From December 8, 2020, iOS and tvOS app developers need to provide Apple with detailed privacy information before uploading a new app or updating an existing app in the App Store.
Apple has a lot of questions for developers. Among other things, the company wants to help users understand how your app collects data, whether you link that data to your users, and which third parties have access to it.
Complying with the new rules will require an in-depth audit of how your app collects and uses data. Sounds daunting? Don't panic. We're here to walk you through the process.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your mobile app. Just follow these steps:
- At Step 1, select the App option.
- Answer some questions about your app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new App Privacy Policy.
- 1. Why Did Apple Make These Changes?
- 2. What are the App Privacy Questions?
- 3. Preparing to Answer the App Privacy Questions
- 3.1. Important Considerations
- 3.2. What Does "Collect" Mean?
- 3.3. What is a "Third-Party Partner?"
- 3.4. What Types of Collected Data Do I Need to Disclose?
- 3.5. What Uses of Data Do I Need to Disclose?
- 3.6. What is "Data Linked to the User?"
- 3.7. What Does "Tracking" Mean?
- 3.7.1. What is "Third-Party Data?"
- 3.7.2. What is a "Data Broker?"
- 3.8. When Do I Not Need to Disclose Data I Collect?
- 4. Adding Privacy Links
- 5. How to Add App Privacy Details Labels in Apple App Store Connect
- 6. App Privacy Questions Summary Checklist
Why Did Apple Make These Changes?
Apple's requirements come as consumers become ever more aware of how companies use their data, lawmakers pass tougher privacy legislation, and regulators worldwide increasingly scrutinize big tech firms.
Apple has long been perceived as a more privacy-focused platform operator than its closest rivals, and it appears to be attempting to build on that reputation. With iOS 14, for example, apps must seek "opt-in" consent before tracking users' activity.
Apple wants you to provide more detailed privacy information to help users understand how your app treats their data. This information will also help Apple determine whether developers are complying with its App Store Review Guidelines.
A Terms and Conditions for your mobile app isn't required, but it's useful. The T&C document is also known as a Terms of Use or Terms of Service.
What are the App Privacy Questions?
Apple's requirements involve answering "App Privacy Questions" in App Store Connect. Only an account holder or admin can do this.
You'll be asked the App Privacy Questions when you upload a new app or update an existing app. For existing apps, you can answer the App Privacy Questions at any time by selecting an app in the "My Apps" section of App Store Connect and clicking "App Privacy" in the sidebar.
The App Privacy Questions require you to confirm whether you or your third-party partners collect data from your app, confirm what types of data you or your third-party partners collect, and then answer questions about your use of each type of data.
Preparing to Answer the App Privacy Questions
Here's a run-down of all the key concepts and definitions needed to help you prepare for answering the App Privacy Questions.
Important Considerations
When answering the App Privacy Questions, you should remember the following requirements:
- You must provide comprehensive information about how you and your third-party partners collect and use app data. You're responsible for having a thorough understanding of your data flows and being completely honest about your practices.
- Your app must comply with any privacy laws in the places where your users are based. These may include the California Consumer Privacy Act (CCPA) as amended by the CPRA, the EU or UK General Data Protection Regulation (GDPR), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
- Your app must also comply with Apple's App Store Review Guidelines, which includes having an App Store-compliant Privacy Policy.
- You must keep your answers up-to-date. You may need to return to the App Privacy section of App Store Connect if there is a change in the way in which your app collects or uses data.
What Does "Collect" Mean?
How do you know if your app "collects" data? Here's how Apple defines "collect":
You're collecting data if:
- Your app transmits data from a user's device
- In a way that allows you and/or your third-party partners to access it
- For a longer period than necessary for servicing the transmitted request in real time
You aren't collecting data if:
- Your app doesn't transmit data from a user's device
- Your app transmits data from the user's device, but you or your third-party partners only access it for the period necessary to service the transmitted request in real time, for example:
  - Your app sends an authentication token or IP address on a server call but you don't retain it
  - Your app sends data to your servers but you immediately delete it after servicing the request
What is a "Third-Party Partner?"
Does your app make data available to "third-party partners?" Here's how Apple defines "third-party partners":
Common iOS app third-party partners include:
- Google Analytics
- Google Sign-In
- Google AdMob
- Crashlytics (also owned by Google)
- Facebook Analytics
- Facebook Login
- Facebook App Events
- Facebook Share and Send dialogs
- Facebook Graph API
What Types of Collected Data Do I Need to Disclose?
