Last updated on 21 January 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
This article will help you understand:
Apple now gives this requirement in its App Store Review Guidelines:
Apple also states that every iOS app must comply with local law:
Therefore, you must also comply with the privacy laws that apply in your region, and any other regions in which your app is available.
Perhaps your iPhone app doesn't transfer any user data away from your users' devices. After all, if you don't need to collect user data or personal information, you should not do so.
Here's how iPad photo editing app Pixelmator handles this:
We're going to explain each of these obligations and give examples so you can understand exactly what Apple requires.
Note that Apple uses the term "data." Due to the context, you can reasonably conclude that "data" includes "personal information" and you should apply a very broad definition of this term.
Apple doesn't provide a definitive list of what types of information it considers "personal information." It does give some examples of personal information in a guidance document called Requesting Permission:
Apple considers at least the following types of data to be personal information:
Bear in mind that Apple doesn't allow iOS apps to collect unnecessary or excess personal information. Your app should collect user data sparingly. This is stated in this section of the App Store Review Guidelines on "data minimization":
Here's how iOS app Drafts discloses the types of data it collects:
Drafts breaks down the types of data it collects into categories to make it easier for users to understand.
Note that even if your app doesn't transmit user data from the device, you should still disclose any permissions that your app requests.
Depending on what your app does, it might collect user data by requesting it (e.g., names, usernames, email addresses) or by collecting it automatically (e.g., device data, usage data, location data).
Here's how Chemdata explains how it collects the data its users provide directly:
Here's how Cultured Code explains its uses for the user data it collects:
Apple places strict rules on how developers share user data with third parties.
Your app must be compliant with Apple's privacy standards. Therefore, any third party your app shares user data with must also be compliant with Apple's privacy standards.
Apple gives some examples of the types of companies it considers third parties:
Apple's App Store Review Guidelines states that you must only collect user data with consent. If a user revokes consent, you must stop collecting their data.
Here's how Kinemaster explains how its users can revoke consent:
For example, if you ask for a user's email address to send them your newsletter, they should be able to withdraw consent for this at any time.
Here's how the translation app company evolly.app explains this:
You must not keep user data longer than you need it. This means thinking carefully about how long you need to store user data and, if necessary, creating a retention schedule.
Be as specific as possible here with your timeframe, and make sure you're disclosing your actual practices.
This implies that you must offer users a way to delete any user data you hold on them. Apple doesn't explicitly state that you need to do this in its App Store Review Guidelines.
However, Apple does require that you give users control over their data. Apple states this in a document called "Protecting the User's Privacy:"
Your app could provide the user with the ability to delete their data. Or you can invite your users to send you an email to make a deletion request.
Note that alarm clock users only need to contact the company if they want to delete backup data (which is stored remotely). To delete locally-stored data, users can simply delete the app.
Note: You must obey the privacy law of the regions where your users are based and not just where you are based.
|Region(s) in which your app is accessible:||Privacy law you need to obey:|
Effectively, the State of California sets privacy standards in the US. As long as your app is accessible to California consumers, you must obey the state's strict privacy laws.
All commercial websites and apps must comply with the California Online Privacy Protection Act (CalOPPA).
Larger companies must comply with the California Consumer Privacy Act (CCPA). This is currently the strictest privacy law in the US.
Canada's privacy standards are also high. If your app has users in Canada, you must comply with the Personal Information Processing and Electronic Documents Act (PIPEDA).
|Australia||If your app is accessible in Australia, you may be subject to Australia's main consumer privacy law, the Privacy Act of 1988.|
To get your app hosted in the App Store, you first need to add it to your App Store Connect account.
Apple explains this in its App Store Connect Help for bundles:
The Kindle app's "Settings" menu contains an "Other" option where the Privacy Notice is linked along with other legal agreements and information: