ATT nutrition label and actual tracking scope are consistent
Why it matters
The NSUserTrackingUsageDescription wording is a legal representation of your tracking scope that users see before deciding whether to grant ATT consent. Understating the scope — claiming 'for measurement' when the SDK also performs cross-app behavioural targeting — misleads users and violates GDPR Art.5(1)(a) (lawfulness, fairness, transparency) and CCPA §1798.100. Apple cross-checks the description against the App Store nutrition label's 'Data Used to Track You' section, and mismatches trigger rejection. Declaring SKAdNetwork-only measurement while simultaneously passing the IDFA to the same ad network makes the privacy-preserving claim false.
Severity rationale
High because misrepresenting the tracking scope in the usage description is a policy violation that triggers rejection and grounds for app removal if discovered post-publication.
Remediation
Write a tracking description that covers every purpose: ad personalisation, cross-app measurement, attribution, and any analytics use involving the IDFA. Example:
"Your device identifier is used to show you ads relevant to your interests, measure ad effectiveness, and attribute app installs to ad campaigns."
Audit each ad SDK's actual data use against the description. If you want to simplify compliance, switch to SKAdNetwork-only mode — many ad networks support privacy-preserving attribution that does not require ATT consent at all. Verify SKAdNetworkItems in Info.plist and confirm the same networks are not also receiving IDFA directly, which would make the SKAdNetwork-only claim false.
Detection
- ID: att-label-consistency
- Severity: high
- What to look for: Count all relevant instances and enumerate each. Cross-reference NSUserTrackingUsageDescription wording against what tracking actually happens. The usage description must accurately describe the tracking purpose. Also check that the App Store nutrition label's "Data Used to Track You" section lists every data type shared with ad networks. Common mismatches: description says "personalized ads" but SDK also does cross-app analytics; description says "measurement" (implying SKAdNetwork-style, non-identifying measurement) but IDFA is actually shared with a third party for targeting; app says it does not track but ad SDK is initialized with IDFA access. Also look for multiple ad networks — each one's tracking scope must be reflected. Check SKAdNetworkItems in Info.plist: if SKAdNetworkIdentifiers are declared, those networks use SKAdNetwork (privacy-preserving) — make sure those networks are NOT also reading IDFA directly, which would make them full-tracking rather than SKAdNetwork-only.
- Pass criteria: NSUserTrackingUsageDescription accurately describes all tracking uses. At least 1 implementation must be verified. App Store nutrition labels declare all data types shared with ad networks. There is no discrepancy between stated and actual tracking scope.
- Fail criteria: Description says "for personalized ads" but SDK does cross-app analytics; labels claim no tracking but IDFA is shared; SKAdNetwork-only claimed but IDFA is also passed to the same network.
- Skip (N/A) when: No tracking or advertising SDKs present and NSUserTrackingUsageDescription is not set.
- Detail on fail: "NSUserTrackingUsageDescription says 'for relevant ads' but AppsFlyer SDK also performs cross-app attribution tracking — the description understates the tracking scope" or "SKAdNetworkItems declared for Google but GADMobileAds is initialized with IDFA — this is full tracking, not SKAdNetwork-only"
- Remediation: Misrepresenting tracking scope in the usage description is a policy violation and grounds for app removal.
  - Write a complete, accurate tracking description that mentions all purposes: "Your device identifier is used to show you ads relevant to your interests, measure ad effectiveness, and attribute app installs to ad campaigns."
  - Review each ad SDK's actual data use against your declared tracking description
  - Consider using SKAdNetwork-only mode (no IDFA) to simplify compliance — many ad networks support this
  - Review the configuration in the src/ or app/ directory for implementation patterns.
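As an added example (not code from this rule page or from any ad SDK), a small Python check that parses a constructed Info.plist and Swift snippet and flags the mismatches listed above: an IDFA read with no description, SKAdNetworkItems declared while the IDFA is read directly, and a description that names only some purposes. The IDFA-access patterns and purpose keywords are assumptions to extend per SDK.

```python
import plistlib
import re

# Constructed sample Info.plist (not from any real app): a measurement-only ATT
# description alongside SKAdNetworkItems, i.e. a claimed SKAdNetwork-only setup.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSUserTrackingUsageDescription</key>
  <string>Used to measure ad effectiveness.</string>
  <key>SKAdNetworkItems</key>
  <array><dict><key>SKAdNetworkIdentifier</key>
  <string>PLACEHOLDER.skadnetwork</string></dict></array>
</dict></plist>"""

# Constructed sample Swift source that reads the IDFA directly.
SAMPLE_SOURCE = """
import AdSupport
let idfa = ASIdentifierManager.shared().advertisingIdentifier.uuidString
"""

# Direct IDFA access in Swift/Objective-C source (assumed patterns; extend per SDK).
IDFA_READ = re.compile(r"advertisingIdentifier|ASIdentifierManager")
# Keywords taken as evidence that the description names each tracking purpose.
PURPOSES = {
    "personalisation": re.compile(r"relevant|personali[sz]ed|interests", re.I),
    "measurement": re.compile(r"measur", re.I),
    "attribution": re.compile(r"attribut|install", re.I),
}

def check_att_consistency(plist_bytes, source_text):
    """Return findings (strings) where declared and actual tracking scope disagree."""
    info = plistlib.loads(plist_bytes)
    description = info.get("NSUserTrackingUsageDescription", "")
    skan_ids = [i.get("SKAdNetworkIdentifier") for i in info.get("SKAdNetworkItems", [])]
    reads_idfa = bool(IDFA_READ.search(source_text))
    findings = []
    if not reads_idfa:
        return findings  # no IDFA access found: nothing to cross-check here
    if not description:
        findings.append("IDFA read but NSUserTrackingUsageDescription is not set")
    if skan_ids:
        findings.append("SKAdNetworkItems declared but IDFA is read directly: "
                        "not SKAdNetwork-only")
    missing = [p for p, rx in PURPOSES.items() if not rx.search(description)]
    if description and missing:
        # Heuristic: an IDFA handed to an ad SDK usually serves all three purposes,
        # so a description naming only some of them needs a manual audit.
        findings.append("description omits purposes: " + ", ".join(missing))
    return findings
```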
External references
- gdpr · Art.13 — Information to be provided where personal data are collected from the data subject
- gdpr · Art.5(1)(a) — Lawfulness, fairness and transparency
- ccpa · §1798.100 — Right to know about personal information collected
Taxons
History
- 2026-04-18 · v1.0.0 · Initial import from app-store-privacy-data · automated