New rules from Apple means that app publishers must give the company much more detail about the data they collect about users and the ways they use that data.
The good news is that this shouldn't be a major headache if you already comply with relevant data laws.
Also good news towards compliance is that Apple is keeping its previous requirement to link to a Privacy Policy, so this is a good opportunity to review your policy and add more detail if needed.
We'll tell you what's changing and what you need to do to comply.
- 1. What's Changing in Apple's Approach to Privacy?
- 2. What Information Will Apple Require You to Provide?
- 2.1. The Types of Data You Collect
- 2.2. Data Use
- 2.3. Data Linked to the User
- 2.4. Tracking
- 2.5. Privacy Links
- 2.6. How to Create a Privacy Policy
- 3. Is Any Information Exempt?
- 4. Do You Need to Keep the Information Up to Date?
- 5. How Does This Work With Other Personal Data and Privacy Rules?
- 5.1. General Data Protection Regulation (GDPR)
- 5.2. California Consumer Privacy Act (CCPA)
- 5.3. Personal Information Protection and Electronic Documents Act (PIPEDA) plus equivalent provincial laws in Canada
- 5.4. Lei Geral de Proteção de Dados Pessoais (LGPD)
- 5.5. Protection of Personal Information Act (POPI)
- 6. Summary
What's Changing in Apple's Approach to Privacy?
Although Apple has always had rules about how app publishers handle user data, it previously did not have particularly strong requirements about communicating this to users. Instead, publishers simply had to provide a link to their Privacy Policy, and this link then appears on the product page for each app.
In 2021, Apple will show more details on privacy and data handling on the product page for an app. To prepare for this, Apple changed its rules on 8 December 2020 to require app publishers to provide these details through the App Store Connect tool.
This applies to any new app published from this date. It also applies whenever you update an existing app.
What Information Will Apple Require You to Provide?
As a general overview, you will need to identify any data that either you, or a third-party working with you, collects through the app.
Examples of third parties include advertising networks and analytics providers. In short, it's anyone who will collect data about users through your app, or will have access to data you collect yourself.
The information you'll need to provide includes:
- The types of data you collect
- The ways you use the data
- How you link the data to the user
- If and how you use data to track the user
- A link to your Privacy Policy
Let's break these down in detail.
The Types of Data You Collect
You'll need to use the App Store Connect tool to say what data you and third-party partners collect in 14 categories, broken down into sub-categories as follows:
- Contact Info: Name; email address; phone number; physical address; other contact info
- Health and Fitness: Health; fitness
- Financial Info: Payment info, credit info, other financial info
- Location: Precise location (to at least the equivalent of three decimal places of latitude and longitude); coarse location (any other location data)
- Sensitive Info
- Contacts
- Browsing History (outside the app)
- Search History (within the app)
- Identifiers: User ID; device ID
- Purchases
- Usage Data: Product interaction; advertising data; other usage data
- Diagnostics: Crash data; performance data; other diagnostic data
- Other Data
- User content: Emails or text messages; photos or videos; audio data; gameplay content; customer support; other user content
Some key points to remember about these categories:
- You must say if you collect email addresses and phone numbers, even if you store them in hashed format.
- Sensitive Info examples include "racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data."
- "Customer support" covers data the user generates while making a request for customer support.
- Purchases can include data about an individual or an account. It can include both details of specific purchases and wider patterns, for example the type of products somebody buys most often.
Data Use
You must detail the ways you and your third-party partners use each type of data, specifically whether it falls into any of six categories:
- Third-Party Advertising
- Developer's Advertising or Marketing
- Analytics
- Product Personalization
- App Functionality
- Other Purposes
Note it's possible the same type of data could be used for two or more purposes.
Data Linked to the User
For each type of data, you must say whether or not the data is linked to the user's identity. This covers both your activity and that of your third-party partners.
If you are in any doubt, you should treat data as being linked to the user's identity unless you take active and ongoing steps to prevent this. Such steps could include:
- Removing user names or IDs before collecting data
- Altering the data to remove and prevent any link to user identities
- Avoiding any steps that could restore the link to a user identity
- Not combining multiple sets of a data in a way that could create a link to a user identity
Note that Apple says if any of the data you collected is classed as "personal information" or "personal data" under relevant laws, you must always list it as being linked to the user's identity.
Tracking
You will need to disclose what (if any) information you or your third-party partners use to track users. For these purposes Apple defines tracking as either of the following:
- Linking data you collect about a specific user or device with third-party data, either for targeted advertising or for advertising measurement, or
- Sharing data you collect about a specific user or device with a data broker
It doesn't matter what technical method you use to link or share data. For example, showing targeted ads, transferring a database or using a third-party SDK would all count as tracking if the activity meets either of the two criteria above.
The main exemptions are when:
- The data and the data linking remains solely on the user's device
- The data broker only uses the data to detect or prevent fraud or carry out other security measures. This use must be solely for your benefit.
Privacy Links
You must link to a publicly accessible Privacy Policy.
You can choose whether or not to link to a publicly accessible page that lets users manage their privacy choices regarding your app. This could include seeing what data you store about them and asking you to change or remove the data.
