Requirements of Apple's Privacy Policy Details

If you're an app developer, you must provide a simplified summary of your Privacy Policy on your app's product page within the Apple Store. The objective is to ensure that users have as much information as possible about how you plan on using their data before they download your app onto their iPhones.

In short, you must:

  • Set out a short, bulleted summary highlighting what personal information you capture from users
  • Ask for permission to track users before you track them across other websites (you can't just track them without asking)
  • Include a visible link to your more detailed Privacy Policy

Some businesses are concerned that the changes might dissuade people from downloading their app or using their services. However, Apple takes users' privacy concerns really seriously, so if you plan on making your app available through the Apple Store, you'll need to comply.

So, what's required of you, as an app developer? Let's break down what you need to know.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app.
  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

And you're done! Now you can copy or link to your hosted Privacy Policy.

Apple's New Privacy Requirements

The requirements are fairly straightforward. In short, you must do three things.

First, you must write what's informally called a "privacy nutrition label." The label summarizes what personal information you gather through the app and how you may use it for commercial purposes.

Next, you must get express permission to track someone's personal data across the other websites they visit, and you must make it easy for them to opt out. Users will be able to see if you've requested permission to track them, and they're free to accept or deny your request.

And finally, you must be sure to include a link to your more detailed Privacy Policy somewhere in your summary. If you haven't already drafted a Privacy Policy, you should do this before hosting your app on the platform.

This might seem like a lot to do, but it's simpler than it seems.

What's Behind the New Privacy Disclosure Requirements?

First, before we explore how developers can comply with Apple's new Privacy Policy rules, here's a brief summary of what's behind the changes:

  • There's a global trend towards offering greater privacy protection online, e.g. the EU's General Data Protection Regulation (GDPR) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Consumers want more control over what businesses do with their personal data - meaning data which can be used to personally identify them.
  • In a competitive marketplace, businesses are under pressure to show they take privacy concerns seriously.

The changes are designed to put people back in control of their personal information, while respecting the need for businesses to process sensitive data for commercial purposes.

Now we're clear on where the new rules are coming from, let's take a look at the biggest change: privacy 'nutrition' labels.

Privacy 'Nutrition' Labels

Think of these labels as "at-a-glance" summaries of your company's key Privacy Policy details.

The labels summarize:

  • What data your app can access
  • How you plan on using this data, and
  • The methods you use to collect the data

Let's take a look at the Disney+ app label in the App Store so you can see how it works.

From the label, we learn that Disney's app gathers data like contact details and location information. It also collects diagnostic information (although this data isn't directly traceable back to an individual):

Disney Plus Apple app Privacy Nutrition Label

The labels are designed to be easily understood by the average user, so they follow a standardized format. To learn more about what's being tracked, users can click "See Details":

Disney Plus Apple app Privacy Nutrition Label description with Details link

This opens up a box with more detailed information about the data Disney plans on processing, and what it's used for:

Disney Plus Apple app Privacy Nutrition Label: Details link screen

It's on you to accurately disclose your personal data handling practices in your summary, so here are some guidelines to follow:

  • Be sure to disclose all data you collect (including data third-parties collect on your behalf)
  • It's your responsibility to keep the details up-to-date, so review your summary regularly
  • Take legal advice before completing the summary if you're in any doubt about how to fill it in

If you don't comply when you're asked to submit the new privacy details summary, you won't lose your app's place in the Apple Store, for now. However, you'll find there's a non-compliance label on your page where the 'nutrition' label should be.

Here's an example from Poetry Magazine:

Poetry Magazine Apple app Privacy Nutrition Label with No Details Provided

This label clearly isn't the best advertisement for your business, especially when there's so much concern over how businesses protect users' privacy online. It's best to update your details as soon as you're requested to do so.

It's quite simple to complete the summary. Here's what to do.

Answering the App Privacy Questions

Every developer must complete the same questionnaire, and your answers are used to fill in the "label" or summary. The questionnaire expects you to confirm:

  • What data you collect
  • Why you need it
  • Who collects it, i.e. you or a third party
  • Which trackers you use, e.g. cookies
  • How you use the data

Note that you must be an admin, or the account holder, to complete the summary.

  • Go to My Apps, choose the relevant app, and select "App Privacy."
  • Click "Get Started" to complete the questionnaire.
  • If you or your third-party partners don't collect any personal data, click "No" as the answer to the first question. However, if you collect any sensitive information at all, you must click "Yes."

Once you're in the questionnaire, simply confirm the different types of data you collect, answer any follow-up questions, and click "Save" when you're done.

You can then hit "Publish" to complete the label once you've moved through each section.

If you want to amend your answers at any time, you simply follow the same process.

Note that not all data must be disclosed: for example, data you only collect occasionally, or data someone gives you voluntarily. An example might be a one-off, optional feedback form.

However, if you're in any doubt, disclose it anyway.

App Tracking Transparency

There's another component to the privacy 'nutrition' label, and it's the "tracking" summary.

Essentially, you now need permission to track app users across websites owned by other businesses. By tracking, we're talking about using the data your app collects from an end user's device for advertising or analytics purposes.

Situations covered by the new rules include:

  • Sharing identifiers or personal data with third parties so they can send out their own advertising
  • Delivering targeted advertisements based on someone's browser history
  • Sharing, or using, someone's location data

Here's what National Geographic's label looks like. It can use someone's contact information to track them across websites:

National Geographic Apple app Privacy Nutrition Label: Contact Info - Data Used to Track You

To be clear, you don't need to disclose if you're using the data to track purely for fraud prevention or security purposes. But if you're tracking for any other reason, you must abide by Apple's App Tracking Transparency framework.

First, ensure you fill in the correct details when you complete the privacy questionnaire we talked about above. This generates a tracking label for your page.

Next, provide an NSUserTrackingUsageDescription. This message alerts people when you want permission to track them:

Apple NSUserTrackingUsageDescription: Discussion section introduction

Next, make a one-time tracking authorization request (requestTrackingAuthorization). iOS remembers whether the user opted in or out, so the prompt isn't shown again:

Apple RequestTrackingAuthorization: Discussion section introduction

Finally, check your authorization status to ensure everything's working as it should be.
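The three in-app steps above, as an added Swift example that is not Apple's sample code or code from the original article: the Info.plist usage description, a single requestTrackingAuthorization call that only prompts while the status is still undetermined, and a status check that withholds the advertising identifier unless the user has authorized tracking. The helper function names are my own.

```swift
// Info.plist entry that must exist before the system prompt will appear
// (wording is an example; without this key the request silently fails):
// <key>NSUserTrackingUsageDescription</key>
// <string>Allow tracking so we can show you ads that match your interests.</string>

import AppTrackingTransparency
import AdSupport
import Foundation

/// Reads the current ATT status without prompting (the "check your
/// authorization status" step).
@available(iOS 14, *)
func currentTrackingStatus() -> ATTrackingManager.AuthorizationStatus {
    return ATTrackingManager.trackingAuthorizationStatus
}

/// Returns the IDFA only when the user authorized tracking. When tracking is
/// not authorized iOS hands back an all-zero UUID, so that case maps to nil and
/// callers never forward a placeholder identifier to an ad or analytics partner.
@available(iOS 14, *)
func advertisingIdentifierIfAllowed() -> String? {
    guard ATTrackingManager.trackingAuthorizationStatus == .authorized else { return nil }
    let idfa = ASIdentifierManager.shared().advertisingIdentifier.uuidString
    return idfa == "00000000-0000-0000-0000-000000000000" ? nil : idfa
}

/// Prompts once, only if the user has not yet decided, then reports the IDFA
/// (or nil). Denied and restricted are final answers: do not re-prompt, and do
/// not fall back to other fingerprinting, which the ATT rules also forbid.
@available(iOS 14, *)
func requestTrackingIfNeeded(completion: @escaping (String?) -> Void) {
    switch ATTrackingManager.trackingAuthorizationStatus {
    case .notDetermined:
        // iOS stores the answer, so this prompt is shown at most once per install.
        ATTrackingManager.requestTrackingAuthorization { status in
            DispatchQueue.main.async {
                completion(status == .authorized ? advertisingIdentifierIfAllowed() : nil)
            }
        }
    case .authorized:
        completion(advertisingIdentifierIfAllowed())
    case .denied, .restricted:
        completion(nil)
    @unknown default:
        completion(nil)
    }
}
```

Call requestTrackingIfNeeded only at the point where tracking is actually about to start (for example, before initialising an ad SDK), not at launch, so the prompt appears in context.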

As with the privacy 'nutrition' label, you can update, delete, or add to your tracking preferences through the developer platform.

Writing a Privacy Policy

As set out in Section 5 of Apple's App Store Review Guidelines, every app in the Store must come with a compliant Privacy Policy:

Apple App Store Review Guidelines: Legal section - Privacy - Data Collection and Storage - Privacy Policies requirement highlighted

It's your responsibility, as the developer, to ensure your app (and Privacy Policy) complies with the privacy laws applicable in whichever jurisdiction you sell your app. For example, if you make your app available to EU consumers, you must draft a GDPR-compliant Privacy Policy, and so on:

Apple App Store Review Guidelines: Legal section - Comply with legal requirements highlighted

In other words, Apple can remove your app from the App Store if you fail to follow the applicable laws. If you're unsure how to comply, take Apple's advice and get legal advice in advance, but essentially, every Privacy Policy must contain clauses explaining:

  • How users can contact you for more information
  • What personal data is, and why you need to collect it
  • How you collect the data
  • Who you share the data with and how it's used
  • Whether you use cookies or other tracking technologies
  • How you'll notify users of any major changes to your Privacy Policy
  • How users can opt out of data collection, and what rights they have over any data you collect

Be sure to check if strict laws apply in your chosen jurisdiction. Some privacy laws, like the GDPR, are more strict than others.

Privacy Best Practices

Essentially, you must:

  • Be open and honest about how you plan on using personal data
  • Don't collect more data than you need for a certain purpose; for example, you don't need someone's date of birth for a newsletter sign-up
  • If you need access to device data, like someone's location, don't request access until it's necessary, and always give the user an opportunity to opt out
  • Make it easy for users to disable access to sensitive data

If you're already complying with privacy laws like GDPR, these practices should be familiar to you.

The Privacy Policy URL

Finally, to comply with Apple's requirements, you must also display a link to your Privacy Policy on the App Store.

This generally means providing a URL to take users straight to your Privacy Policy. However, if you're running a tvOS app, you need to provide the full text on the relevant platform.

Here's an example. The Depop app includes a URL to its Privacy Policy:

Depop Apple App Store listing: Information section - Privacy Policy link highlighted

When you click the URL, you go straight to a detailed Privacy Policy, telling users everything they should know about the app before they download.

Netflix helpfully includes the link to its Privacy Policy within its app page privacy summary:

Netflix Apple app Privacy Nutrition Label with Privacy Policy link highlighted

Going forward, it's probably best practice to do the same and include a link within the summary, as well as a link in the "Information" section.

Remember, it's all about making it easy for users to find the details they need before they download or use your app.

Conclusion

If you want to place your app on Apple's App Store, you must do three things:

  • Include a summary of your core Privacy Policy on the app page.
  • Confirm if you track users' data through the app, and offer people the chance to opt out.
  • Draft a compliant Privacy Policy and post a link to it on the app's page. Ideally, you should put the link somewhere within the privacy summary so users don't need to look for it.

If you're offering a tvOS app for download, you must ensure there's a text version of your Privacy Policy on the platform for people to read and agree to before using your product.

It's your responsibility to know which privacy laws apply in your chosen jurisdiction. Apple's privacy update doesn't change this.

Depending on the laws, you might need to get someone's express consent to gather and use their personal information once they download the app, meaning that merely complying with Apple's new privacy rules isn't necessarily sufficient.

And, finally, Apple can remove your app or delete your account if you don't follow the rules. If you haven't completed your privacy 'nutrition' label yet, Apple may place a default label on your page saying you haven't complied yet, which looks quite bad for your business.