- 1.1. Data Collection and Storage
- 1.2. Permission
- 1.3. Minimization
- 1.4. Access
- 1.5. Account Sign-in
- 1.6. Using and Sharing Data
- 1.7. Health Information
- 1.8. Children
- 1.9. Location Services
- 3.1. What Data You Collect
- 3.2. How Long Data is Stored For
- 3.3. How Data is Used
- 3.4. Who Has Access to Data/Data Shared With Third Parties
- 3.5. Security of Data
- 3.6. Payment Processing
- 3.7. User Rights
- 3.8. Cookies
- 3.9. Do Not Track (DNT) Clause
- 3.10. Children
- 3.11. Changes to the Policy
- 3.12. Contact Information
- 4.1. App Store Listing
- 4.2. Within Your App
- 4.2.1. Settings Menu
- 4.2.2. Login Screen or Pop-Up on Opening the App
- 4.2.3. Checkout Page for E-commerce Apps
- 4.2.4. About Section
- 5. Summary
Apple has issued a set of guidelines that detail the privacy requirements of an iOS App.
Let's break down exactly what the guidelines require and how to comply.
Data Collection and Storage
5.1.1 Data Collection and Storage
- Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.
- Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user's data.
- What data is collected
- How long personal information is stored
- Who the data is shared with (including analytics tools such as Google analytics)
- What rights users have over their data (such as deletion of data)
The guidelines state that your app must get consent from users before collecting their data:
(ii) Permission: Apps that collect user or usage data must secure user consent for the collection, even if such data is considered to be anonymous at the time of or immediately following collection. Paid functionality must not be dependent on or require a user to grant access to this data. Apps must also provide the customer with an easily accessible and understandable way to withdraw consent. Ensure your purpose strings clearly and completely describe your use of the data. Apps that collect data for a legitimate interest without consent by relying on the terms of the European Union's General Data Protection Regulation ("GDPR") or similar statute must comply with all terms of that law. Learn more about Requesting Permission.
There is also a section about not collecting or using personal data unnecessarily. The only data your app should collect is data it needs to function properly and accomplish relevant tasks:
(iii) Data Minimization: Apps should only request access to data relevant to the core functionality of the app and should only collect and use data that is required to accomplish the relevant task. Where possible, use the out-of-process picker or a share sheet rather than requesting full access to protected resources like Photos or Contacts.
The access part of the guidelines makes it clear that apps must never try to manipulate or force users to consent to unnecessary data collection. Apple provides an example of manipulation in the following clause:
(iv) Access: Apps must respect the user's permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access. For example, apps that include the ability to post photos to a social network must not also require microphone access before allowing the user to upload photos. Where possible, provide alternative solutions for users who don't grant consent. For example, if a user declines to share Location, offer the ability to manually enter an address.
This clause also warns developers against collecting data unnecessarily.
For example, your app shouldn't require users to enter personal information unless it's needed to function - this includes login details. If you don't need users to have a user account, your app should let people use it without one. The clause makes it clear that retrieving profile information, sharing to social networks or inviting friends are not considered necessary to function.
If users can link to their social network, your app must have an option to revoke this access.
The user must give their explicit consent for their personal data to be accessed - any app that collects personal data indirectly or secretly will be removed from the App Store:
(v) Account Sign-In: If your app doesn't include significant account-based features, let people use it without a log-in. Apps may not require users to enter personal information to function, except when directly relevant to the core functionality of the app or required by law. If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism. Pulling basic profile information, sharing to the social network, or inviting friends to use the app are not considered core app functionality. The app must also include a mechanism to revoke social network credentials and disable data access between the app and social network from within the app. An app may not store credentials or tokens to social networks off of the device and may only use such credentials or tokens to directly connect to the social network from the app itself while the app is in use.
Using and Sharing Data
Firstly, it's essential that you advise users how you use their data and who their data is shared with. Any data you collect cannot be used for a different purpose than the one you gained consent for, without gaining further consent.
The guidelines also state that developers must not build a user profile from the data they collect, or collect data about which other apps users have installed, for the purpose of advertising or marketing to them.
Apple also restricts the use of data gathered from its built-in APIs for the purposes of advertising or use-based data mining:
5.1.2 Data Use and Sharing
(i) Unless otherwise permitted by law, you may not use, transmit, or share someone's personal data without first obtaining their permission. You must provide access to information about how and where the data will be used. Data collected from apps may only be shared with third parties to improve the app or serve advertising (in compliance with the Apple Developer Program License Agreement.). Apps that share user data without user consent or otherwise complying with data privacy laws may be removed from sale and may result in your removal from the Apple Developer Program.
(ii) Data collected for one purpose may not be repurposed without further consent unless otherwise explicitly permitted by law.
(iii) Apps should not attempt to surreptitiously build a user profile based on collected data and may not attempt, facilitate, or encourage others to identify anonymous users or reconstruct user profiles based on data collected from Apple-provided APIs or any data that you say has been collected in an "anonymized," "aggregated," or otherwise non-identifiable way.
