Apple’s New Privacy Requirements for the App Store: Details and How to Comply
Apple recently announced new requirements for mobile application privacy disclosures that are meant to provide increased privacy protections for consumers. Developers of newly added mobile applications, as well as apps that are implementing any updates, must enter detailed privacy information in order to create a “Privacy Nutrition Label” to be displayed on the app’s page within the App Store.
The Privacy Nutrition Labels feature is meant to give users an easy-to-view summary of the app developer’s privacy practices. A look at a sample label in the App Store provides the following:
- The data used to track the individual downloading the app;
- A list of the data that may be collected and linked to the individual’s identity; and
- A list of the data that may be collected that is not linked to the individual’s identity.
In addition, in the next few months with the launch of iOS 14, Apple will introduce a feature called “App Tracking Transparency.” This feature will require apps to get users’ permission before their data and “Identifiers for Advertisers” (IDFAs) are tracked across different apps and websites. The feature will allow users to see which apps have requested permission to track them and to decide whether to continue to allow tracking. Apple has cited praise from multiple privacy organizations related to these modifications. In addition, Apple has stated that users will still be able to access an app’s full capabilities if they decide they do not want the app to track them. Further, if an app violates its privacy policies, Apple will either require the app to comply or remove it from the App Store.
These changes affect both new and existing app developers. Apple will now require developers to answer a questionnaire in “App Store Connect”; the answers are used to populate the label. To answer the questionnaire, developers should know all of the data that the app collects, along with any data that third-party partners collect. This data includes information related to the following:
- Health and fitness;
- User content;
- Browsing and search history;
- User and device identifiers;
- Purchase history;
- Usage data; and
To briefly describe what a “third-party partner” may entail, according to Apple: “Third-party partners refers to analytics tools, advertising networks, third-party [software development kits], or other external vendors whose code [the developer has] added to [the] app.” Therefore, it is important for businesses to understand how and where the app is transferring data and to whom. Additionally, disclosure may be optional if all of the following requirements are met:
- The data is not used for tracking purposes and third-party advertising;
- Data collection occurs infrequently, is not part of the app’s primary functionality, and is optional for the user; and
- The user affirmatively chooses to provide the data for collection, it is provided by the user in the application, the user understands what data is collected, and the user’s name or account name is prominently displayed alongside the data elements being submitted in the data submission form.
It is important to note that although Apple is requiring these changes, the implementation of such changes is entirely self-monitored by developers. A closer look at Privacy Nutrition Labels confirms that the information provided is not verified by Apple. However, even though it is not verified, app developers should still be careful when reporting privacy information. Providing misleading or false information risks liability under states’ unfair and deceptive acts and practices laws as well as scrutiny by federal agencies such as the Federal Trade Commission.
Companies have had mixed reactions to Apple’s changes. For example, Google has sent out a bulletin advising developers and advertisers in “their community” how to comply with Apple’s updates. Google states that developers should convert their software to use the SKAdNetwork Application Programming Interfaces, which do not need to comply with the App Tracking Transparency requirements because transactions within the network are signed and verified by Apple, as opposed to IDFAs. However, Google has refused to update some of its apps in order to avoid providing the applicable data. In addition, Facebook has taken an aggressive stance against Apple, stating that Apple’s changes are for Apple’s own benefit and not for privacy transparency, while Snap Inc. stated that this is the right move in order to protect consumers.
For more information on Apple’s guidelines, developers may visit the link here. The link explains in detail how to answer the app privacy questions, including how to qualify for optional disclosure, what types of data developers need to know they collect, and how to know if their app tracks users, along with specific definitions and additional guidance for users. Step-by-step instructions on updating apps on App Store Connect can be found here.
Koley Jessen can help your business with any required modifications to mobile application privacy policies in order to comply with the Apple App Store’s privacy requirements. If you have additional questions or concerns regarding these changes, please contact a member of the Koley Jessen Data Privacy and Security practice area.
*Special thanks to Jake Walker, Law Clerk, for his assistance with this article.