Complying With Apple's App Privacy Details

From December 8, 2020, iOS and tvOS app developers will need to provide Apple with detailed privacy information before uploading a new app or updating an existing app in the App Store.

Apple has a lot of questions for developers. Among other things, the company wants to help users understand how your app collects data, whether you link that data to your users, and which third parties have access to it.

Complying with the new rules will require an in-depth audit of how your app collects and uses data. Sounds daunting? Don't panic. We're here to walk you through the process.

Why is Apple Making These Changes?

Apple's new requirements come as consumers are becoming ever-more aware of how companies use their data, lawmakers are passing tougher privacy legislation, and regulators worldwide are increasingly scrutinizing big tech firms.

Apple has long been perceived as a more privacy-focused platform operator than its closest rivals, and it appears to be attempting to build on that reputation. With iOS 14, for example, apps must seek "opt-in" consent before tracking users' activity.

Now Apple wants you to provide more detailed privacy information to help users understand how your app treats their data. This information will also help Apple determine whether developers are complying with its App Store Review Guidelines.

What are the App Privacy Questions?

Apple's new requirements involve answering "App Privacy Questions" in App Store Connect. Only an account holder or admin can do this.

You'll be asked the App Privacy Questions when you upload a new app or update an existing app. For existing apps, you can answer the App Privacy Questions at any time by selecting an app in the "My Apps" section of App Store Connect and clicking "App Privacy" in the sidebar.

The App Privacy Questions require you to confirm whether you or your third-party partners collect data from your app, confirm what types of data you or your third-party partners collect, and then answer questions about your use of each type of data.

Preparing to Answer the App Privacy Questions

Here's a run-down of all the key concepts and definitions needed to help you prepare for answering the App Privacy Questions.

Important Considerations

When answering the App Privacy Questions, you should remember the following requirements:

  • You must provide comprehensive information about how you and your third-party partners collect and use app data. You're responsible for having a thorough understanding of your data flows and being completely honest about your practices.
  • Your app must comply with any privacy laws in the places where your users are based. These may include the California Consumer Privacy Act (CCPA), the EU or UK General Data Protection Regulation (GDPR), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Your app must also comply with Apple's App Store Review Guidelines, which include having an App Store-compliant Privacy Policy.
  • You must keep your answers up-to-date. You may need to return to the App Privacy section of App Store Connect if there is a change in the way in which your app collects or uses data.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the App option and click "Next step".
  3. Answer the questions about your mobile app and click "Next step" when finished.
  4. Answer the questions about your business practices and click "Next step" when finished.
  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

    You'll be able to instantly access and download your new Privacy Policy.

What Does "Collect" Mean?

How do you know if your app "collects" data? Here's how Apple defines "collect":

Apple App Privacy Details: Data Collection section - Definition of Collect

You're collecting data if:

  • Your app transmits data from a user's device
  • In a way that allows you and/or your third-party partners to access it
  • For a longer period than necessary for servicing the transmitted request in real time

You aren't collecting data if:

  • Your app doesn't transmit data from a user's device
  • Your app transmits data from the user's device, but you or your third-party partners only access it for the period necessary to service the transmitted request in real time, for example:

    • Your app sends an authentication token or IP address on a server call but you don't retain it
    • Your app sends data to your servers but you immediately delete it after servicing the request

What is a "Third-Party Partner?"

Does your app make data available to "third-party partners?" Here's how Apple defines "third-party partners":

Apple App Privacy Details: Data Collection section - Definition of third-party partners

Common iOS app third-party partners include:

  • Google Analytics
  • Google Sign-In
  • Google AdMob
  • Crashlytics (also owned by Google)
  • Facebook Analytics
  • Facebook Login
  • Facebook App Events
  • Facebook Share and Send dialogs
  • Facebook Graph API

What Types of Collected Data Do I Need to Disclose?

Apple requires you to disclose the following 14 types of data when answering the App Privacy Questions.

