Keypoint: App developers will need to navigate a new privacy questionnaire designed to provide users with an easy-to-understand presentation of an App’s privacy practices.

As of December 8, 2020, Apple now requires all newly submitted applications (Apps) on its App Store, or updates to Apps, to include a privacy nutrition label describing the App’s privacy practices. This is in addition to Apple’s existing requirement that all Apps provide a link to a publicly accessible full privacy policy.

The privacy nutrition label is automatically generated based on a developer’s answers to a series of questions about the types of data the App collects (both first-party and third-party collection), how each data type is used, whether the data is linked to the user, and whether the data is used for tracking purposes.

In the post below, we outline the four steps required by Apple.

Step 1: Identify Data Collected (including data collected by third-party partners)

The questionnaire covers fourteen categories of data: contact info, health and fitness, financial info, location, sensitive info, contacts, user content, browsing history, search history, identifiers, purchases, usage data, diagnostics, and other data. Many of those categories are broken down into specific data elements. For example, “contact info” contains the following data elements: name, email address, phone number, physical address, and other user contact info.

Apple makes it optional for businesses to disclose data that meets all of the following requirements:

  • The data is not used for tracking purposes, meaning the data is not linked with third-party data for advertising or advertising measurement purposes, or shared with a data broker.
  • The data is not used for third-party advertising, the business’s advertising or marketing purposes, or for other purposes (as defined by Apple).
  • Collection of the data occurs only in infrequent cases that are not part of the App’s primary functionality, and which are optional for the user.
  • The data is provided by the user in the App’s interface, it is clear to the user what data is collected, the user’s name or account name is prominently displayed in the submission form alongside the other data elements being submitted, and the user affirmatively chooses to provide the data for collection each time.

Step 2: For Each Data Element Collected, Disclose How It Is Used

With respect to data use, App developers will need to identify – on a data element by data element basis – whether the data is used for (1) third-party advertising, (2) the developer’s advertising or marketing, (3) analytics, (4) product personalization, (5) App functionality, and (6) other purposes.

Step 3: For Each Data Element Collected, Confirm If It Is Linked to the User’s Identity

Next, App developers must confirm whether each data element is linked to the user’s identity by the developer or any third-party partners. If the data element is covered as “personal information” and “personal data” under relevant privacy laws, Apple directs developers to answer this question in the affirmative.

Step 4: For Each Data Element Collected, Confirm If It Is Used for Tracking Purposes

Finally, App developers will need to confirm whether the data element is used by the developer or any third-party partners for tracking purposes. Apple defines “tracking” as “linking data collected from your app about a particular end-user or device, such as a user ID, device ID, or profile, with Third-Party Data for targeted advertising or advertising measurement purposes, or sharing data collected from your app about a particular end-user or device with a data broker.”

In answering these questions, App developers should ensure that they are not only accurate in their responses but that those responses match the representations made in the App’s full privacy policy. Inconsistencies between the privacy nutrition label and the full privacy policy could lead to claims that the developer is misrepresenting its privacy practices. In addition, App developers should consider using this as an opportunity to ensure that their full privacy policies are updated. That is particularly true for entities subject to the California Consumer Privacy Act, which requires that disclosures be updated every twelve months.

David Stauss

David is leader of Husch Blackwell’s privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents clients in data security-related litigation. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Malia Rogers

Clients of all sizes – from innovative startups to Fortune 500 corporations – value Malia’s counsel on a broad range of privacy and cybersecurity issues, including incident response in times of emergency. She advises clients on privacy compliance planning, which encompasses cybersecurity measures as well as drafting breach response and action plans.

Shelby Dolen

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios.