During its annual Worldwide Developers Conference this summer, Apple announced a handful of new consumer-oriented privacy features coming to its software and devices. One feature will require app publishers to disclose information regarding their apps’ data collection and use practices in what some are referring to as a privacy “nutrition label.” Another significant privacy feature will require businesses to assess whether they are “tracking” users of their apps and, if so, obtain opt-in consent from users to continue the practice.

Privacy Nutrition Labels

On November 5, 2020, Apple announced that the privacy nutrition label requirement will apply to new apps and updates submitted on or after December 8, 2020. Starting December 8, all new apps and app updates must include the following information before they can be published in the App Store:

  • Which of Apple’s 14 predetermined types of data you collect (Contact Info, Health and Fitness, Financial Info, Location, Sensitive Info, Contacts, User Content, Browsing History, Search History, Identifiers, Purchases, Usage Data, Diagnostics, and Other Data).
  • Which of Apple’s six predetermined purpose(s) for collecting data describe your purposes for collecting each type of data you collect (Third-Party Advertising, Developer’s Advertising or Marketing, Analytics, Product Personalization, App Functionality, and Other Purposes).
  • Which of the types of data you collect are “linked” to the user’s identity (linked is not defined, but Apple says that data considered personal data or personal information under “relevant privacy laws” are considered linked to the user’s identity).
  • Which of the types of data you collect are used for “tracking” the user (Apple defines tracking as “linking data collected from your app about a particular end-user or device, such as a user ID, device ID, or profile, with Third-Party Data for targeted advertising or advertising measurement purposes, or sharing data collected from your app about a particular end-user or device with a data broker”).

This information will then be compiled by Apple and presented on the app’s App Store page in Apple’s standardized privacy nutrition label format.

For most companies, a member of the product development team will be responsible for providing the required privacy information to Apple when submitting a new app or an app update. Accordingly, businesses and their legal departments should proactively prepare to address the new disclosure obligations and ensure that the information aligns with the organization’s other public disclosures concerning its privacy practices (e.g., online privacy policies). Providing inaccurate information in this context could trigger a violation of the App Store’s terms of use, which could result in suspension or removal of an app or provoke allegations of unfair and deceptive practices under Section 5 of the Federal Trade Commission Act or analogous state laws regarding unfair competition. For more information on state enforcement actions brought against app publishers, see this blog post.

For apps currently available in the App Store, there is no need to provide a new privacy disclosure until developers submit an update to that app. To help companies prepare for these detailed disclosure requirements, Apple has released guidance explaining exactly what information will be required and how to enter that information when submitting a new or updated app.  On November 24, 2020, Apple posted a reminder of the coming changes on its developer website.

User Consent for Tracking

Although initially intended to launch in fall 2020 alongside its iOS 14 operating system, Apple announced in September that it would wait until 2021 to begin requiring apps to obtain opt-in consent from the user in order to track the user or access the device’s advertising identifier. Apple published a letter on November 19, 2020, reaffirming its commitment to implementing these requirements in the future, but there is still no set date for when the requirements will take effect. Information regarding Apple’s current definition of tracking and associated requirements can be found here.