This past summer, Apple introduced significant changes for iOS 14 in the data privacy realm (we discussed these here). Among those changes are Apple’s so-called privacy “nutrition labels” intended to better inform consumers of the data collection and privacy practices of individual applications. Apple announced a few days ago that developers will be required to provide these new privacy details to app users starting December 8. This applies to both new apps and any apps already in the App Store that are updated, and developers may already submit details through App Store Connect. Apple has provided more information here.

A few key things to consider when completing the questionnaires:

  • The labels are intended to provide users an overview of an app’s practices using symbols and brief language, because it is a well-known fact that most users do not read privacy policies. That said, Apple has required apps to include a link to their long-form privacy policies for some time (this used to be voluntary), and the new privacy disclosure does NOT do away with this requirement. In other words, in addition to the privacy nutrition label, the long-form privacy policy will also still need to be included. Apple also encourages developers to include a link to a “Privacy Choices” page where users can exercise their privacy rights and decisions.
  • In responding to the questionnaires, developers must disclose information that they collect. Apple defines “collect” as transmitting data off the device in a way that allows the app and/or its third-party partners to access it for a period longer than what is necessary to service the transmitted request in real time. “Third-party partners” refers to analytics tools, advertising networks, third-party SDKs, or other external vendors whose code has been added to the app.
  • As developers complete Apple’s questionnaires – which will then automatically generate the privacy label – there is a risk that the answers do not properly match up with the information contained in the long-form privacy policy drafted by legal or privacy counsel. As such, we recommend ensuring that your engineering and legal teams work together to complete the questionnaires and review the long-form privacy policy to avoid any misalignment. Any such inconsistencies or gaps between Apple’s nutrition label and the long-form privacy notice could potentially be considered a deceptive trade practice. In fact, Apple makes this clear in the link provided above. As an aside, this type of “disclosure gap” comes up often, such as in the context of cookie banners that claim not to drop cookies until a user has opted in but actually (and technically) drop the cookie before the opt-in. It’s a good time to review your privacy policies and just-in-time notices as well as technical implementations to make sure that they are all consistent.
  • When developers respond to the questionnaires, they will need to include information about their own data collection practices AND any third-party technologies that collect data via the app, such as an SDK for advertising or other purposes. Apple states that “[y]ou should have a clear understanding of how each data type is used by you and your third-party partners.” In other words, the challenge here will be to ensure that whatever information is provided about vendors actually aligns with the vendor’s practices, and this could prove very tricky.
  • With respect to disclosures, Apple requires developers to identify all of the data the app or its third-party partners collect, unless the data meets all of the criteria for optional disclosure, which are described in the link above. It also notes that data that is processed only on device is not “collected” and does not need to be disclosed in the questionnaire answers. However, if the app derives anything from that data and then sends it off device, the resulting data should be considered separately.
  • For location data, developers will need to disclose whether they collect coarse or precise location. For apps that collect precise location, but immediately de-identify and coarsen it before storing, developers must disclose that the app collects coarse location.

More information, in particular with respect to tracking, is contained in Apple’s documentation, which is surprisingly thorough and easy to use. However, the key takeaway is that legal and engineering teams should work closely together to ensure that all privacy-related disclosures and technical implementations are properly aligned.