Apple Offers Developers Clarification on Some App Privacy Data Reporting Requirements

[MacRumors]

Apple today informed developers that it has introduced additional guidance for App Store privacy labels, a feature that Apple has been requiring for all apps since December.

Apple says that rules surrounding data types like email, text messages, and gameplay content have been expanded to make it easier for developers to understand and comply with requirements.

Additional details have been published on completing your App Store privacy labels, including more information about data types, such as email or text messages, and gameplay content. You'll also find more information about data collected in web views and data that may be entered by users within documents or other file types.

On its developer website, Apple has a detailed list of the kind of information that developers must provide for their apps, and explanations of the types of data collection that must be disclosed.

Data collection for tracking purposes, third-party advertising, marketing, and other reasons must be disclosed to users, and developers are required to self-report using Apple's guidelines. As of December, Apple has been requiring App Store developers to provide App Privacy label information to submit new apps and app updates to the App Store.

Apple does not check the data that each app submits, and in January, The Washington Post found more than a dozen apps providing inaccurate or misleading data in their privacy labels.

Apple said in response that it is subjecting developers to routine and ongoing audits of information provided. The company works with developers to correct inaccuracies and has said that apps that fail to disclose accurate privacy information may have future updates rejected or could be removed from the App Store entirely.

Article Link: Apple Offers Developers Clarification on Some App Privacy Data Reporting Requirements

 

[Apple_Robert]

If Apple does not check the data that each app submits, what is to stop developers from lying about their privacy label sans Apple doing a random audit? I may be missing something here but, that lack of follow-up with each app defeats the purpose of moving towards more transparency and privacy, in my opinion.

 

[icanhazmac]

Apple said in response that it is subjecting developers to routine and ongoing audits of information provided. The company works with developers to correct inaccuracies and has said that apps that fail to disclose accurate privacy information may have future updates rejected or could be removed from the App Store entirely.

Excellent, thank you Apple! Without consequences devs will just lie/omit.

 

[aesc80]

If Apple does not check the data that each app submits, what is to stop developers from lying about their privacy label sans Apple doing a random audit? I may be missing something here but, that lack of follow-up with each app defeats the purpose of moving towards more transparency and privacy, in my opinion.

It's sort of random, but normally there is a good amount of checking that's done. That being said, it's difficult to check every submission that goes through Apple Connect for compliance. It's definitely one job I'm glad I'm not doing (but also tip my hat to those at Apple that do).

 

[LFC2020]

Give us the mark zuckerberg update already. 😁

 

[Daveoc64]

If Apple does not check the data that each app submits, what is to stop developers from lying about their privacy label sans Apple doing a random audit? I may be missing something here but, that lack of follow-up with each app defeats the purpose of moving towards more transparency and privacy, in my opinion.

Apple can't check what happens to the data - it's simply not possible.

As the article says, the privacy label is intended to tell users when their data is used for purposes like marketing and ads. The privacy label system has different sections to cover the different ways in which data can be collected and used.

If an app only uses your email address to send you password reset emails and nothing else, that can be declared in one place on the privacy label. If the app uses email addresses to track you for advertising purposes, that goes in a different place. If the app only uses email addresses in exceptional circumstances (e.g. when filling out an optional feedback form), the app may not need to declare that it collects email addresses at all.

Apple can't verify what happens to the data once it goes to the app developer's servers. If they say it's just for logging in, Apple has to trust that, unless proven otherwise.

 

[MacBH928]

The privacy labels is a joke. you can't understand it. Its so vague. For example the Gmail app says:

Purchases: What purchases, Its an email app not a store front.
Identifiers: Like what? My IP address or my DNA?
Other Data: Yes, ok I got it.
Search History: What search history? From the Safari browser? Chrome? My computer? TV?

add to that you can never know whats going on in a closed source program.

 

[TheYayAreaLiving 🎗️]

Release iOS 14.5 already please 😞

 

[Baritone_Guy]

The privacy labels is a joke. you can't understand it. Its so vague. For example the Gmail app says:

Purchases: What purchases, Its an email app not a store front.
Identifiers: Like what? My IP address or my DNA?
Other Data: Yes, ok I got it.
Search History: What search history? From the Safari browser? Chrome? My computer? TV?

add to that you can never know whats going on in a closed source program.

I agree completely. Made a similar comment yesterday on the Gmail article. We need better explanations. I suspect if they did that the nutrition labels would read like a book.

 

[fernelius]

Apple can't check what happens to the data - it's simply not possible.

As the article says, the privacy label is intended to tell users when their data is used for purposes like marketing and ads. The privacy label system has different sections to cover the different ways in which data can be collected and used.

If an app only uses your email address to send you password reset emails and nothing else, that can be declared in one place on the privacy label. If the app uses email addresses to track you for advertising purposes, that goes in a different place. If the app only uses email addresses in exceptional circumstances (e.g. when filling out an optional feedback form), the app may not need to declare that it collects email addresses at all.

Apple can't verify what happens to the data once it goes to the app developer's servers. If they say it's just for logging in, Apple has to trust that, unless proven otherwise.

This is very accurate. Unless Apple can continuously monitor every app and every server it talks to, they can't guarantee the app meets the self-reporting designations. This would be absolutely unmanageable for Apple to attempt, and even if they could, many companies would find it too invasive. I am glad, however, that Apple is doing this. First, honest companies will report accurately (to the best of their ability), and that's helpful.