How to Create a Privacy Policy
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue with building your Privacy Policy while answering on questions from our wizard:
-
Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
Is Any Information Exempt?
Yes, Apple has set out an exemption for some data as long as it meets four criteria. If it doesn't meet all four criteria, you must disclose it.
The criteria are:
- The data isn't used for tracking
- The data isn't used for advertising or marketing
- You collect the data infrequently in a way that's optional for the user and isn't part of the app's core functionality
- The user actively provides the data, for example by completing a form and confirming submission
Apple gives the example of a feedback form or service request as information that would meet these criteria.
You can still disclose this data. It's simply optional to do so. It may be safer to disclose the data if it's possible the way you use it will change in the future such that it no longer meets the criteria.
Do You Need to Keep the Information Up to Date?
Yes. You must update the information you've provided to Apple whenever your data practices change. To do so, you can simply use the App Store Connect tool in the same way as when you first provided the data. You can change this information without having to update the app itself.
How Does This Work With Other Personal Data and Privacy Rules?
The good news is that collecting the information you need to comply with the new Apple requirements makes a great start to producing a publicly accessible Privacy Policy.
The combination of following Apple's rules and publishing a policy with all this information will go a long way to complying with several privacy laws that could affect you if your app is available internationally.
Let's recap those laws and note where you'll need to include information not required by Apple.
General Data Protection Regulation (GDPR)
The GDPR affects you if: You, a customer, or your data processing is in a European Union country. (At the time of writing the rules also apply in the UK under domestic law.)
What extra details your Privacy Policy needs:
- Your contact details and those of your data protection officer, if applicable
- The legal basis for processing data
- Whether you'll transfer the data to a non-EU country and if so, how you'll safeguard it
- How long you'll keep the data
- Whether the data subject is legally required to give consent and what happens if they don't
- Whether you use the data for automated decision-making
- The data subject's eight privacy rights under the GDPR
California Consumer Privacy Act (CCPA)
The CCPA affects you if: You serve customers in California and either your annual gross revenue is at least $25 million; you collect or receive personal data about 50,000 Californians; or you make more than half your annual gross revenue by selling Californians' personal data.
You must conspicuously link from your website homepage to your Privacy Policy and update your Privacy Policy at least every 12 months.
What extra details your Privacy Policy needs:
- The data your policy was last updated
- A link titled "Do Not Sell My Personal Information" pointing to a page telling people how to opt out of their data being sold. (This link must also appear at the bottom of your website, in the footer. You don't need the page or the links if you don't sell personal information.)
- Information about the data you have collected, sold and disclosed in the past 12 months using 12 specific categories which differ from those in Apple's disclosure requirement.
- The consumer's right to access their personal data and how to exercise this right
- The consumer's right to delete their personal data and how to exercise this right
- The fact that you will not (and must not) refuse to serve customers, or charge extra, if they exercise their CCPA rights
Personal Information Protection and Electronic Documents Act (PIPEDA) plus equivalent provincial laws in Canada
PIPEDA will affect you if: You collect, use or disclose personal information in the course of a commercial activity.
What extra details your Privacy Policy needs: How data subjects can request access to the personal information you hold about them.
Lei Geral de Proteção de Dados Pessoais (LGPD)
The LGPD affects you if: You collect data in Brazil; you process data while offering goods and services in Brazil; or the data subject lives in Brazil.
What extra details your Privacy Policy needs:
- Your contact details and those of your data protection officer, if applicable
- The legal basis for processing data
- Whether you'll transfer the data outside Brazil and, if so, how you'll safeguard it
- How long you'll keep the data
- Whether the data subject is legally required to give consent and what happens if they don't
- Whether you use the data for automated decision-making
- Your responsibilities in protecting data and an outline of your security measures
- The data subject's rights under the LGPD, including to withdraw consent and demand the relevant data is immediately deleted
Protection of Personal Information Act (POPI)
POPI affects you if: You, the data subject, or the processing itself, are in South Africa.
What extra details your Privacy Policy needs:
- Whether the data subject must supply the data and what happens if they don't
- Which law (if any) says you must collect the data
- Whether you will transfer the data outside South Africa and, if so, how you will safeguard it
Summary
Let's recap what you need to know about Apple's new privacy rules:
- From 8 December 2020, Apple required app publishers to disclose more detailed information about how they handle user data.
- The requirement kicks in whenever you publish a new app or when you update an existing app.
- You'll need to say what data you collect, whether and how you use the data, and whether and how you track the user.
- For each of these questions, you'll need to give specific answers for each of 32 sub-categories (grouped in 14 main categories).
-
For each sub-category you'll also need to say which of the following uses apply:
- Third-Party Advertising
- Developer's Advertising or Marketing
- Analytics
- Product Personalization
- App Functionality
- Other Purposes
- You must provide a link to your publicly accessible Privacy Policy, usually on your website.
- You can choose whether to provide a link to a page where users can manage their privacy choices about your app.
- Very limited exceptions apply, most commonly where a user provides data in a feedback form or when requesting support.
- You must update the disclosures whenever your data practices change.
- Gathering together this information and also publishing it in a Privacy Policy on your website will go a long way to meeting several privacy laws that may apply depending on where your app is available. However, you may need to add extra details and information to comply with other specific laws.
