Skip to main content

Does Your App Track Users that Opted-out of Tracking?

By , and October 26, 2021October 28th, 2022Insights

In April 2020, Apple rolled out the App Tracking Transparency (“ATT”) framework, prompting legal and development teams to identify apps that “track”, as defined by Apple, users or access the IDFA and implement the ATT framework accordingly. See here for the NT Analyzer blog post. Technically, if a consumer chooses to opt-out of tracking, the app should no longer “track” the user.  However, a new study by a transparency-focused privacy software company confirms that some apps continue to transmit data to third parties despite users having opted-out of “tracking” under ATT.  The study tested 10 popular apps and discovered that some continue to track even though those users have “ask[ed] app not to track” when presented with the ATT pop-up.

Business Implications

The study serves as a cautionary tale to businesses. Continuing to track users against the user’s consent could cause issues for companies, including potential reputational harm and enforcement actions as a result of misrepresentations regarding data practices.  Indeed, companies that do not have a clear understanding of their apps’ data flows are especially vulnerable to the risk of violating privacy laws.

How can we help?

Through NT Analyzer, we work with clients on a daily basis to help identify and mitigate these problems to help them comply with their data privacy obligations.  For example, NT Analyzer allows organizations to see all third parties and data associated with their mobile app or website, enabling them to manage data privacy risk by either entering into relevant agreements or removing the third parties from their mobile app or website.


Steven Roosa

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.

More posts by Steven Roosa
Steven Roosa

Author Wenda Tang

Wenda Tang is a lawyer in the Washington, DC office, where she is part of the Data Protection, Privacy and Cybersecurity practice group. Wenda focuses on drafting and interpreting technology-related contracts, including insertion orders, service provider addendums, DPAs, advertising agreements, and non-disclosure agreements. She also assists clients in complying with data protection and privacy laws, such as the CCPA, GDPR, HIPAA, GLBA, COPPA, CAN-SPAM Act, and TCPA.

More posts by Wenda Tang
Steven Roosa

Author Nicole Sakin

Nicole Sakin is an associate in Norton Rose Fulbright's Information Governance, Privacy and Cybersecurity practice group in the Washington, DC office. Nicole advises clients on compliance with data protection and privacy laws, including COPPA, GLBA, HIPAA, TCPA, VPPA, FTC Act, and CCPA/CPRA and other state privacy laws. Nicole has experience with drafting applicable disclosures, privacy policies, and operational controls, as well as advising clients on building and implementing their privacy compliance programs across all stages of the development lifecycle. She also assists clients with drafting and interpreting technology-related contracts, including insertion orders, service provider addendums, and data protection agreements/addendums.

More posts by Nicole Sakin