App Tracking: Definition, Mechanisms & Privacy Rules

Define app tracking and how it links user data across applications. Explore IDFA usage, Apple's transparency rules, and measurement best practices.

App tracking is the process of collecting data from a mobile application about a user or device and linking it to information from third-party sources for targeted advertising, measurement, or data broker sharing. Starting in iOS 14.5, iPadOS 14.5, and tvOS 14.5 (Apple Support), Apple requires apps to obtain explicit user permission through the App Tracking Transparency framework (Apple Support) before tracking activity across other companies' apps and websites. For marketers, this determines access to the Identifier for Advertisers (IDFA) and directly impacts campaign attribution and audience targeting capabilities.

What is App Tracking?

App tracking refers to the practice of recording user activity and behavior across different contexts. Tracking occurs when information that identifies you or your device collected from an app is linked with information that identifies you or your device collected on apps, websites and other locations owned by third parties for the purposes of targeted advertising or advertising measurement (Apple Support), or when that information is shared with data brokers.

From an industry perspective, app tracking is the process of collecting data from an app (application) about the app user and/or device that is linked to other data collected by an ad network, website, or any other third-party data source for targeted advertising or measurement (Kochava). This includes data such as app downloads, device type, operating system, languages, and in-app events. While "tracking" and "data collection" are often used interchangeably, tracking specifically involves linking data across apps and sites you do not own to build user profiles for advertising or analysis.

Why App Tracking matters

  • Campaign measurement: Marketers rely on tracking to attribute app installs and in-app events to specific ad campaigns and understand which channels drive conversions.
  • Audience targeting: Tracking enables the creation of specific audience segments based on behavior across multiple apps and sites, allowing for retargeting and personalized ad delivery.
  • User profiling: Data linkage creates detailed profiles showing how much time users spend on certain content, their responses to ads, and interaction patterns that inform product decisions.
  • IDFA access: On Apple devices, tracking permission determines whether you can access the Identifier for Advertisers (IDFA), the system advertising identifier used for device-level attribution.
  • Compliance risk: Attempting to track without permission or using workarounds when users opt out violates platform policies and can result in loss of market access.

How App Tracking works

Apps implement tracking through several technical mechanisms that gather and link user information:

Device identifiers: Apps access unique codes such as the IDFA on Apple devices, International Mobile Equipment Identity (IMEI), Media Access Control (MAC) addresses, or general Advertising IDs to distinguish individual devices across networks.

Software Development Kits (SDKs): Third-party analytics services and SDKs integrate into apps to gather information about user behavior, demographics, and device characteristics, then transmit this data to external servers.

Cookies and tracking pixels: Web-based apps and mobile websites store cookies on devices to monitor activity. Tracking pixels embedded in emails or web pages record when users open content or visit specific URLs.

Permissions: Apps request access to device features such as GPS location, contacts, camera, microphone, and photos. While necessary for functionality like maps or social sharing, these permissions also feed data into tracking systems.

User accounts and social integration: When users sign in through social media platforms or create accounts, apps can track activity across multiple devices and link mobile behavior to web sessions.

Cross-app data linking: The core mechanism involves linking information collected from your app with data from third-party advertisers, data brokers, or other apps to build comprehensive user profiles for ad targeting.

Best practices

Customize permission prompts to explain value: When requesting tracking permission through App Tracking Transparency, clearly explain why the app needs to track. Apple allows developers to customize part of the message to describe specific benefits such as personalized content or supporting free features.

Respect system-level opt-outs: If a user selects "Ask App Not to Track," you cannot access the IDFA. You are also not permitted to track using other identifying information such as email addresses or device fingerprints as workarounds.

Audit third-party SDKs: Review which third-party analytics services and advertising SDKs collect data from your app. Remove unused tracking technologies and verify that active SDKs comply with current platform policies regarding data collection and retention.

Maintain transparent privacy policies: Provide clear details on your App Store product page about how you use data, including third-party sharing, advertising partners, and data retention policies. Vague policies erode user trust and increase opt-out rates.

Design for permission denial: Build attribution and analytics systems that function within privacy constraints. Ensure users can access full app capabilities regardless of tracking permission status, as required by platform guidelines.
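
The opt-out handling described in these practices, as an added Swift example (not code from the original page or from Apple). `AdTargetingMode`, `targetingMode(for:)` and `resolveTargetingMode` are hypothetical names; the `ATTrackingManager` and `ASIdentifierManager` calls are Apple framework APIs. It assumes the app's Info.plist sets `NSUserTrackingUsageDescription`, the customizable part of the prompt.

```swift
import Foundation
import AppTrackingTransparency
import AdSupport

/// How the ad layer may target this user (hypothetical type for this example).
enum AdTargetingMode {
    case behavioral(idfa: UUID)   // user allowed tracking; the IDFA may be used
    case contextual               // no cross-app identifier may be used
}

/// Maps the system's App Tracking Transparency status to a targeting mode.
/// Every status other than .authorized falls back to contextual ads, and no
/// substitute identifier (email, fingerprint) is read anywhere in this path.
@available(iOS 14, *)
func targetingMode(for status: ATTrackingManager.AuthorizationStatus) -> AdTargetingMode {
    switch status {
    case .authorized:
        let idfa = ASIdentifierManager.shared().advertisingIdentifier
        // The IDFA is all zeros when it is unavailable; treat that as "no identifier".
        let zero = UUID(uuidString: "00000000-0000-0000-0000-000000000000")!
        return idfa == zero ? .contextual : .behavioral(idfa: idfa)
    case .denied, .restricted, .notDetermined:
        // .restricted covers devices where the prompt cannot be shown,
        // for example managed devices or child accounts.
        return .contextual
    @unknown default:
        return .contextual
    }
}

/// Call once the app is active: the system only shows the prompt while the
/// app is in the foreground. App features must not depend on the result.
@available(iOS 14, *)
func resolveTargetingMode(completion: @escaping (AdTargetingMode) -> Void) {
    let current = ATTrackingManager.trackingAuthorizationStatus
    guard current == .notDetermined else {
        // The user (or device policy) already decided; do not ask again.
        completion(targetingMode(for: current))
        return
    }
    ATTrackingManager.requestTrackingAuthorization { status in
        DispatchQueue.main.async { completion(targetingMode(for: status)) }
    }
}
```

Only the ad-selection path consumes the returned mode, so the rest of the app behaves identically whether the user allows or denies tracking.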

Common mistakes

Mistake: Attempting to fingerprint devices using email addresses or hardware identifiers when IDFA is blocked. Fix: Apple explicitly prohibits tracking via alternative identifying information when users opt out through App Tracking Transparency. Use aggregated or probabilistic measurement methods that do not identify individual users.

Mistake: Assuming enterprise or managed devices allow tracking. Fix: Devices using configuration profiles, educational institution accounts, or child accounts (under 18) cannot enable "Allow Apps to Request to Track." Your attribution models should account for these gaps.

Mistake: Confusing necessary functional data with tracking. Fix: Location access for maps functionality or camera access for profile photos is data collection, not tracking. Tracking specifically involves linking that data with third-party sources for advertising. Only request tracking permission when necessary for cross-app measurement.

Mistake: Failing to update for iOS 14.5+ requirements. Fix: If your app targets iOS versions prior to 14.5, update your implementation immediately. Apps must ask for permission before tracking across other companies' apps and websites.

Mistake: Retaining unused apps with active tracking. Fix: Remove apps you no longer update or support. Unmaintained apps present security vulnerabilities and may use outdated tracking methods that violate current privacy standards.

Examples

Example scenario: An e-commerce app wants to measure the effectiveness of a Facebook ad campaign. Without App Tracking Transparency permission, the app cannot access the IDFA to deterministically attribute an in-app purchase to the ad click on the user's device. The marketer must rely on aggregate statistical models rather than user-level attribution.

Example scenario: A fitness app requests location permissions to map running routes. If the developer also shares this location data with ad networks to serve targeted advertisements for athletic gear in other apps, this triggers Apple's tracking definition. The app must display the permission prompt, and if the user denies it, the developer cannot use the location data for ad targeting purposes, though the mapping feature can still function.

Example scenario: A news app includes three third-party analytics SDKs and an advertising mediation platform. When a user opts out of tracking, the app continues to serve ads using contextual targeting (based on article content) rather than behavioral targeting (based on the user's history across other apps), maintaining revenue while respecting privacy settings.

FAQ

What is the difference between app tracking and analytics?

Tracking refers specifically to linking user or device data collected from your app with information from other companies' apps, websites, or data brokers for advertising or measurement. Analytics generally refers to first-party data collection about how users interact with your app only, which does not require App Tracking Transparency permission unless combined with third-party data sets.

Do I need permission to track on Apple devices?

Yes. Starting in iOS 14.5, iPadOS 14.5, and tvOS 14.5 (Apple Support), apps must ask for permission before tracking activity across other companies' apps and websites. If the user taps "Ask App Not to Track," you cannot access the IDFA or track using other identifying information.

What happens if a user opts out of tracking?

If a user denies tracking permission, the app developer cannot access the system advertising identifier (IDFA) on Apple devices. The app is not permitted to track that user's activity using other information that identifies the user or device, such as email addresses or device fingerprints. Users can still access the full capabilities of the app.

Can I track users without the IDFA?

You cannot deterministically track individual users across apps without the IDFA or equivalent device identifiers on other platforms. Some contextual or aggregated measurement methods exist, but user-level attribution requires the identifier or explicit tracking permission. Using workarounds like fingerprinting violates platform policies.

How do I know if my app is compliant with tracking policies?

Review your app's permissions and data flows. Check which third-party SDKs transmit data to external advertising networks or analytics platforms. Verify that you request tracking permission before any cross-app data sharing occurs, and ensure your privacy policy accurately reflects your data practices, including retention policies and third-party sharing agreements.

Is location tracking the same as app tracking?

Not necessarily. Location tracking is a specific type of data collection that uses GPS or network data to determine physical position. It becomes "app tracking" under Apple's definition only when that location data is linked with information from other companies' apps or websites for advertising, measurement, or data broker purposes. Location access for core app functionality (such as maps or safety features) does not require tracking permission.

What are the risks of not respecting tracking opt-outs?

Violating tracking policies can result in removal from the App Store or other platform penalties. Additionally, accumulated user data faces security breach risks, and privacy violations can damage brand reputation. Users may experience targeted advertising manipulation or privacy concerns that lead to uninstalls and negative reviews.
