Apple Requiring App Developers to Disclose Privacy Details in App Store

04 December 2020 Privacy, Cybersecurity & Technology Law Perspectives Blog
Authors: Chanley T. Howell, Steven M. Millendorf, Aaron T. Maguregui

During its summer conference this year, Apple announced that later in 2020, it would require application developers to provide in-depth detail regarding their data collection and use practices to give users more information and control over the data that applications collect and share. In early November, Apple reaffirmed its commitment to disclosing data collection and use practices to its users and announced that effective December 8, 2020, all Mac and iOS applications published or updated in the iOS App Store or Mac App Store will be required to disclose details regarding all of the data that the application collects and uses.

Application developers will be presented with a number of privacy questions in Apple’s App Store Connect prior to publishing a new application or updating an existing application, which will require the disclosure of the types and categories of data collected by the application or its third-party partners unless certain exceptions apply. The responses to the privacy questions will be used to update the application’s product page within the applicable App Store to inform users about its data collection and usage in a graphical format that utilizes icons so users understand the privacy practices without the need to read a textual privacy notice. Many in the industry are calling it a “nutrition label” for every application offered on the App Stores.

Apple is impressing upon its developers the requirement to understand and disclose how data will be used by the application and its third-party partners, including disclosing whether each data type collected is linked to the user’s identity. For example, if the application collects a user’s email address and uses it to authenticate the user for evaluating the user’s behavior or measuring audience size or characteristics, disclosure is required. These requirements will be in addition to the requirement to post the URL of the developer’s publicly accessible privacy policy.

Certain narrowly defined data collection activities will not require disclosure. Generally, disclosure is not required if all of the following criteria are met: the data is not used for tracking purposes (i.e., the data is not linked with data from third parties for advertising or advertising measurement purposes, or shared with a data broker); the data is not used for the developer’s advertising or marketing purposes, or a third party’s advertising purposes; the data collection occurs so infrequently that it is not part of the application’s primary function, and the collection is optional for the user; and the data is provided by the user in the application’s user interface, it is clear to the user what data is being collected, the user name or account is prominently displayed in the submission form along with other data elements being submitted, and the user affirmatively chooses to provide the data each time it is collected. However, if the application meets some, but not all, of these criteria, the developer must still provide the disclosure. In this context, tracking refers to linking data collected about a user or device with third-party data for advertising or advertising measurement purposes, or sharing data about a user or device with a data broker. Some examples of data types that do not need to be disclosed include optional feedback or customer service requests that are not part of the primary purpose of the application and otherwise meet all of the foregoing criteria.

Applications published on the App Stores prior to December 8, 2020, will not be required by Apple to take any action until an update to the application is published. If an application developer provides false, incorrect, or misleading responses to the privacy questions, this may violate Apple’s terms of use and lead to the removal of the application from the App Stores. In addition to removal from the App Stores, false or misleading practices governing the collection and use of data could lead to enforcement action from state or federal (e.g., the FTC) authorities for unfair and deceptive trade practices.

Key Takeaways

  • Businesses would be well-served to review their data collection practices and their third-party service providers’ data collection practices in advance of any updates to an existing application or the rollout of a new application.
  • All reviews should encompass an audit and comparison of all relevant privacy policies and terms of use, not only for the business but also for the third-party service providers. An application’s privacy policy should include references to the third-party’s data collection and use practices.
  • Additionally, contracts with third-party service providers should include representations and warranties regarding the collection and use of data obtained from the application and compliance with the application owner’s policies on collecting and using data.

For questions or additional information on this topic, please contact any of the authors or your Foley relationship partner.   
