Requirements of Apple's Privacy Policy Details

by Jennifer L. Legal writer.
Requirements of Apple's Privacy Policy Details

If you're an app developer, you must provide a simplified summary of your Privacy Policy on your app's product page within the Apple Store. The objective is to ensure that users have as much information as possible about how you plan on using their data before they download your app onto their iPhones.

In short, you must:

  • Set out a short, bulleted summary highlighting what personal information you capture from users
  • Ask for permission to track users before you track them across other websites (you can't just track them without asking)
  • Include a visible link to your more detailed Privacy Policy

Some businesses are concerned that the changes might dissuade people from downloading their app or using their services. However, Apple takes users' privacy concerns really seriously, so if you plan on making your app available through the Apple Store, you'll need to comply.

So, what's required of you, as an app developer? Let's break down what you need to know.


Apple's New Privacy Requirements

The requirements are fairly straightforward. In short, you must do three things.

First, you must write what's informally called a "privacy nutrition label." The label summarizes what personal information you gather through the app and how you may use it for commercial purposes.

Next, you must get express permission to track someone's personal data across the other websites they visit, and you must make it easy for them to opt-out. Users will be able to see if you've requested permission to track them, and they're free to accept or deny your request.

And finally, you must be sure to include a link to your more detailed Privacy Policy somewhere in your summary. If you haven't already drafted a Privacy Policy, you should do this before hosting your app on the platform.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

This might seem like a lot to do, but it's more simple than it seems.

What's Behind the New Privacy Disclosure Requirements?

First, before we explore how developers can comply with Apple's new Privacy Policy rules, here's a brief summary of what's behind the changes:

  • There's a global trend towards offering great privacy protection online e.g., the EU's General Data Protection Regulation (GDPR) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Consumers want more control over what businesses do with their personal data - meaning data which can be used to personally identify them.
  • In a competitive marketplace, businesses are under pressure to show they take privacy concerns seriously.

The changes are designed to put people back in control of their personal information, while respecting the need for businesses to process sensitive data for commercial purposes.

Now we're clear on where the new rules are coming from, let's take a look at the biggest change: privacy 'nutrition' labels.

Privacy 'Nutrition' Labels

Privacy 'Nutrition' Labels

Think of these labels as "at-a-glance" summaries of your company's key Privacy Policy details.

The labels summarize:

  • What data your app can access
  • How you plan on using this data, and
  • The methods you use to collect the data

Let's take a look at the Disney+ app label in the App Store so you can see how it works.

From the label, we learn that Disney's app gathers data like contact details and location information. It also collects diagnostic information (although, this data isn't directly traceable back to an individual):

Disney Plus Apple app Privacy Nutrition Label

The labels are designed to be easily understood by the average user, so they follow a standardized format. To learn more about what's being tracked, users can click "see details:"

Disney Plus Apple app Privacy Nutrition Label description with Details link

This opens up a box with more detailed information about the data Disney plans on processing, and what it's used for:

Disney Plus Apple app Privacy Nutrition Label: Details link screen

It's on you to accurately disclose your personal data handling practices in your summary, so here are some guidelines to follow:

  • Be sure to disclose all data you collect (including data third-parties collect on your behalf)
  • It's your responsibility to keep the details up-to-date, so review your summary regularly
  • Take legal advice before completing the summary if you're in any doubt about how to fill it in

If you don't comply when you're asked to submit the new privacy details summary, you won't lose your app's place in the Apple Store...for now. However, you'll find there's a non-compliance label on your page where the 'nutrition' label should be.

Here's an example from Poetry Magazine:

Poetry Magazine Apple app Privacy Nutrition Label with No Details Provided

This label clearly isn't the best advertisement for your business, especially when there's so much concern over how businesses protect users' privacy online. It's best to update your details as soon as you're requested to do so.

It's quite simple to complete the summary. Here's what to do.

Answering the App Privacy Questions

Answering the App Privacy Questions

Every developer must complete the same questionnaire, and your answers are used to fill in the "label" or summary. The questionnaire expects you to confirm:

  • What data you collect
  • Why you need it
  • Who collects it i.e., you or a third-party
  • Which trackers you use e.g., cookies
  • How you use the data

Note that you must be an admin, or the account holder, to complete the summary.

  • Go to My Apps, choose the relevant app, and select "App Privacy."
  • Click "Get Started" to complete the questionnaire.
  • If you or your third-party partners don't collect any personal data, click "No" as the answer to the first question. However, if you collect any sensitive information at all, you must click "Yes."

Once you're in the questionnaire, simply confirm the different types of data you collect, answer any follow-up questions, and click "Save" when you're done.

You can then hit "Publish" to complete the label once you've moved through each section.

If you want to amend your answers at any time, you simply follow the same process.

Note that not all data must be disclosed. For example, if you only collect it occasionally, or someone gives you it voluntarily. An example might be a one-off, optional feedback form.

However, if you're in any doubt, disclose it anyway.