  • Contact information, such as:

    • First name
    • Last name
    • Email address
    • Hashed email address
    • Phone number
    • Hashed phone numbers
    • Physical address (e.g. home address, mailing address, billing address)
    • Contact details (any information that could be used to contact the user)
  • Health and fitness data, such as:

    • Any user-provided health and medical data
    • Clinical Health Records API data
    • HealthKit API data
    • MovementDisorderAPIs data
    • Health-related human subject research data
  • Financial information, such as:

    • Any form of payment data
    • Payment card number
    • Bank account number
    • Credit information
    • Credit score
    • Any form of financial information
    • Salary data
    • Income data
    • Asset data
    • Debt data
  • Location information, such as:

    • Precise location (data describing the location of the user or device with the same or greater resolution as latitude and longitude to three or more decimal places)
    • Coarse location (data describing the location of the user or device with lower resolution than latitude and longitude to three or more decimal places, e.g. Approximate Location Services)
  • Sensitive information, such as:

    • Race or ethnicity data
    • Sexual orientation data
    • Pregnancy or childbirth data
    • Disability data
    • Data about religious or philosophical beliefs
    • Data about trade union membership
    • Data about political opinion
    • Genetic data
    • Biometric data
  • Contacts information, such as:

    • Phone contacts list
    • Address book data
    • Social graph data
  • User content, such as:

    • Emails or text messages (including subject line, sender, recipient, contents)
    • Photos
    • Videos
    • Voice or sound recordings
    • Gameplay content
    • User-generated content
    • Customer support request data
  • Browsing history, such as:

    • Website visit data
    • Data about any content the user has viewed outside of the app
  • Search history (within the app)
  • Identifiers, such as:

    • User ID
    • Screen name
    • Handle
    • Account ID
    • Assigned user ID
    • Customer number
    • Any other user- or account-level ID that can be used to identify a specific user or account
    • Device ID
    • Ad ID
    • Any other device-level ID
  • Purchase history
  • Usage information, such as:

    • Product interaction data (e.g., app launches, taps, clicks, scrolling data, music-listening data, data about video views)
    • Save positions (in a game, video, or audio file)
    • Any other information about how the user interacts with the app
    • Advertising data (e.g., data about ad views and interactions)
  • Diagnostic information, such as:

    • Crash data
    • Crash logs
    • Performance data (e.g., launch time, hang rate, or energy use)
    • Any other data collected for measuring technical diagnostics
  • Any other types of data not mentioned above (including data entered in generic free form text fields)

What Uses of Data Do I Need to Disclose?

When answering the App Privacy Questions, you must disclose how you and your third-party partners use each type of data you collect.

Apple breaks down the possible uses of data into 6 categories:

  • Third-party advertising, such as:

    • Displaying third-party ads in your app
    • Sharing data with entities that display third-party ads
  • Developer's advertising or marketing, such as:

    • Displaying first-party ads in your app
    • Sending marketing communications directly to your users
    • Sharing data with entities that display your ads
  • Analytics, such as:

    • Evaluating user behavior
    • Understanding the effectiveness of existing product features
    • Planning new features
    • Measuring audience size or characteristics
  • Product personalization, such as:

    • Customizing what the user sees
    • Presenting a list of recommended products, posts, or suggestions
  • App functionality, such as:

    • Authenticating the user
    • Enabling features
    • Preventing fraud
    • Implementing security measures
    • Ensuring server up-time
    • Minimizing app crashes
    • Improving scalability and performance
    • Performing customer support
  • Any other data uses not listed above

What is "Data Linked to the User?"

For each type of data you disclose, Apple requires that you confirm whether the data is "linked to the user," either via you or your third-party partners.

You should generally assume that data collected from a user is linked to their identity unless you have taken proactive steps to remove identifiers.