(iv) Do not use information from Contacts, Photos, or other APIs that access user data to build a contact database for your own use or for sale/distribution to third parties, and don't collect information about which other apps are installed on a user's device for the purposes of analytics or advertising/marketing.
(v) Do not contact people using information collected via a user's Contacts or Photos, except at the explicit initiative of that user on an individualized basis; do not include a Select All option or default the selection of all contacts. You must provide the user with a clear description of how the message will appear to the recipient before sending it (e.g. What will the message say? Who will appear to be the sender?).
(vi) Data gathered from the HomeKit API, HealthKit, Consumer Health Records API, MovementDisorder APIs, ClassKit or from depth and/or facial mapping tools (e.g. ARKit, Camera APIs, or Photo APIs) may not be used for marketing, advertising or use-based data mining, including by third parties. Learn more about best practices for implementing CallKit, HealthKit, ClassKit, and ARKit.
(vii) Apps using Apple Pay may only share user data acquired via Apple Pay with third parties to facilitate or improve delivery of goods and services.
Any data related to health is classed as sensitive personal data.
Apple states that the only time it is appropriate to use and store data relating to the user's health and fitness is when it is providing a direct benefit to the user. It is essential in these cases that you disclose the specific health data which is being collected:
5.1.3 Health and Health Research
Health, fitness, and medical data are especially sensitive and apps in this space have some additional rules to make sure customer privacy is protected:
(i) Apps may not use or disclose to third parties data gathered in the health, fitness, and medical research context - including from the Clinical Health Records API, HealthKit API, Motion and Fitness, MovementDisorder APIs, or health-related human subject research - for advertising, marketing, or other use-based data mining purposes other than improving health management, or for the purpose of health research, and then only with permission. Apps may, however, use a user's health or fitness data to provide a benefit directly to that user (such as a reduced insurance premium), provided that the app is submitted by the entity providing the benefit, and the data is not shared with a third party. You must disclose the specific health data that you are collecting from the device.
(ii) Apps must not write false or inaccurate data into HealthKit or any other medical research or health management apps, and may not store personal health information in iCloud.
(iii) Apps conducting health-related human subject research must obtain consent from participants or, in the case of minors, their parent or guardian. Such consent must include the (a) nature, purpose, and duration of the research; (b) procedures, risks, and benefits to the participant; (c) information about confidentiality and handling of data (including any sharing with third parties); (d) a point of contact for participant questions; and (e) the withdrawal process.
(iv) Apps conducting health-related human subject research must secure approval from an independent ethics review board. Proof of such approval must be provided upon request.
The guidelines remind app owners of the importance of complying with the Children's Online Privacy Protection Act (COPPA). Apps can ask for children's date of birth and parent's contact information for the sole purpose of complying with these laws:
For many reasons, it is critical to use care when dealing with personal data from kids, and we encourage you to carefully review all the requirements for complying with laws like the Children's Online Privacy Protection Act ("COPPA"), the European Union's General Data Protection Regulation ("GDPR"), and any other applicable regulations or laws.
Apps may ask for birthdate and parental contact information only for the purpose of complying with these statutes, but must include some useful functionality or entertainment value regardless of a person's age.
Apps intended primarily for kids should not include third-party analytics or third-party advertising. This provides a safer experience for kids. In limited cases, third-party analytics and third-party advertising may be permitted provided that the services adhere to the same terms set forth in Guideline 1.3.
As a reminder, Guideline 2.3.8 requires that use of terms like "For Kids" and "For Children" in app metadata is reserved for the Kids Category. Apps not in the Kids Category cannot include any terms in app name, subtitle, icon, screenshots or description that imply the main audience for the app is children.
Your app should only use location services if it's 'directly relevant to the features and services provided.'
5.1.5 Location Services
Use Location services in your app only when it is directly relevant to the features and services provided by the app. Location-based APIs shouldn't be used to provide emergency services or autonomous control over vehicles, aircraft, and other devices, except for small devices such as lightweight drones and toys, or remote control car alarm systems, etc. Ensure that you notify and obtain consent before collecting, transmitting, or using location data. If your app uses location services, be sure to explain the purpose in your app; refer to the Human Interface Guidelines for best practices on doing so.
If your app is an e-commerce app it will likely also collect billing and shipping information. Alternatively, a third party processor may do this on your behalf.
For example, the EU's General Data Protection Regulation (GDPR) and the California Online Privacy Protection Act (CalOPPA) both state that Privacy Policies are a legal requirement for companies that collect personal data.
It's important to note that the GDPR will apply to you if your app is accessible to people located in the EU. Equally, CalOPPA will apply if your app is accessible to residents of California.
What Data You Collect
This is a good opening clause as it advises users what types of personal data your app collects and how it is collected.
Expedia advises what personal information the app collects and why it's collected. The app separates the data it collects into information provided by the customer directly and information that is collected automatically. Each section has a detailed account of why information is collected:
There's a special section here to cover what information is collected through the Expedia app:
How Long Data is Stored For
Your app should tell users how long you will retain their personal data for.