Apple requires you to disclose the following 14 types of data when answering the App Privacy Questions.
- Contact information, such as:
  - First name
  - Last name
  - Email address
  - Hashed email address
  - Phone number
  - Hashed phone numbers
  - Physical address (e.g. home address, mailing address, billing address)
  - Contact details (any information that could be used to contact the user)
- Health and fitness data, such as:
  - Any user-provided health and medical data
  - Clinical Health Records API data
  - HealthKit API data
  - MovementDisorderAPIs data
  - Health-related human subject research data
- Financial information, such as:
  - Any form of payment data
  - Payment card number
  - Bank account number
  - Credit information
  - Credit score
  - Any form of financial information
  - Salary data
  - Income data
  - Asset data
  - Debt data
- Location information, such as:
  - Precise location (data describing the location of the user or device with the same or greater resolution as latitude and longitude to three or more decimal places)
  - Coarse location (data describing the location of the user or device with lower resolution than latitude and longitude to three or more decimal places, e.g. Approximate Location Services)
- Sensitive information, such as:
  - Race or ethnicity data
  - Sexual orientation data
  - Pregnancy or childbirth data
  - Disability data
  - Data about religious or philosophical beliefs
  - Data about trade union membership
  - Data about political opinion
  - Genetic data
  - Biometric data
- Contacts information, such as:
  - Phone contacts list
  - Address book data
  - Social graph data
- User content, such as:
  - Emails or text messages (including subject line, sender, recipient, contents)
  - Photos
  - Videos
  - Voice or sound recordings
  - Gameplay content
  - User-generated content
  - Customer support request data
- Browsing history, such as:
  - Website visit data
  - Data about any content the user has viewed outside of the app
- Search history (within the app)
- Identifiers, such as:
  - User ID
  - Screen name
  - Handle
  - Account ID
  - Assigned user ID
  - Customer number
  - Any other user- or account-level ID that can be used to identify a specific user or account
  - Device ID
  - Ad ID
  - Any other device-level ID
- Purchase history
- Usage information, such as:
  - Product interaction data (e.g., app launches, taps, clicks, scrolling data, music-listening data, data about video views)
  - Save positions (in a game, video, or audio file)
  - Any other information about how the user interacts with the app
  - Advertising data (e.g., data about ad views and interactions)
- Diagnostic information, such as:
  - Crash data
  - Crash logs
  - Performance data (e.g., launch time, hang rate, or energy use)
  - Any other data collected for measuring technical diagnostics
- Any other types of data not mentioned above (including data entered in generic free form text fields)
What Uses of Data Do I Need to Disclose?
When answering the App Privacy Questions, you must disclose how you and your third-party partners use each type of data you collect.
Apple breaks down the possible uses of data into 6 categories:
- Third-party advertising, such as:
  - Displaying third-party ads in your app
  - Sharing data with entities that display third-party ads
- Developer's advertising or marketing, such as:
  - Displaying first-party ads in your app
  - Sending marketing communications directly to your users
  - Sharing data with entities that display your ads
- Analytics, such as:
  - Evaluating user behavior
  - Understanding the effectiveness of existing product features
  - Planning new features
  - Measuring audience size or characteristics
- Product personalization, such as:
  - Customizing what the user sees
  - Presenting a list of recommended products, posts, or suggestions
- App functionality, such as:
  - Authenticating the user
  - Enabling features
  - Preventing fraud
  - Implementing security measures
  - Ensuring server up-time
  - Minimizing app crashes
  - Improving scalability and performance
  - Performing customer support
- Any other data uses not listed above
What is "Data Linked to the User?"
For each type of data you disclose, Apple requires that you confirm whether the data is "linked to the user," either via you or your third-party partners.
You should generally assume that data collected from a user is linked to their identity unless you have taken proactive steps to remove identifiers.
Examples of steps you can take to remove identifiers from data include:
- Stripping the data of direct identifiers, such as user IDs or names, before collecting it
- Manipulating the data to prevent it from being linked to identifiers
After you have deidentified the data, you must not:
- Attempt to link the data back to the user
- Tie the data to any datasets that might enable reidentification
Apple also notes that data is considered "linked to the user" if it can be defined as "personal information" or "personal data" under relevant privacy laws. This means that if you have users in regions with strict privacy regulations, such as the EU, you must take particular care to permanently remove the possibility of reidentification when anonymizing data.
