24 December 2020
From December 8, 2020, iOS and tvOS app developers will need to provide Apple with detailed privacy information before uploading a new app or updating an existing app in the App Store.
Apple has a lot of questions for developers. Among other things, the company wants to help users understand how your app collects data, whether you link that data to your users, and which third parties have access to it.
Complying with the new rules will require an in-depth audit of how your app collects and uses data. Sounds daunting? Don't panic. We're here to walk you through the process.
Apple's new requirements come as consumers are becoming ever-more aware of how companies use their data, lawmakers are passing tougher privacy legislation, and regulators worldwide are increasingly scrutinizing big tech firms.
Apple has long been perceived as a more privacy-focused platform operator than its closest rivals, and it appears to be attempting to build on that reputation. With iOS 14, for example, apps must seek "opt-in" consent before tracking users' activity.
Now Apple wants you to provide more detailed privacy information to help users understand how your app treats their data. Having this information will also inform whether developers are complying with its App Store Review Guidelines.
Apple's new requirements involve answering "App Privacy Questions" in App Store Connect. Only an account holder or admin can do this.
You'll be asked the App Privacy Questions when you upload a new app or update an existing app. For existing apps, you can answer the App Privacy Questions at any time by selecting an app in the "My Apps" section of App Store Connect and clicking "App Privacy" in the sidebar.
The App Privacy Questions require you to confirm whether you or your third-party partners collect data from your app, confirm what types of data you or your third-party partners collect, and then answer questions about your use of each type of data.
Here's a run-down of all the key concepts and definitions needed to help you prepare for answering the App Privacy Questions.
When answering the App Privacy Questions, you should remember the following requirements:
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
How do you know if your app "collects" data? Here's how Apple defines "collect":
You're collecting data if:
You aren't collecting data if:
Your app transmits data from the user's device, but you or your third-party partners only access it for the period necessary to service the transmitted requested in real time, for example:
Does your app make data available to "third-party partners?" Here's how Apple defines "third-party partners":
Common iOS app third-party partners include:
Apple requires you to disclose the following 14 types of data when answering the App Privacy Questions.
Contact information, such as:
Health and fitness data, such as:
Financial information, such as:
Location information, such as:
Sensitive information, such as:
Contacts information, such as:
User content, such as:
Browsing history, such as:
Identifiers, such as:
Usage information, such as:
Diagnostic information, such as:
When answering the App Privacy Questions, you must disclose how you and your third-party partners use each type of data you collect.
Apple's breaks down the possible uses of data into 6 categories:
Third-party advertising, such as:
Developer's advertising or marketing, such as:
Analytics, such as:
Product personalization, such as:
App functionality, such as:
For each type of data you disclose, Apple requires that you confirm whether the data is "linked to the user," either via you or your third-party partners.
You should generally assume that data collected from a user is linked to their identity unless you have taken proactive steps to remove identifiers.
Examples of steps you can take to remove identifiers from data include where:
After you have deidentified the data, you must not:
Apple also notes that data is considered "linked to the user" if it can be defined as "personal information" or "personal data" under relevant privacy laws. This means that if you have users in regions with strict privacy regulations, such as the EU, you must take particular care to permanently remove the possibility of reidentification when anonymizing data.
For more information, see our article: What is Personal Information Under Privacy Laws?
You must disclose whether any data you collect is used for "tracking." Apple defines "tracking" in quite a broad way.
Apple identifies two types of "tracking," which we'll call "linking" and "sharing":
Linking the following two types of data:
Data collected from your app about a user or device, such as:
For the purposes of either:
Here are some examples of tracking:
These are very common activities, and Apple will soon require you to get opt-in user consent before you engage in them.
Apples defines "third-party data" as "any data about a particular end-user or device collected from apps, websites, or offline properties not owned by you."
Apple doesn't define "data broker," and the term has different legal definitions in different places. In this context, a data broker is an entity that collects or aggregates personal information for commercial purposes, usually to sell it to advertisers.
Apple identifies some types of data that are optional to disclose. This exemption is designed to allow you to provide optional feedback forms or customer service requests without Apple needing to disclose it to users before they download your app.
You may choose not to disclose your collection of data if it meets all of the following conditions:
The data is not used for:
If your collection of data only meets some of these criteria, you must disclose it to Apple.
In addition to answering the privacy questions, Apple asks you to provide two "privacy links":
In preparation for answering the App Privacy Questions: