This past summer, Apple introduced significant changes for iOS 14 in the data privacy realm (we discussed these here). Among those changes are Apple’s so-called privacy “nutrition labels” intended to better inform consumers of the data collection and privacy practices of individual applications. Apple announced a few days ago that developers will be required to provide these new privacy details to app users starting December 8. This applies to both new apps and any apps already in the App Store that are updated, and developers may already submit details through App Store Connect. Apple has provided more information here.
A few key things to consider when completing the questionnaires:
- In responding to the questionnaires, developers must disclose information that they collect. Apple defines “collect” as transmitting data off the device in a way that allows the app and/or its third-party partners to access it for a period longer than what is necessary to service the transmitted request in real time. “Third-party partners” refers to analytics tools, advertising networks, third-party SDKs, or other external vendors whose code has been added to the app.
- When developers respond to the questionnaires, they will need to include information about their own data collection practices AND any third-party technologies that collect data via the app, such as an SDK for advertising or other purposes. Apple states that “[y]ou should have a clear understanding of how each data type is used by you and your third-party partners.” In other words, the challenge here will be to ensure that whatever information is provided about vendors actually aligns with the vendor’s practices, and this could prove very tricky.
- With respect to disclosures, Apple requires developers to identify all of the data the app or its third-party partners collect, unless the data meets all of the criteria for optional disclosure, which are described in the link above. It also notes that data that is processed only on device is not “collected” and does not need to be disclosed in the questionnaire answers. However, if the app derives anything from that data and then sends it off device, the resulting data should be considered separately.
- For location data, developers will need to disclose whether they collect coarse or precise location. For apps that collect precise location but immediately de-identify and coarsen it before storing, developers must disclose that the app collects coarse location.
More information, in particular with respect to tracking, is contained in Apple’s documentation, which is surprisingly thorough and easy to use. However, the key takeaway is that legal and engineering teams should work closely together to ensure that all privacy-related disclosures and technical implementations are properly aligned.