I am on the final stretch before releasing my app on the App Store. I've been reading about the IDFA popup which raised some concerns regarding part of my functionality.
My app generates a random string (token) and saves it on-device and remotely in the back-end. Later, as part of the consecutive login process, I verify if there is a token on the device and whether it matches the one that is saved in the back-end (from the prev session). This allows me to find out if the user is logged in on a different device, or if they have shared their account details with someone else. If they did, I show a screen which tells them that they are using the app on a different device and if they want to continue to use the app on the current device. This generates a new token and saves it with their account details in the back-end. The purpose is to discourage users from sharing an account which grants them access to certain content. It has nothing to do with tracking for marketing purposes. Also the token is randomly generated and is not their device id.
Here are some excerpts that got me thinking that my app would get rejected based on the above functionality https://developer.apple.com/app-store/user-privacy-and-data-use/
If I have not received permission from a user via the tracking permission prompt, can I use an identifier other than the IDFA (for example, a hashed email address or hashed phone number) to track that user?
No. You will need to receive the user’s permission through the AppTrackingTransparency framework to track that user.
And
Can I fingerprint or use signals from the device to try to identify the device or a user?
No. Per the Apple Developer Program License Agreement, you may not derive data from a device for the purpose of uniquely identifying it. Examples of user or device data include, but are not limited to: properties of a user’s web browser and its configuration, the user’s device and its configuration, the user’s location, or the user’s network connection. Apps that are found to be engaging in this practice, or that reference SDKs (including but not limited to Ad Networks, Attribution services, and Analytics) that are, may be rejected from the App Store.
My questions to people who are familiar with the process are - would the described functionality lead to rejection? Do I have to show the tracking prompt? If yes and users respond with "Do not track" do I have to disable the described functionality.