Apple Requiring App Developers to Disclose Privacy Details in App Store
During its summer conference this year, Apple announced that later in 2020, it would require application developers to provide in-depth detail regarding their data collection and use practices to give users more information and control over the data that applications collect and share. In early November, Apple reaffirmed its commitment to disclosing data collection and use practices to its users and announced that effective December 8, 2020, all Mac and iOS applications published or updated in the iOS App Store or Mac App Store will be required to disclose details regarding all of the data that the application collects and uses.
Application developers will be presented with a number of privacy questions in Apple’s App Store Connect prior to publishing a new application or updating an existing application, which will require the disclosure of the types and categories of data collected by the application or its third-party partners unless certain exceptions apply. The responses to the privacy questions will be used to update the application’s product page within the applicable App Store to inform users about its data collection and usage in a graphical format that utilizes icons so users understand the privacy practices without the need to read a textual privacy notice. Many in the industry are calling it a “nutrition label” for every application offered on the App Stores.
Apple is impressing upon its developers the requirement to understand and disclose how data will be used by the application and its third-party partners, including disclosing whether each data type collected is linked to the user’s identity. For example, if the application collects a user’s email address and uses it to authenticate the user for evaluating the user’s behavior or measuring audience size or characteristics, disclosure is required. These requirements will be in addition to the requirement to post the URL of the developer’s publicly accessible privacy policy.
Certain narrowly defined data collection activities will not require disclosure. Generally, disclosure is not required if all of the following criteria are met: the data is not used for tracking purposes (i.e., the data is not linked with data from third parties for advertising or advertising measurement purposes, or shared with a data broker); the data is not used for the developer's advertising or marketing purposes, or a third party's advertising purposes; the data collection occurs so infrequently that the collection is not part of the application's primary function and the collection is optional for the user; and the data is provided by the user in the application's user interface, it is clear to the user what data is being collected, the user name or account is prominently displayed in the submission form along with other data elements being submitted, and the user affirmatively chooses to provide the data each time it is collected. However, if the application meets some, but not all, of these criteria, the developer must still provide the disclosure. In this context, tracking refers to linking data collected about a user or device with third-party data for advertising or advertising measurement purposes, or sharing data about a user or device with a data broker. Some examples of data types that do not need to be disclosed include optional feedback or customer service requests that are not part of the primary purpose of the application and otherwise meet all of the foregoing criteria.
Developers of applications published on the App Stores prior to December 8, 2020, will not be required by Apple to take any action until an update to the application is published. If an application developer provides false, incorrect, or misleading responses to the privacy questions, this may violate Apple's terms of use and lead to the removal of the application from the App Stores. In addition to removal from the App Stores, false or misleading practices governing the collection and use of data could lead to enforcement action from state or federal (e.g., the FTC) authorities for unfair and deceptive trade practices.
Key Takeaways
- Businesses would be well-served to review their data collection practices and their third-party service providers’ data collection practices in advance of any updates to an existing application or the rollout of a new application.
- All reviews should encompass an audit and comparison of all relevant privacy policies and terms of use, not only for the business but also for the third-party service providers. An application's privacy policy should include references to the third party's data collection and use practices.
- Additionally, contracts with third-party service providers should include representations and warranties regarding the collection and use of data obtained from the application and compliance with the application owner’s policies on collecting and using data.
For questions or additional information on this topic, please contact any of the authors or your Foley relationship partner.