For more information, see our article: What is Personal Information Under Privacy Laws?
What Does "Tracking" Mean?
You must disclose whether any data you collect is used for "tracking." Apple defines "tracking" in quite a broad way.
Apple identifies two types of "tracking," which we'll call "linking" and "sharing":
- "Linking" means:
  - Linking the following two types of data:
    - Data collected from your app about a user or device, such as:
      - User ID
      - Device ID
      - Profile
    - Third-party data
  - For the purposes of either:
    - Targeted advertising, or
    - Advertising measurement
- "Sharing" means:
  - Sharing data collected from your app about a user or device with a data broker
Here are some examples of tracking:
- Showing users targeted ads in your app based on data collected about them from third-party apps and websites (rather than simply displaying "contextual ads" that do not depend on user behavior)
- Sharing data about a user's location or contact information with a data broker
- Sharing contact information or identifiers with a third-party ad network that uses the data for retargeting purposes (e.g. to show users ads within other apps)
- Using a third-party SDK that links data from your app with data from other apps for advertising or analytics purposes
These are very common activities, and Apple will soon require you to get opt-in user consent before you engage in them.
What is "Third-Party Data?"
Apple defines "third-party data" as "any data about a particular end-user or device collected from apps, websites, or offline properties not owned by you."
What is a "Data Broker?"
Apple doesn't define "data broker," and the term has different legal definitions in different places. In this context, a data broker is an entity that collects or aggregates personal information for commercial purposes, usually to sell it to advertisers.
When Do I Not Need to Disclose Data I Collect?
Apple identifies some types of data that are optional to disclose. This exemption is designed to allow you to provide optional feedback forms or customer service requests without Apple needing to disclose it to users before they download your app.
You may choose not to disclose your collection of data if it meets all of the following conditions:
- The data is not used for:
  - Tracking
  - Advertising
  - Marketing
  - Third-party advertising
- The data is only collected infrequently
- The data is not collected as part of your app's primary functionality
- The user has a choice regarding whether the data is collected
- The data is provided by the user in your app's interface
- It is clear to the user what data is being collected
- The data is collected via a submission form that prominently displays the user's name or account name alongside the other data elements being submitted
- The user affirmatively chooses to provide the data each time it is collected
- The data is not collected on an ongoing basis after the initial permission request
If your collection of data only meets some of these criteria, you must disclose it to Apple.
Adding Privacy Links
In addition to answering the privacy questions, Apple asks you to provide two "privacy links":
- Privacy Policy URL (Mandatory): You must provide a link to your Privacy Policy. You should ensure your Privacy Policy meets the App Store Privacy Policy requirements before submitting it to Apple.
- Privacy Choices URL (Optional): You can also provide a link to your Privacy Choices page, where users can exercise their choices and rights over their data. You may be legally obliged to offer users privacy choices like this, for example under the GDPR or CCPA.
How to Add App Privacy Details Labels in Apple App Store Connect
- Log in to your Apple App Store Connect account.
- Select your app:
- Under the General section, select App Privacy:
- Click Get Started to start adding the App Privacy Details Labels:
- Start answering the questions regarding your app privacy practices.
  The first question is about Data Collection. Answer and click Next to continue:
  If you don't collect any data, select "No, we do not collect data from this app" and click Save. You won't need to answer any further questions.
  If you collect data, then select "Yes, we collect data from this app" and click Next.
- If you collect data, the next set of questions will appear. For example, you'll be asked to select the data types your app collects, e.g. email addresses:
- A new dialog titled Additional Setup Required will appear. Click OK to continue:
  This type of setup will be required for all data types you select under the Data Collection modal.
  For example, if you collect email addresses as a data type, click on Set up Email Address:
- After you have answered the questions about the data types you collect, you'll see the summary of your answers:
- Review your App Privacy responses. Click Publish in the upper right corner and confirm the changes.
- You're done!
App Privacy Questions Summary Checklist
In preparation for answering the App Privacy Questions:
- Make a list of each type of data you collect, divided into Apple's 14 data categories
- Make a list of your third-party partners
- Identify how you and your third-party partners use each type of data, divided into Apple's six data use categories
- Confirm whether you link each type of data to the user
- Confirm whether you use each type of data for tracking
You should also make sure your Privacy Policy meets Apple's requirements before submitting it.