
MacRumors

macrumors bot
Original poster



Apple has announced that, starting October 3, 2018, all new apps and app updates will require a privacy policy in order to be submitted for distribution on the App Store or through TestFlight for beta testing purposes.


Apple already requires a privacy policy for apps that access personal information, including apps that offer subscriptions, accept Apple Pay, or use Apple frameworks such as HomeKit, HealthKit, or CareKit. Now, the requirement will extend to all apps, including basic ones that do not share data in any way.

It does not appear that existing apps on the App Store will be affected by this move until they are updated on October 3 or later, so long-outdated apps may remain without a privacy policy if they are no longer maintained.

Apple detailed the upcoming changes in the News section of its App Store Connect portal for developers on Thursday:
Starting October 3, 2018, App Store Connect will require a privacy policy for all new apps and app updates in order to be submitted for distribution on the App Store or through TestFlight external testing. In addition, your app's privacy policy link or text will only be editable when you submit a new version of your app.

To add or edit your privacy policy for the App Store:

1. Go to My Apps in App Store Connect, and click on your app.
2. Under App Store, click on App Information.
3. In the top right corner, add your privacy policy link for iOS apps or macOS apps, or enter text directly for tvOS apps.
4. Click Save.

To add your privacy policy link to your app for external TestFlight distribution:

1. Go to My Apps in App Store Connect, and click on your app.
2. Under TestFlight, click Test Information.
3. Add your privacy policy link for iOS apps, or enter text directly for tvOS apps.
4. Click Save.

Apple elaborates on its privacy policy requirements in its App Store Review Guidelines, under Section 5.1.1:
Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:

- Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.

- Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) -- such as analytics tools, advertising networks and third party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data -- will provide the same or equal protection of user data as stated in the app's privacy policy and required by these Guidelines.

- Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user's data.

App Store Connect has long provided a privacy policy metadata field for developers to submit a link to their privacy policy webpage for iOS apps. On the Apple TV, there is no web browser, so App Store Connect has a text box for developers to paste the full text of their privacy policy displayed in app.

Article Link: All New and Updated App Store Apps Required to Have a Privacy Policy Starting October
 
I think this will help with transparency (great) but I see another ancillary benefit of weeding out low quality non-viable apps. Devs are going to have to decide if their apps are worth the effort and those that choose not to update with privacy info will find their apps in the realm of abandonware (hopefully)... sort of a self cleaning roomba for the app store.
 
I didn't check but I think it will impact the B2B store as well, but a standard privacy page should be enough. One of the advantages of working for companies with the enterprise membership is avoiding dealing with iTunes Connect and all the boilerplate that goes into publishing an app.

As a user I'm ok with more transparency given to the customer, but I think very few people actually read that stuff
 
I think Apple should change policy on allowing apps access to people's contacts (such as WhatsApp). I don't like that they can—often with a single tap, without knowing too much of what's being asked—hit "Ok" and upload their full address book (including my entry) to Zuckerberg's servers without my more acute understanding re potential consequences of said seemingly innocuous action. And without our permission. What did one dev. say, "it's the wild-west of data collection". Given how much Apple care about security, I'm surprised Apple still allows this.
 
I think this will help with transparency (great) but I see another ancillary benefit of weeding out low quality non-viable apps. Devs are going to have to decide if their apps are worth the effort and those that choose not to update with privacy info will find their apps in the realm of abandonware (hopefully)... sort of a self cleaning roomba for the app store.

I doubt this will be the case, as they will likely just produce one privacy policy to cover all the junk apps and just link to it from each one. All of them most likely contain the same ad services and harvest the same data.
 
If this just means more reams of fine print in very legal language, then people will generally not read them or understand it. Apple should instead force developers to disclose the ramifications in terms of what can go wrong - kind of like the "Risk" sections in a SEC 10Q or 10K form. Give me a list of reasons why anything I do with this app can go (horrendously) wrong - "my security team is my dog, and he may not keep your health records secure for long"
 
I think Apple should change policy on allowing apps access to people's contacts (such as WhatsApp). I don't like that they can—often with a single tap, without knowing too much of what's being asked—hit "Ok" and upload their full address book (including my entry) to Zuckerberg's servers without my more acute understanding re potential consequences of said seemingly innocuous action. And without our permission. What did one dev. say, "it's the wild-west of data collection". Given how much Apple care about security, I'm surprised Apple still allows this.

