Last updated on 28 September 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Apple now gives this requirement in its App Store Review Guidelines:
Apple also states that every iOS app must comply with local law:
Therefore, you must also comply with the privacy laws that apply in your region, and any other regions in which your app is available.
Here's how iPad photo editing app Pixelmator handles this:
We're going to explain each of these obligations and give examples so you can understand exactly what Apple requires.
Note that Apple uses the term "data." Due to the context, you can reasonably conclude that "data" includes "personal information" and you should apply a very broad definition of this term.
Bear in mind that Apple doesn't allow iOS apps to collect unnecessary or excess personal information. Your app should collect user data sparingly. This is stated in this section of the App Store Review Guidelines on "data minimization":
Here's how iOS app Drafts discloses the types of data it collects:
Drafts breaks down the types of data it collects into categories to make it easier for users to understand.
Note that even if your app doesn't transmit user data from the device, you should still disclose any permissions that your app requests.
Here's how Chemdata explains how it collects the data its users provide directly:
After this section, Chemdata describes how its app collects user data automatically:
Here's how Cultured Code explains its uses for the user data it collects:
Your app must be compliant with Apple's privacy standards. Therefore, any third party your app shares user data with must also be compliant with Apple's privacy standards.
Apple gives some examples of the types of companies it considers third parties:
Here's how Võrumaa Nutimängud explains how its users can revoke consent:
Be as specific as possible here with your timeframe, and make sure you're disclosing your actual practices.
However, Apple does require that you give users control over their data. Apple states this in a document called "Protecting the User's Privacy:"
Your app could provide the user with the ability to delete their data. Or you can invite your users to send you an email to make a deletion request.
Here's how the alarm clock app EY presents this type of information in its Privacy Statement:
Meeting Apple's requirements is only part of the job: privacy laws apply to your app as well, and you'll need to be familiar with them.
Note: You must obey the privacy law of the regions where your users are based and not just where you are based.
| Region(s) in which your app is accessible: | Examples of privacy laws you need to obey: |
|---|---|
| United States | Effectively, the State of California sets privacy standards in the United States. As long as your app is accessible to California consumers, you must obey the state's strict privacy laws. All commercial websites and apps must comply with the California Online Privacy Protection Act (CalOPPA). Larger companies must comply with the California Consumer Privacy Act (CCPA). There's also the California Privacy Rights Act (CPRA). |
| Canada | Canada's privacy standards are also high. If your app has users in Canada, you must comply with the Personal Information Processing and Electronic Documents Act (PIPEDA). |
| Australia | If your app is accessible in Australia, you may be subject to Australia's main consumer privacy law, the Privacy Act of 1988. |
Apple explains this in its App Store Connect Help for bundles:
Users must click on the main Account icon to open the Account menu. From here, there's a Legal menu:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.