The mechanism is a single OS-level prompt. Any app that wants to read the IDFA (Identifier for Advertisers) for cross-app tracking must first call requestTrackingAuthorization and receive an authorized result. The prompt copy — “Allow [App] to track your activity across other companies’ apps and websites?” with a deny button labeled “Ask App Not To Track” — is set by Apple, not the app, and Apple enforces compliance through App Store review. Industry reporting from the mobile measurement partners has converged on a wide opt-in range — roughly a quarter to a third of prompted users — with substantial variance by app category, geography, and how and when the prompt is shown. Treat any single percentage as directional.
Operators routinely conflate ATT with “the cookie deprecation,” but the scope is narrower. ATT governs iOS app access to the IDFA; it does not directly govern web tracking. That sits in a different regime: Safari’s Intelligent Tracking Prevention has restricted third-party cookies for years, while Chrome continues to permit them, with cookie preferences exposed through browser settings. Nor does ATT eliminate ad measurement on iOS — SKAdNetwork, Apple’s privacy-preserving attribution API, continues to return aggregated, delayed conversion postbacks for users who decline the prompt.
For DTC operators, ATT is one of several overlapping privacy-era pressures — alongside ITP, ongoing web-tracking changes, and platform attribution model changes — that have moved measurement toward server-side tagging, the Conversions API, and infrastructure built on first-party data. It is part of why MER and incrementality testing have risen alongside platform attribution as preferred top-line reads. The operator move is to design measurement for the world these shifts created, not to chase the fidelity that’s gone.