What App Tracking Transparency Actually Governs

ATT is a permission gate that Apple enforces in iOS and iPadOS. When an app wants to access the device's Identifier for Advertisers (IDFA) or perform tracking that links the user across apps and websites owned by other operators, it must call requestTrackingAuthorization and surface a system prompt that asks the user to allow or deny tracking. The user's response is binary, persistent until they change it in Settings, and visible to the app through the trackingAuthorizationStatus API.

Apple's Definition of Tracking

Apple's developer guidance defines tracking specifically and narrowly: linking user or device data collected from your app with user or device data collected from other companies' apps, websites, or offline properties for targeted advertising or measurement, or sharing user or device data with data brokers. The definition deliberately excludes first-party use of data inside the app, anonymous aggregate analytics, and processing for fraud prevention or legal compliance — those activities do not require an ATT prompt regardless of whether the user has granted it.

What ATT Does Not Do

ATT is not a consent management system in the GDPR sense. It does not collect granular purpose preferences, it does not record a consent receipt with policy versioning, it does not propagate signals to web vendors inside a WKWebView, and it does not satisfy the lawful-basis requirement for storing or reading cookies on a user's device. A publisher who treats the ATT prompt as their entire compliance posture for a hybrid app is one regulator letter away from a fine, because the cookie load inside the web view is a separate event under ePrivacy and needs its own consent layer.

How GDPR and ePrivacy Apply Inside a WKWebView

The web view inside a hybrid app is not magically exempt from the rules that apply to a desktop browser. The moment the WKWebView reads or writes a cookie that is not strictly necessary, ePrivacy is triggered. The moment the WKWebView fires an analytics or advertising request that carries personal data, GDPR is triggered. Apple's container does not change the analysis — what changes is the implementation surface, because the consent banner has to render inside the web view and the consent state has to be visible to native code that may also be reading the same data.

The Banner Inside the Web View

The standard pattern is to render a CMP banner inside the WKWebView the same way you would on a website. The banner sets cookies on the web view's cookie store, fires a consent-update event into the page's JavaScript context, and updates a Google Consent Mode v2 state machine that the page's analytics and advertising tags read. The implementation is not different from a normal web CMP — what is different is that the cookie store is scoped to the WKWebView and is not visible to other apps or to Safari, which is helpful for isolation but unhelpful if the publisher also runs a website where the user has already consented.

Sharing Consent Between the Web View and the Native Shell

The harder problem is the bridge between the WKWebView and the native shell. The native shell may have its own analytics SDK that reads the IDFA after the user has granted ATT, while the web view has its own consent banner that the user may or may not have accepted. If the user grants ATT but rejects advertising consent in the web view, the native SDK can still read the IDFA but the web view's tags must not. If the user denies ATT but accepts the web view's advertising consent, the native SDK is blocked but the web view's tags should still fire — though the native SDK's IDFA-based identifier obviously cannot pass through the bridge. The cleanest pattern is a single source of truth — the CMP — exposed through a JavaScript bridge that the native shell reads on app start and on every consent change, with a parallel ATT prompt that defers to the CMP's advertising decision rather than asking again.

The CPRA and US State Layer

For US publishers the picture has a third layer. CPRA, plus the cluster of state laws that followed Virginia, Colorado, Connecticut, and Utah, treat the IDFA the same way they treat web cookies — both are personal information whose sale or share triggers an opt-out right. The Global Privacy Control header that web browsers send is the consumer-facing signal, and the IAB's Multi-State Privacy Agreement (MSPA) with its associated US Privacy String is the publisher-facing signal. A hybrid app that ships in the US needs to expose a 'Do Not Sell or Share My Personal Information' link inside the app itself, route the resulting opt-out into both the web view's CMP and the native shell's measurement SDK, and respect any inbound GPC header that arrives at the web view from a deep link.

Children and COPPA Inside Hybrid Apps

If the app is rated for children or has any reasonable expectation of child users, COPPA in the US and the GDPR-K provisions in the EU pile additional restrictions on top of ATT and standard consent. The IDFA must not be requested at all for child accounts, the web view's advertising consent must default to deny, and any third-party SDK in the native shell must be confirmed COPPA-compliant before it ships. App Store review rejects child-rated apps that show the standard ATT prompt, which is a common implementation mistake when teams build a single binary for all audiences.

The Engineering Pattern That Ships

The hybrid app architecture that survives both App Store review and an EU privacy audit has a small number of repeatable elements. The CMP banner inside the WKWebView is the source of truth for advertising consent. The ATT prompt is shown only after the CMP has resolved, only if the user accepted advertising consent, and only with a custom pre-prompt that explains what tracking will enable. A JavaScript bridge exposes the CMP's consent state to the native shell on app start and emits an event on every consent change. The native shell's SDKs are gated on both the CMP advertising consent and the ATT authorisation status; either one denying the request is enough to block the SDK.

Pre-Prompts and the Apple Guideline

Apple permits — and in practice expects — a pre-prompt before the ATT system prompt that explains in publisher voice why the app wants tracking and what the user gets in return. A well-written pre-prompt can lift opt-in rates substantially. What Apple does not permit is a pre-prompt that tries to bypass the system prompt, that misrepresents the consequences of denial, or that conditions app functionality on tracking authorisation. Reviewers reject apps for all three patterns and increasingly for using the pre-prompt to nudge towards opt-in with manipulative copy.

Server-Side and SKAdNetwork as Fallbacks

When ATT is denied or advertising consent is rejected in the web view, the publisher can still fall back to SKAdNetwork for attribution — Apple's privacy-preserving network that delivers conversion data without exposing individual user identifiers. SKAdNetwork is not subject to ATT and works regardless of the user's consent decision, which makes it the right default for measurement when the personalised path is closed. Server-to-server postbacks from the native shell to a publisher-owned identity service can also fill the measurement gap, provided the data is genuinely first-party and is not joined with other operators' data in a way that pulls it back into Apple's tracking definition.

Common Mistakes That Trigger Rejections or Audits

The hybrid apps that get pulled or fined tend to fail in the same handful of ways. The CMP banner inside the WKWebView fires before the ATT prompt has been resolved, putting cookies on the device while Apple's permission is still pending — a finding that can result in App Store rejection. The ATT prompt is shown without a pre-prompt and on cold start, producing low opt-in rates and a confusing user experience that increases churn. The native shell's analytics SDK reads the IDFA before the CMP has fired its first consent event, putting personal data on the wire under no clear lawful basis. The web view's consent state and the native shell's authorisation state are kept in separate stores with no synchronisation, producing a user who has rejected advertising in the web view but whose native ad SDK is still firing. Each of these is a fix of one to two engineering days and a regression test pass — but each is also the exact pattern an auditor or a reviewer opens with.

The Bottom Line

ATT and cookie consent are not redundant overlays. ATT is a permission gate scoped to a specific iOS API, and cookie consent is a lawful basis for processing data inside any browser-class environment, including a WKWebView. A hybrid app needs both, wired together so the user sees one coherent decision rather than two contradictory prompts, and so the native shell and the web view honour the same answer. The publishers who get this right ship apps that pass review, monetise reliably, and never appear in a regulator's enforcement summary. The publishers who treat ATT as the whole answer or who let the web view consent and the native shell drift apart spend 2026 alternating between App Store review meetings and audit response letters. Build the bridge once, treat the CMP as the source of truth, and let ATT be the iOS-specific lock on top of a privacy posture that is already coherent at the web layer.