App Tracking Transparency

App Tracking Transparency

There's another component to the privacy 'nutrition' label, and it's the "tracking" summary.

Essentially, you now need permission to track app users across websites owned by other businesses. By tracking, we're talking about using the data your app collects from an end user's device for advertising or analytics purposes.

Situations covered by the new rules include:

  • Sharing identifiers or personal data with third parties so they can send out their own advertising
  • Delivering targeted advertisements based on someone's browser history
  • Sharing, or using, someone's location data

Here's what National Geographic's label looks like. It can use someone's contact information to track them across websites:

National Geographic Apple app Privacy Nutrition Label: Contact Info - Data Used to Track You

To be clear, you don't need to disclose if you're using the data to track purely for fraud prevention or security purposes. But if you're tracking for any other reason, you must abide by Apple's AppTracking Transparency Framework.

First, ensure you fill in the correct details when you complete the privacy questionnaire we talked about above. This generates a tracking label for your page.

Next, provide an NSUserTrackingUsageDescription. This message alerts people when you want permission to track them:

Apple NSUserTrackingUsageDescription: Discussion section introduction

Next, use a one-time request tracking tag. This remembers whether a user opts in or out of data tracking:

Apple RequestTrackingAuthorization: Discussion section introduction

Finally, check your authorization status to ensure everything's working as it should be.

As with the privacy 'nutrition' label, you can update, delete, or add to your tracking preferences through the developer platform.

Writing a Privacy Policy

Writing a Privacy Policy

As set out in Section 5 of Apple's App Store Review Guidelines, every app in the Store must come with a compliant Privacy Policy:

Apple App Store Review Guidelines: Legal section - Privacy - Data Collection and Storage - Privacy Policies requirement highlighted

It's your responsibility, as the developer, to ensure your app (and Privacy Policy) complies with the privacy laws applicable in whichever jurisdiction you sell your app. For example, if you make your app available to EU consumers, you must draft a GDPR-compliant Privacy Policy, and so on:

Apple App Store Review Guidelines: Legal section - Comply with legal requirements highlighted

In other words, Apple can remove your app from the App Store if you fail to follow the applicable laws. If you're unsure how to comply, take Apple's advice and get legal advice in advance, but essentially, every Privacy Policy must contain clauses explaining:

  • How users can contact you for more information
  • What personal data is, and why you need to collect it
  • How you collect the data
  • Who you share the data with and how it's used
  • Whether you use cookies or other tracking technologies
  • How you'll notify users of any major changes to your Privacy Policy
  • How users can opt out of data collection, and what rights they have over any data you collect

Be sure to check if strict laws apply in your chosen jurisdiction. Some privacy laws, like the GDPR, are more strict than others.

Privacy Best Practices

Essentially, you must:

  • Be open and honest about how you plan on using personal data
  • Don't collect more data than you need for a certain purpose i.e., you don't need someone's date of birth for a newsletter sign-up
  • If you need access to device data, like someone's location, don't request access until it's necessary, and always give the user an opportunity to opt-out
  • Make it easy for users to disable access to sensitive data

If you're already complying with privacy laws like GDPR, these practices should be familiar to you.

The Privacy Policy URL

Finally, to comply with Apple's requirements, you must also display a link to your Privacy Policy on the App Store.

This generally means providing a URL to take users straight to your Privacy Policy. However, if you're running a tvOS app, you need to provide the full text on the relevant platform.

Here's an example. The Depop app includes a URL to its Privacy Policy:

Depop Apple App Store listing: Information section - Privacy Policy link highlighted

When you click the URL, you go straight to a detailed Privacy Policy, telling users everything they should know about the app before they download.

Netflix helpfully includes the link to its Privacy Policy within its app page privacy summary:

Netflix Apple app Privacy Nutrition Label with Privacy Policy link highlighted

Going forward, it's probably best practice to do the same and include a link within the summary, as well as a link in the "Information" section.

Remember, it's all about making it easy for users to find the details they need before they download or use your app.

Conclusion

If you want to place your app on Apple's App Store, you must do three things:

  • Include a summary of your core Privacy Policy on the app page.
  • Confirm if you track users' data through the app, and offer people the chance to opt-out.
  • Draft a compliant Privacy Policy and post a link to it on the app's page. Ideally, you should put the link somewhere within the privacy summary so users don't need to look for it.

If you're offering a tvOS app for download, you must ensure there's a text version of your Privacy Policy on the platform for people to read and agree to before using your product.

It's your responsibility to know which privacy laws apply in your chosen jurisdiction. Apple's privacy update doesn't change this.

Depending on the laws, you might need to get someone's express consent to gather and use their personal information once they download the app, meaning that merely complying with Apple's new privacy rules isn't necessarily sufficient.

And, finally, Apple can remove your app or delete your account if you don't follow the rules. If you haven't completed your privacy 'nutrition' label yet, Apple may place a default label on your page saying you haven't complied yet, which looks quite bad for your business.

Last updated on 18 March 2021

Article categories

Jennifer L.

Legal writer.