This, admittedly, leaves a significant hole. Companies can lie; however, in that they have self-reported publicly what the app does, I suspect they could face some very significant lawsuits and government scrutiny in some cases if they do lie and get caught. The danger of such a lawsuit should be sufficient to scare a number of companies into compliance. Some companies may take advantage of limited enforcement across national boundaries, lack of detection, and other means with hopes they don't suffer repercussions. I suspect countries who want a vibrant app development economy may start cracking down eventually on companies that lie. If they don't people may be reluctant to buy apps from their country.

 

[Blowback]

If Apple does not check the data that each app submits, what is to stop developers from lying about their privacy label sans Apple doing a random audit? I may be missing something here but, that lack of follow-up with each app defeats the purpose of moving towards more transparency and privacy, in my opinion.

My guess is this is 'step 1' with many to follow. Not a lawyer but there may be some legal (ie; Apple with its deep pockets becomes 'responsible ' for _____ fill in the blank) reason. Again, this is just the start of a good thing....maybe even a 'wink' to the congress critters as to what path to follow????

 

[amartinez1660]

It's sort of random, but normally there is a good amount of checking that's done. That being said, it's difficult to check every submission that goes through Apple Connect for compliance. It's definitely one job I'm glad I'm not doing (but also tip my hat to those at Apple that do).

I see it like speeding or even drug trafficking for going to an even more of an extreme example... they won’t catch everybody but the fact that they catch some it’s good enough of a deterrent and just be compliant. The harsher the punishment the more people will fall in line, thing is, this doesn’t really warrant an iron fist... a dev might not even know the full privacy implications of using a specific xKit library in all honesty. And it’s reasonable since that’s the purpose, using it and solving the problem at hand.
Sadly that means that bad agents will use that free test of having a second chance to “correct inaccuracies”.

 

[Tech198]

If Apple does not check the data that each app submits, what is to stop developers from lying about their privacy label sans Apple doing a random audit? I may be missing something here but, that lack of follow-up with each app defeats the purpose of moving towards more transparency and privacy, in my opinion.

I believe this only says to new apps only. It's like a half-baked cookie... No one would want it.

When searching for old apps, before this privacy reporting came out,, the privacy section for is now there is there, but "No information for this" appears.

If Apple can say with confidence they have removed all 32-bits on the App store, they can plonk this one in the butt as well. Or just say "only new apps are eligible for privacy reporting"

 

[cupcakes2000]

I believe this only says to new apps only. It's like a half-baked cookie... No one would want it.

When searching for old apps, before this privacy reporting came out,, the privacy section for is now there is there, but "No information for this" appears.

If Apple can say with confidence they have removed all 32-bits on the App store, they can plonk this one in the butt as well. Or just say "only new apps are eligible for privacy reporting"

Once those apps get updated they’ll need to have the report. If they don’t get updated then that’s up to you whether you want (what will eventually be) a dead app and risk the lack of privacy info.

 

[mazz0]

If Apple does not check the data that each app submits, what is to stop developers from lying about their privacy label sans Apple doing a random audit? I may be missing something here but, that lack of follow-up with each app defeats the purpose of moving towards more transparency and privacy, in my opinion.

Isn't that what addressed by:

Apple said in response that it is subjecting developers to routine and ongoing audits of information provided. The company works with developers to correct inaccuracies and has said that apps that fail to disclose accurate privacy information may have future updates rejected or could be removed from the App Store entirely

 

[qoop]

I threw my iPhone 6S into the sea yesterday. Creepy developers can track some fish instead.

 

[makitango]

Apple can't check what happens to the data - it's simply not possible.

As the article says, the privacy label is intended to tell users when their data is used for purposes like marketing and ads. The privacy label system has different sections to cover the different ways in which data can be collected and used.

If an app only uses your email address to send you password reset emails and nothing else, that can be declared in one place on the privacy label. If the app uses email addresses to track you for advertising purposes, that goes in a different place. If the app only uses email addresses in exceptional circumstances (e.g. when filling out an optional feedback form), the app may not need to declare that it collects email addresses at all.

Apple can't verify what happens to the data once it goes to the app developer's servers. If they say it's just for logging in, Apple has to trust that, unless proven otherwise.

Some few weeks ago there was a news article here on MacRumors about researchers checking and finding that more than a dozen apps out of 100 presented wrong labels.
If they can find out I‘m sure Apple can as well.

 

[MacBH928]

I agree completely. Made a similar comment yesterday on the Gmail article. We need better explanations. I suspect if they did that the nutrition labels would read like a book.

They can simplify it by saying:-

1 What they see
2 What they will store
3 How they will use it.

For example
Able to see:- Messages, Pictures, location, network/cell service
Stored for 6 months : Sessions, messages, finger clicks, time of operation
Used: messages shared with 3rd party to deliver your personalized ads.

 

[Daveoc64]

They can simplify it by saying:-

1 What they see
2 What they will store
3 How they will use it.

For example
Able to see:- Messages, Pictures, location, network/cell service
Stored for 6 months : Sessions, messages, finger clicks, time of operation
Used: messages shared with 3rd party to deliver your personalized ads.

The difficulty is that some apps are entirely offline, so even if they do use your location, they don't send that location to a server or anything, so it's wrong for Apple to claim that the app developer can see your data.

 

[MacBH928]

The difficulty is that some apps are entirely offline, so even if they do use your location, they don't send that location to a server or anything, so it's wrong for Apple to claim that the app developer can see your data.

If its offline and the developer does not see my data then who cares? Only me and the metal in my hand knows about it. It does not require a "privacy label".