Key point: App developers will need to navigate a new privacy questionnaire designed to provide users with an easy-to-understand presentation of an App’s privacy practices.
As of December 8, 2020, Apple requires all newly submitted applications (Apps) on its App Store, or updates to Apps, to include a privacy nutrition label describing the App’s privacy practices. This is in addition to Apple’s existing requirement that all Apps provide a link to a publicly accessible full privacy policy.
The privacy nutrition label is automatically generated based on a developer’s answers to a series of questions about the types of data the App collects (both first-party and third-party collection), how each data type is used, whether the data is linked to the user, and whether the data is used for tracking purposes.
In the post below, we outline the four steps required by Apple.
Step 1: Identify Data Collected (including data collected by third-party partners)
The questionnaire covers fourteen categories of data: contact info, health and fitness, financial info, location, sensitive info, contacts, user content, browsing history, search history, identifiers, purchases, usage data, diagnostics, and other data. Many of those categories are broken down into specific data elements. For example, “contact info” contains the following data elements: name, email address, phone number, physical address, and other user contact info.
Apple makes it optional for businesses to disclose data that meets all of the following requirements:
- The data is not used for tracking purposes, meaning the data is not linked with third-party data for advertising or advertising measurement purposes, or shared with a data broker.
- The data is not used for third-party advertising, the business’s advertising or marketing purposes, or for other purposes (as defined by Apple).
- Collection of the data occurs only in infrequent cases that are not part of the App’s primary functionality, and which are optional for the user.
- The data is provided by the user in the App’s interface, it is clear to the user what data is collected, the user’s name or account name is prominently displayed in the submission form alongside the other data elements being submitted, and the user affirmatively chooses to provide the data for collection each time.
Step 2: For Each Data Element Collected, Disclose How It Is Used
With respect to data use, App developers will need to identify – on a data element by data element basis – whether the data is used for (1) third-party advertising, (2) the developer’s advertising or marketing, (3) analytics, (4) product personalization, (5) App functionality, and (6) other purposes.
Step 3: For Each Data Element Collected, Confirm If It Is Linked to the User’s Identity
Next, App developers must confirm whether each data element is linked to the user’s identity by the developer or any third-party partners. If the data element is covered as “personal information” and “personal data” under relevant privacy laws, Apple directs developers to answer this question in the affirmative.
Step 4: For Each Data Element Collected, Confirm If It Is Used for Tracking Purposes
Finally, App developers will need to confirm whether the data element is used by the developer or any third-party partners for tracking purposes. Apple defines “tracking” as “linking data collected from your app about a particular end-user or device, such as a user ID, device ID, or profile, with Third-Party Data for targeted advertising or advertising measurement purposes, or sharing data collected from your app about a particular end-user or device with a data broker.”
In answering these questions, App developers should ensure that they are not only accurate in their responses but that those responses match the representations made in the App’s full privacy policy. Inconsistencies between the privacy nutrition label and the full privacy policy could lead to claims that the developer is misrepresenting its privacy practices. In addition, App developers should consider using this as an opportunity to ensure that their full privacy policies are updated. That is particularly true for entities subject to the California Consumer Privacy Act, which requires that disclosures be updated every twelve months.