For example, you have removed identifiers from data where:

  • You have stripped the data of direct identifiers, such as user IDs or names, before collecting it
  • You have manipulated the data to prevent it from being linked to identifiers

After you have deidentified the data, you must not:

  • Attempt to link the data back to the user
  • Tie the data to any datasets that might enable reidentification

Apple also notes that data is considered "linked to the user" if it can be defined as "personal information" or "personal data" under relevant privacy laws. This means that if you have users in regions with strict privacy regulations, such as the EU, you must take particular care to permanently remove the possibility of reidentification when anonymizing data.

For more information, see our article: What is Personal Information Under Privacy Laws?

What Does "Tracking" Mean?

You must disclose whether any data you collect is used for "tracking." Apple defines "tracking" in quite a broad way.

Apple App Privacy Details: Tracking section - Definition of Tracking

Apple identifies two types of "tracking," which we'll call "linking" and "sharing":

  • "Linking" means:

    • Linking the following two types of data:

      • Data collected from your app about a user or device, such as:

        • User ID
        • Device ID
        • Profile
      • Third-party data
    • For the purposes of either:

      • Targeted advertising, or
      • Advertising measurement
  • "Sharing" means:

    • Sharing data collected from your app about a user or device with a data broker

Here are some examples of tracking:

  • Showing targeted ads in your app based on data collected about users from third-party apps and websites (rather than simply displaying "contextual ads" that do not depend on user behavior)
  • Sharing data about a user's location or contact information with a data broker
  • Sharing contact information or identifiers with a third-party ad network that uses the data for retargeting purposes (e.g. to show users ads within other apps)
  • Using a third-party SDK that links data from your app with data from other apps for advertising or analytics purposes

These are very common activities, and Apple will soon require you to get opt-in user consent before you engage in them.

What is "Third-Party Data?"

Apple defines "third-party data" as "any data about a particular end-user or device collected from apps, websites, or offline properties not owned by you."

What is a "Data Broker?"

Apple doesn't define "data broker," and the term has different legal definitions in different places. In this context, a data broker is an entity that collects or aggregates personal information for commercial purposes, usually to sell it to advertisers.

When Do I Not Need to Disclose Data I Collect?

Apple identifies some types of data that are optional to disclose. This exemption is designed to allow you to provide optional feedback forms or customer service requests without Apple needing to disclose it to users before they download your app.

You may choose not to disclose your collection of data if it meets all of the following conditions:

  • The data is not used for:

    • Tracking
    • Advertising
    • Marketing
    • Third-party advertising
  • The data is only collected infrequently
  • The data is not collected as part of your app's primary functionality
  • The user has a choice regarding whether the data is collected
  • The data is provided by the user in your app's interface
  • It is clear to the user what data is being collected
  • The data is collected via a submission form that prominently displays the user's name or account name alongside the other data elements being submitted
  • The user affirmatively chooses to provide the data each time it is collected
  • The data is not collected on an ongoing basis after the initial permission request

If your collection of data only meets some of these criteria, you must disclose it to Apple.

Adding Privacy Links

In addition to answering the privacy questions, Apple asks you to provide two "privacy links":

  • Privacy Policy URL (Mandatory): You must provide a link to your Privacy Policy. You should ensure your Privacy Policy meets the App Store Privacy Policy requirements before submitting it to Apple.
  • Privacy Choices URL (Optional): You can also provide a link to your Privacy Choices page, where users can exercise their choices and rights over their data. You may be legally obliged to offer users privacy choices like this, for example under the EU General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA).

App Privacy Questions Summary Checklist

In preparation for answering the App Privacy Questions:

  • Make a list of each type of data you collect, divided into Apple's 14 data categories
  • Make a list of your third-party partners
  • Identify how you and your third-party partners use each type of data, divided into Apple's six data use categories
  • Confirm whether you link each type of data to the user
  • Confirm whether you use each type of data for tracking

You should also make sure your Privacy Policy meets Apple's requirements before submitting it.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.