That's the single reason I've never used WhatsApp. I hate the thought that I have to give them access to the phone numbers, addresses, and email addresses of my friends and family without them being able to consent.
 
This is a good move by Apple. They are making regular changes to protect the privacy of their users and I feel that's extremely valuable. Push your own transparency focus through other companies on your platform as well. It only makes sense. Stuff like this is why customers stay with Apple.
 
How are single devs supposed to deal with this? Let's say you just use Google Analytics (or Firebase). How complicated must this be? More importantly, WHAT IF APPLE STARTS APPROVING OR DENYING BASED ON HOW DETAILED YOUR POLICY TEXT IS?
 
How are single devs supposed to deal with this? Let's say you just use Google Analytics (or Firebase). How complicated must this be? More importantly, WHAT IF APPLE STARTS APPROVING OR DENYING BASED ON HOW DETAILED YOUR POLICY TEXT IS?
That’s my concern too.
Another aspect I’ve read is that the app must include a link to the privacy details whether the app is web enabled or not. So without more clarification it looks like a small developer would have to then have a website that the app can connect to just to tell the user that they’re not collecting anything and that except for that link it wouldn’t otherwise have even connected to the net?
 
How are single devs supposed to deal with this? Let's say you just use Google Analytics (or Firebase). How complicated must this be? More importantly, WHAT IF APPLE STARTS APPROVING OR DENYING BASED ON HOW DETAILED YOUR POLICY TEXT IS?

It's a fair point, but I don't think Apple is demanding that it needs to be super detailed. The developer just needs to be transparent on what data they collect and all uses of said data, who it shares data with, and how to delete said data. In the end, it's good for consumers, so they are putting that over business (although focusing on privacy in itself IS a business decision). Stuff like this will only become more prevalent, better to get used to it now.
 
I believe the good days of the Internet are over.
Terms and Conditions, Privacy regulations, Real Name accounts, central Login Tokens.
In five years it will all be a nightmare, you will have a virtual Photo ID to go to YouPorn, or post a comment here.
(I do both in that order exactly. But I wash my hands.)
 
They need to stop the scam apps locking people into subscriptions for crazy sums of money like $50 a week for stupid camera apps, wallpaper apps etc. There are far too many of them on the app store getting away with it and Apple aren't doing enough to prevent it.

Too many apps offering a free trial then getting people into extortionate money grabs most of the time without the user knowing what they have got themselves into before they installed it.
 
My Privacy Policy
  1. We may collect any data we want, for any purpose without any consent or limitations of any kind whatsoever.
  2. We share the data with whoever we want without any limitations of any kind, for any reason, or no reason at all.
  3. We may retain the data for the duration of eternity and you may not request a copy of it; furthermore we may not correct or delete such data.
Haha no GDPR and I will probably be removed from the Apple Developer program with this Privacy Policy
 
I didn't check but I think it will impact the B2B store as well, but a standard privacy page should be enough. One of the advantages of working for companies with the enterprise membership is avoiding dealing with iTunes Connect and all the boilerplate that goes into publishing an app.

As a user I'm ok with more transparency given to the customer, but I think very few people actually read that stuff

Agreed. I think this is more for the vendors to make sure that what they create is exactly what they stand by in the face of the customer and that if they don’t then Apple quickly pulls their app.
 
That’s my concern too.
Another aspect I’ve read is that the app must include a link to the privacy details whether the app is web enabled or not. So without more clarification it looks like a small developer would have to then have a website that the app can connect to just to tell the user that they’re not collecting anything and that except for that link it wouldn’t otherwise have even connected to the net?

That's easy, just set up a GitHub account, write, in markdown, a simple single paragraph about what your privacy policy is and include the link.

Having several apps, some with default privacy policies and some with detailed and extensive information gathering I've had no problems with Apple in this regard. I just clearly explain what we do. We do, however, have our own website.
 
Just wrote mine. What a pain. I don’t collect any information. Would be nice if we could just check a “we don’t collect anything” box in appstoreconnect.

A checkbox is easy to deny. You could claim later you accidentally checked the box and didn't mean to state you didn't collect anything. If you are forced to provide a specific privacy policy, there is no doubting the intent.
 