iOS App Tracking · howto
Including Onesecondbefore's consent solution in a mobile app requires additional steps to make sure your app follows Apple's App Store Review guidelines. As Apple's guidelines do not map one on one with Europe's GDPR requirements you will have to show both the App Tracking Request and the CMP. You basically have the following two options:
- Recommended consent flow
First ask if you can use the ID for Advertisers with an App Tracking Request. The consent dialogue will be shown after. No changes to the consent dialogue will be made depending on the answer on the App Tracking Request.
- Alternative consent flow
First show the consent dialogue. Depending on the consent given by the user, you can show the App Tracking Request or go straight to the app. A disadvantage of this approach is that it is not possible to resurface the App Tracking Request at will, e.g. after a resurface of the consent dialogue, e.g. due to an update on the cookie policy or a user changes his mind.
Open WebView with consent page
- Open a (fullscreen) WebView with the URL of the consent page as specified by OSB support. Do this only when consent has not been given previously (it either is not stored in
UserDefaultsor its value has expired). Add a WebKit messageHandler
osbCmpMessageHandlerthat accepts three parameters:consent(stringified JSON object)The IAB TCF consent object with the following members:
Name Description tcStringThe IAB TCF consent string. Should be stored in the UserDefaultsobjectpurposesAn array of consented purpose id's (integer 1-11) legitimateInterestsAn array of legitimate interest id's (integer 1-11) specialFeaturesAn array of special feature id's (integer 1-2) vendorConsentsAn array of vendor id's for which consent has been given (integer) vendorLegitimateInterestsAn array of vendor id's for which legitimate interest has been consented (integer) cduid(string)The cross-domain user-id, either the IDFA (if authorized, see above), or the IDFV.
expirationDate(number)The date until which this consent is valid in milliseconds since 1970-01-01. If consent has expired, the WebView should be shown again. Its value should be stored in the
UserDefaultsobject.
This WebKit messageHandler will be called using client-side JavaScript in the WebView as follows:
window.webkit.messageHandlers.osbCmpMessageHandler.postMessage({ consent, // JSON object as String cduid, // String expirationDate // Number });Parse the JSON in the consent string and store the
tcStringandexpirationDatemembers inUserDefaultsIf the user consented to any advertising, social or marketing purposes (e.g. IAB purposes 2-6), ask for Apple App Tracking (see below).
Pass the
tcStringto any Ad provider that requires it using their own API.
Apple App Tracking consent
Requesting App Tracking consent is done with ATTrackingManager.requestTrackingAuthorization, available since iOS 14.
Only after the user has authorized this request is Onesecondbefore's SDK allowed to access the Identifier for Advertisers (IDFA).
The SDK will never call the ATTrackingManager.requestTrackingAuthorization on its own and it's the responsibility of
the app developer to include this call during the start up phase of the app.
Additionally, the app's Info.plist should contain the following key/value pair:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSUserTrackingUsageDescription</key>
<string>User-friendly text why you are requesting app tracking</string>
...