Here’s How Apple’s App Store ‘Privacy Nutrition Labels’ Will Work
One of the features Apple touted at WWDC among the big list of privacy improvements coming to iOS 14 was the addition of new privacy labels on the App Store pages for each app to give users an easily readable summary of what kind of personal information an app may request before they even download it.
Designed to be similar to the nutrition labels found on many foods, the new labels are intended to help you easily understand exactly what an app is up to without needing to wade through a bunch of descriptive text, and best of all, you can use them to avoid apps that may compromise your privacy in ways you’re not comfortable with.
At WWDC, Apple provided a few examples of what these could look like, but only recently has it actually offered guidelines for developers on what information they will need to submit, since the system relies entirely on self-reporting.
The good news right off the bat is that Apple apparently won’t simply be hoping that developers supply this information on their own initiative; it’s adding a series of privacy questions to the App Store Connect platform that developers will have to answer when submitting new apps or even updates to existing ones.
In its new guidelines, Apple also makes it clear that developers are expected to identify “all possible data collections and uses,” no matter how limited they are in scope, and even if they come from third-party modules and SDKs that are used by their apps. Developers are also expected to keep their responses up to date if the behaviour of their app changes in any way.
The Big List of Data
Apple isn’t holding anything back when it comes to these questions either, and it’s put together a pretty massive list of the types of data that an app might ask for, with all affirmative responses presumably being automatically incorporated into the new “privacy nutrition label” that will appear on the App Store.
Categories include contact info, which is broken down into name, email address, phone number, mailing address, and more, along with health and fitness data, financial info, location data, browsing history, search history, data on third-party contacts stored on the user’s iPhone, emails, text messages, photos, videos, audio recordings, gameplay content, purchase history, usage data, and diagnostics.
There’s also a specific category for “Sensitive Info” that will be used to identify if an app collects “racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data.”
For each of the categories and types of information, developers will also be required to specify exactly how that data is being used and what it will be used for, such as third-party advertising services, first-party ads by the developer themselves, analytics, personalization, or app functionality.
Identifying and Tracking Users
Not only will developers need to note all of the data that they collect through their apps, but they’re also required to disclose any ways in which they link data to the user, such as connecting a user ID, name, or device ID to an online account.
In fact, Apple notes that it will assume that any personally identifiable data is linked to the user unless the developer notes that it has put specific privacy protections in place to de-identify or anonymize the data.
Further, Apple is putting the onus on its developers to identify any third-party partners who use app data to track users; this is something that many developers have traditionally been in the dark about, but now they’ll be expected to know what’s going on with any SDKs or third-party libraries they’re using. So, for example, if a developer uses a Facebook API or other advertising service in their app, they’d better be prepared to read the terms and conditions as Apple will hold them accountable for knowing and reporting on what those APIs are doing in their app.
Developers are required to disclose any situations where targeted ads are displayed in an app based on data collected by third parties, or where device location, email lists, advertising IDs, or other personally identifying info is shared with third parties. Apple also notes that simply using a third-party SDK in an app qualifies as enabling tracking, even if the developer doesn’t use the SDK for that purpose. Facebook’s login SDK would be a good example of this.
However, Apple states that it’s not considered tracking if the data is linked solely on the user’s local device or is not transmitted in any manner that could be used to identify the user or the specific device. Data shared with a data broker that works solely to provide fraud protection, prevention, and security services solely on behalf of the developer is also exempt.
While the new privacy labels feature was announced alongside iOS 14, it’s not necessarily dependent upon the new operating system, although we’d certainly expect it to launch around the same time. However, Apple does not yet seem to have provided any deadlines by which existing developers will be expected to comply for apps that are already on the App Store, although it does appear the questionnaire will need to be completed when submitting new apps or app updates.