In short, you must:
- Set out a short, bulleted summary highlighting what personal information you capture from users
- Ask for permission to track users before you track them across other websites (you can't just track them without asking)
Some businesses are concerned that the changes might dissuade people from downloading their app or using their services. However, Apple takes users' privacy concerns really seriously, so if you plan on making your app available through the Apple Store, you'll need to comply.
So, what's required of you, as an app developer? Let's break down what you need to know.
Apple's New Privacy Requirements
The requirements are fairly straightforward. In short, you must do three things.
First, you must write what's informally called a "privacy nutrition label." The label summarizes what personal information you gather through the app and how you may use it for commercial purposes.
Next, you must get express permission to track someone's personal data across the other websites they visit, and you must make it easy for them to opt-out. Users will be able to see if you've requested permission to track them, and they're free to accept or deny your request.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
This might seem like a lot to do, but it's more simple than it seems.
What's Behind the New Privacy Disclosure Requirements?
- There's a global trend towards offering great privacy protection online e.g., the EU's General Data Protection Regulation (GDPR) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
- Consumers want more control over what businesses do with their personal data - meaning data which can be used to personally identify them.
- In a competitive marketplace, businesses are under pressure to show they take privacy concerns seriously.
The changes are designed to put people back in control of their personal information, while respecting the need for businesses to process sensitive data for commercial purposes.
Now we're clear on where the new rules are coming from, let's take a look at the biggest change: privacy 'nutrition' labels.
Privacy 'Nutrition' Labels
The labels summarize:
- What data your app can access
- How you plan on using this data, and
- The methods you use to collect the data
Let's take a look at the Disney+ app label in the App Store so you can see how it works.
From the label, we learn that Disney's app gathers data like contact details and location information. It also collects diagnostic information (although, this data isn't directly traceable back to an individual):
The labels are designed to be easily understood by the average user, so they follow a standardized format. To learn more about what's being tracked, users can click "see details:"
This opens up a box with more detailed information about the data Disney plans on processing, and what it's used for:
It's on you to accurately disclose your personal data handling practices in your summary, so here are some guidelines to follow:
- Be sure to disclose all data you collect (including data third-parties collect on your behalf)
- It's your responsibility to keep the details up-to-date, so review your summary regularly
- Take legal advice before completing the summary if you're in any doubt about how to fill it in
If you don't comply when you're asked to submit the new privacy details summary, you won't lose your app's place in the Apple Store...for now. However, you'll find there's a non-compliance label on your page where the 'nutrition' label should be.
Here's an example from Poetry Magazine:
This label clearly isn't the best advertisement for your business, especially when there's so much concern over how businesses protect users' privacy online. It's best to update your details as soon as you're requested to do so.
It's quite simple to complete the summary. Here's what to do.
Answering the App Privacy Questions
Every developer must complete the same questionnaire, and your answers are used to fill in the "label" or summary. The questionnaire expects you to confirm:
- What data you collect
- Why you need it
- Who collects it i.e., you or a third-party
- Which trackers you use e.g., cookies
- How you use the data
Note that you must be an admin, or the account holder, to complete the summary.
- Go to My Apps, choose the relevant app, and select "App Privacy."
- Click "Get Started" to complete the questionnaire.
- If you or your third-party partners don't collect any personal data, click "No" as the answer to the first question. However, if you collect any sensitive information at all, you must click "Yes."
Once you're in the questionnaire, simply confirm the different types of data you collect, answer any follow-up questions, and click "Save" when you're done.
You can then hit "Publish" to complete the label once you've moved through each section.
If you want to amend your answers at any time, you simply follow the same process.
Note that not all data must be disclosed. For example, if you only collect it occasionally, or someone gives you it voluntarily. An example might be a one-off, optional feedback form.
However, if you're in any doubt, disclose it anyway.
App Tracking Transparency
There's another component to the privacy 'nutrition' label, and it's the "tracking" summary.
Essentially, you now need permission to track app users across websites owned by other businesses. By tracking, we're talking about using the data your app collects from an end user's device for advertising or analytics purposes.
Situations covered by the new rules include:
- Sharing identifiers or personal data with third parties so they can send out their own advertising
- Delivering targeted advertisements based on someone's browser history
- Sharing, or using, someone's location data
Here's what National Geographic's label looks like. It can use someone's contact information to track them across websites:
To be clear, you don't need to disclose if you're using the data to track purely for fraud prevention or security purposes. But if you're tracking for any other reason, you must abide by Apple's AppTracking Transparency Framework.
First, ensure you fill in the correct details when you complete the privacy questionnaire we talked about above. This generates a tracking label for your page.
Next, provide an NSUserTrackingUsageDescription. This message alerts people when you want permission to track them:
Next, use a one-time request tracking tag. This remembers whether a user opts in or out of data tracking:
Finally, check your authorization status to ensure everything's working as it should be.
As with the privacy 'nutrition' label, you can update, delete, or add to your tracking preferences through the developer platform.
- How users can contact you for more information
- What personal data is, and why you need to collect it
- How you collect the data
- Who you share the data with and how it's used
- How users can opt out of data collection, and what rights they have over any data you collect
Be sure to check if strict laws apply in your chosen jurisdiction. Some privacy laws, like the GDPR, are more strict than others.
Privacy Best Practices
Essentially, you must:
- Be open and honest about how you plan on using personal data
- Don't collect more data than you need for a certain purpose i.e., you don't need someone's date of birth for a newsletter sign-up
- If you need access to device data, like someone's location, don't request access until it's necessary, and always give the user an opportunity to opt-out
- Make it easy for users to disable access to sensitive data
If you're already complying with privacy laws like GDPR, these practices should be familiar to you.
Going forward, it's probably best practice to do the same and include a link within the summary, as well as a link in the "Information" section.
Remember, it's all about making it easy for users to find the details they need before they download or use your app.
If you want to place your app on Apple's App Store, you must do three things:
- Confirm if you track users' data through the app, and offer people the chance to opt-out.
It's your responsibility to know which privacy laws apply in your chosen jurisdiction. Apple's privacy update doesn't change this.
Depending on the laws, you might need to get someone's express consent to gather and use their personal information once they download the app, meaning that merely complying with Apple's new privacy rules isn't necessarily sufficient.
And, finally, Apple can remove your app or delete your account if you don't follow the rules. If you haven't completed your privacy 'nutrition' label yet, Apple may place a default label on your page saying you haven't complied yet, which looks quite bad for your business.