Last updated on 03 June 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Apple now gives this requirement in its App Store Review Guidelines:
Apple also states that every iOS app must comply with local law:
Therefore, you must also comply with the privacy laws that apply in your region, and any other regions in which your app is available.
Perhaps your iPhone app doesn't transfer any user data away from your users' devices. After all, if you don't need to collect user data or personal information, you should not do so.
Here's how iPad photo editing app Pixelmator handles this:
We're going to explain each of these obligations and give examples so you can understand exactly what Apple requires.
Note that Apple uses the term "data." Due to the context, you can reasonably conclude that "data" includes "personal information" and you should apply a very broad definition of this term.
Bear in mind that Apple doesn't allow iOS apps to collect unnecessary or excess personal information. Your app should collect user data sparingly. This is stated in this section of the App Store Review Guidelines on "data minimization":
Here's how iOS app Drafts discloses the types of data it collects:
Drafts breaks down the types of data it collects into categories to make it easier for users to understand.
Note that even if your app doesn't transmit user data from the device, you should still disclose any permissions that your app requests.
Depending on what your app does, it might collect user data by requesting it (e.g., names, usernames, email addresses) or by collecting it automatically (e.g., device data, usage data, location data).
Here's how Chemdata explains how it collects the data its users provide directly:
After this section, Chemdata describes how its app collects user data automatically:
Here's how Cultured Code explains its uses for the user data it collects:
Apple places strict rules on how developers share user data with third parties.
Your app must be compliant with Apple's privacy standards. Therefore, any third party your app shares user data with must also be compliant with Apple's privacy standards.
Apple gives some examples of the types of companies it considers third parties:
Apple's App Store Review Guidelines state that you must only collect user data with consent. If a user revokes consent, you must stop collecting their data.
Here's how Võrumaa Nutimängud explains how its users can revoke consent:
You must not keep user data longer than you need it. This means thinking carefully about how long you need to store user data and, if necessary, creating a retention schedule.
Be as specific as possible here with your timeframe, and make sure you're disclosing your actual practices.
This implies that you must offer users a way to delete any user data you hold on them. Apple doesn't explicitly state that you need to do this in its App Store Review Guidelines.
However, Apple does require that you give users control over their data. Apple states this in a document called "Protecting the User's Privacy":
Your app could provide the user with the ability to delete their data. Or you can invite your users to send you an email to make a deletion request.
Here's how the alarm clock app EY presents this type of information in its Privacy Statement:
After you meet Apple's requirements, there are further legal requirements you'll need to be familiar with.
Note: You must obey the privacy law of the regions where your users are based and not just where you are based.
| Region(s) in which your app is accessible: | Examples of privacy laws you need to obey: |
|---|---|
| United States | Effectively, the State of California sets privacy standards in the United States. As long as your app is accessible to California consumers, you must obey the state's strict privacy laws. All commercial websites and apps must comply with the California Online Privacy Protection Act (CalOPPA). Larger companies must comply with the California Consumer Privacy Act (CCPA). There's also the California Privacy Rights Act (CPRA). |
| Canada | Canada's privacy standards are also high. If your app has users in Canada, you must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). |
| Australia | If your app is accessible in Australia, you may be subject to Australia's main consumer privacy law, the Privacy Act of 1988. |
To get your app hosted in the App Store, you first need to add it to your App Store Connect account.
Apple explains this in its App Store Connect Help for bundles:
Users must click on the main Account icon to open the Account menu. From here, there's a Legal menu: