apple mentioning that the ATT alert appears if GDPR consent is accepted.

Thanks,
Justin

ref:!00D1U01174p.!5004Q02nqo7S:ref

Marsele Pavlov

Jan 16, 2024, 2:39:22 AM
to Google Mobile Ads SDK Developers
Don't listen to him with his "Auto Do Not Consent"; it will ruin many people's app logic. If some reviewer asks for ATT first, every developer can do it the older way with 2 lines of code.


Oscar Tsang

Jan 16, 2024, 5:25:19 AM
to Marsele Pavlov, Google Mobile Ads SDK Developers
If some others don't want to change the program flow, it is simple if AdMob allows developers to set "Do not consent" programmatically (i.e. no need to prompt the GDPR message to let the user select).
Every problem can be solved.


Marsele Pavlov

Jan 16, 2024, 8:13:04 AM
to Google Mobile Ads SDK Developers
The ATT consent rate is only 40%, but AdMob will show ads anyway. The GDPR consent rate is 70%+, and do not consent means no ads. So this Auto Do Not Consent will purge half the ads. If the reviewer wants ATT first, just do it the older way without the UMP SDK.


Oscar Tsang

Jan 16, 2024, 9:21:38 AM
to Marsele Pavlov, Google Mobile Ads SDK Developers
As far as I know, do not consent means non-personalized ads, not no ads.

Am I wrong?

Mobile Ads SDK Forum Advisor

Jan 16, 2024, 11:12:10 AM
to oscarts...@gmail.com, marse...@gmail.com, google-adm...@googlegroups.com
Hi Oscar,

See our Ad serving modes doc for the requirements to serve certain ads. In short, if a user does not consent, that will result in Limited ads. For everyone in this thread, please see our help center article that describes the flow for which message your users will see when using both GDPR + ATT.