Etsy advises that the retailer will only retain data for as long as necessary and does not provide a set period of time. Since Etsy is a platform for e-commerce retailers, the policy also advises that Etsy sellers may be required to retain data to comply with their legal obligations:
Calm advises that the app retains data for as long as necessary:
How Data is Used
Both the law and the App Store Guidelines require app owners to inform users how they use personal data.
Who Has Access to Data/Data Shared With Third Parties
You should include a clause which tells users who can or might access their data. When drafting this clause, consider who can access users' data internally, as well as externally (third parties).
If your app is an e-commerce app, it's likely you share data with third-party payment processors. Make sure you advise users who their data is shared with and why.
Ideally, you should provide a link to any third party policies to enable users to find and view them easily.
Property app Rightmove includes a clause about access to data which explains who can access data both internally and externally. The clause informs users that if the business were sold or merged, users' data may be disclosed to the buyer:
Urban Outfitters explains that data is shared with the 'corporate family' and may also be shared with sister companies or third parties used to fulfill services, such as processing data and payments. The clause also advises users where data is stored and stresses that the company only grants access to data on a need-to-know basis:
The clause includes information about how users can update or delete personal information, which is useful in case someone has shared information with UO and wants to make sure it won't be shared with anyone else.
Security of Data
For example, e-commerce app ShopClues states that the app uses a secure server which encrypts all information sent by users. The clause goes on to explain how the retailer prevents unauthorized access to data:
Similarly, PayPal includes a clause which advises users of the security measures in place with regard to data protection. The company states that these measures include firewalls, encryption and physical access controls. The clause also reminds users that they are responsible for keeping their passwords secure:
Clothing app Nasty Gal discloses its security measures and reassures users that any third party contracted to process data is required to have security measures in place. The clause also states that users will be notified in the event of a breach:
Calm advises who processes customer payments and what personal data they may collect to do so:
You should also include a clause which informs users of their rights. If your app is accessible to EU citizens it's important to include all of the rights given by the GDPR, including the right to:
- Be informed
- Withdraw consent
- Access information
- Erase data
- Correct inaccurate data
- Object to or restrict processing
- Data portability
There are also rights involving automated decision making and profiling.
Nasty Gal lists all of the rights given under the GDPR and advises how customers can exercise them:
Rather than simply listing user rights, Candy Crush breaks down each right individually:
After going into detail about each right, the app suggests alternative ways for users to control what information is collected. For example, users can disconnect their Facebook from the game or limit ad tracking using their cell phone settings:
Candy Crush provides a detailed cookies clause which explains why cookies and ad identifiers are used:
Nasty Gal briefly explains why cookies are used and links to a separate Cookies Policy. In addition, the retailer advises how to opt out of cookies but warns users they will not be able to access all features if they do so:
Do Not Track (DNT) Clause
It's a legal requirement under CalOPPA to have a DNT clause if your app is accessible to residents of California.
Users can make DNT requests through their browsers in an attempt to stop companies from tracking their online behavior. Your clause must state how your app responds to DNT requests.
Your app does not legally need to respond to these requests or follow the DNT setting - it simply needs to notify users of your policy.
Calm explains what DNT is and informs users that the app does not respond to such requests:
This clause advises whether you collect data from minors. It's essential to include, since the Children's Online Privacy Protection Act (COPPA) makes it unlawful to collect the data of children under 13 without obtaining their parents' or guardians' consent.
Calm advises that the app is not intended to be used by children under the age of 13. The policy also states that if the developers learn that the app has collected the data of a child under 13, it will be deleted:
Similarly, the Wish app states that the app does not knowingly collect personal data from children under the age of 13 and the retailer will delete any information of this kind. This clause is quite detailed and includes a paragraph specific to EU residents regarding consent:
Changes to the Policy
You should include a clause which explains your app's policy is subject to change. It's also a good idea to advise users whether they will be notified of any changes and via what method(s).
Ideally, users should be asked to consent to any changes to the terms - particularly in the case of material changes.
Rightmove advises that users may be required to accept a change of terms in order to continue to use the app:
Etsy informs users that they will be told about any material changes:
Choices also notes that the app will inform users of any changes, however this time the app says they will do this before the changes are made:
Etsy provides a link to the store's 'Help Center,' alongside an email address and two physical addresses depending on what part of the world the user is in:
Your users will greatly appreciate this clause in case they wish to reach out to you.
App Store Listing
Once you've added your link, make sure you press 'save'!
From the website, the user can return to the App Store by clicking the button at the top left:
Within Your App
Candy Crush places the app's policy directly under Settings:
Etsy does a similar thing, except the app has a 'legal' section under settings which leads to the retailer's legal policies:
Login Screen or Pop-Up on Opening the App
You may choose to do this in the form of a pop-up, like H&M has done in this example:
Checkout Page for E-commerce Apps
If you want to gain users' consent, add a checkbox and an 'I agree' statement. This is a good idea since customers will not be able to say they didn't agree to your terms.
The guidelines state that the Policy must be linked to in the App Store Connect metadata field, as well as within the app itself.
- What types of personal data you collect
- How and why you collect the data
- Who has access to the data
- How you protect the data
- What rights users have over their data