Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
At Step 1, select the App option.
Answer some questions about your app.
Answer some questions about your business.
Apple now gives this requirement in its App Store Review Guidelines:
Apple also states that every iOS app must comply with local law:
Therefore, you must also comply with the privacy laws that apply in your region, and any other regions in which your app is available.
Here's how iPad photo editing app Pixelmator handles this:
- Disclose what user data you collect
- Explain how you collect user data
- Explain how you use user data
- Confirm that you only share user data with companies that have good privacy practices
- Disclose how long you store user data
- Explain how your users can revoke their consent to your use of their data
- Explain how your users can request you delete their data
We're going to explain each of these obligations and give examples so you can understand exactly what Apple requires.
What Data Your App Collects
Note that Apple uses the term "data." Due to the context, you can reasonably conclude that "data" includes "personal information" and you should apply a very broad definition of this term.
Bear in mind that Apple doesn't allow iOS apps to collect unnecessary or excess personal information. Your app should collect user data sparingly. This is stated in this section of the App Store Review Guidelines on "data minimization":
Here's how iOS app Drafts discloses the types of data it collects:
Drafts breaks down the types of data it collects into categories to make it easier for users to understand.
Note that even if your app doesn't transmit user data from the device, you should still disclose any permissions that your app requests.
How Your App Collects Data
Here's how Chemdata explains how it collects the data its users provide directly:
After this section, Chemdata describes how its app collects user data automatically:
How Your App Uses Data
Here's how Cultured Code explains its uses for the user data it collects:
Information About Sharing Data With Third Parties
Your app must be compliant with Apple's privacy standards. Therefore, any third party your app shares user data with must also be compliant with Apple's privacy standards.
Apple gives some examples of the types of companies it considers third parties:
- Analytics tools providers
- Advertising networks
- Third-party software development kit (SDK) providers
- Parent companies, subsidiaries, or other related entities
How Your Users Can Revoke Consent
Here's how Võrumaa Nutimängud explains how its users can revoke consent:
Your Data Retention Policy
Be as specific as possible here with your timeframe, and make sure you're disclosing your actual practices.
How Your Users Can Delete Their Data
However, Apple does require that you give users control over their data. Apple states this in a document called "Protecting the User's Privacy":
Enabling your users to request the deletion of their personal information is also a legal requirement under several privacy laws, including the GDPR and the CCPA.
Your app could provide the user with the ability to delete their data. Or you can invite your users to send you an email to make a deletion request.
Here's how the alarm clock app EY presents this type of information in its Privacy Statement:
After you meet Apple's requirements, there are further legal requirements you'll need to be familiar with.
Note: You must obey the privacy law of the regions where your users are based and not just where you are based.
| Region(s) in which your app is accessible | Examples of privacy laws you need to obey |
|---|---|
| United States | Effectively, the State of California sets privacy standards in the United States. As long as your app is accessible to California consumers, you must obey the state's strict privacy laws. All commercial websites and apps must comply with the California Online Privacy Protection Act (CalOPPA). Larger companies must comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). |
| Canada | Canada's privacy standards are also high. If your app has users in Canada, you must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). |
| Australia | If your app is accessible in Australia, you may be subject to Australia's main consumer privacy law, the Privacy Act of 1988. |
You can download these instructions as a PDF file.
Log in to your Apple App Store Connect account.
Select your app:
Under the General section, select App Privacy:
Apple explains this in its App Store Connect Help for bundles:
Users must click on the main Account icon to open the Account menu. From here, there's a Legal menu:
- What user data your app collects
- How you collect user data
- How you use user data
- Whether you only share user data with companies that have good privacy practices
- How long you retain user data
- How your users can revoke consent
- How your users can request you delete their user data