On December 14, 2020, Apple rolled out its new privacy label initiative, displaying “nutrition labels” for mobile apps in the App Store. For all new apps and app updates, Apple now requires app developers to provide detailed information about the data their apps collect and how that data is used. With this information, Apple generates a privacy label for each app in the App Store. To avoid delays in the app approval process, developers should create data maps to ensure they provide accurate information for the labels, and developers should review their privacy policy and app license agreements for consistency with the applicable privacy label.
Privacy Label Screen
Apple’s privacy label screen provides the key privacy information related to an app. This information is displayed on a screen in the app’s product listing. The screen has tabs that explain the different types of data collected.
Approval Process
For each new app and app update submitted to Apple, Apple will evaluate the privacy information provided by the developer. In its review, Apple may take into account the privacy policy and app license agreement posted at the website associated with the app. If Apple identifies inaccuracies or inconsistencies between the privacy information received for the label and the privacy information at the website, Apple could issue a decline.
Data Mapping
To avoid app declines and approval delays, developers should create data maps for their apps. For each category of data, the developer should map how the app collects, uses, and distributes the data. This will help ensure the information provided to Apple is accurate.
App License Agreement and Privacy Policy
Apple does not require developers to provide an app license agreement, sometimes referred to as app terms, license terms, or end user license agreement (EULA). However, launching an app without an app license agreement can present substantial legal risk. For example, without an app license agreement, the app owner can lose the ability to enforce certain copyrights against would-be infringers, and the app owner can be exposed to liability (possibly unlimited) for claims related to app defects or wrongdoing by users. For these reasons, many owners require users to accept an app license agreement before using the app.
Apple does require developers to provide an online privacy policy associated with their app. The privacy label screen displays a link to the owner’s privacy policy. Typically, the owner’s privacy policy applies to the website and all of the owner’s products and services, including the owner’s apps. In this case, the owner should consider adding a section in its privacy policy regarding app privacy. This section should explain that, for any particular app, the related app license agreement provides the specific information and terms regarding any data the app collects, uses, or distributes.
In addition, owners should review the provisions of their app license agreements and revise them to avoid any inconsistency with the information submitted for the privacy label. For example, the privacy label information may indicate that all data is processed only on the mobile device and not sent to a server, while the app license agreement may imply the app can send the data to servers. If this is not how the app actually works, the owner should have the app license agreement revised for consistency.
Disclosure to Apple
- Data Categories. When submitting an app or app update to Apple, the developer must disclose whether the app collects the following categories of user-related data: contact information, health and fitness information, financial information, location, sensitive information, contacts, user content, browsing history, search history, identifiers, purchases, usage data, diagnostics, and other data.
- Purpose Categories. For each of these categories of data, the developer must identify the purpose for collecting the data, selecting from the following categories: third-party advertising, developer’s advertising or marketing, analytics, product personalization, app functionality, and other purposes.
- Linked to User. In addition, for each category of data, the developer must identify whether the data is linked to the user’s identity. This generally involves determining whether this data contains personally identifiable information.
- Tracking. Furthermore, for each category of data related to a particular user or device, the developer must indicate whether the collected data is used with data from a third party or whether the collected data is shared with a data broker.
- Exceptions and Examples. Apple provides a set of exceptions to its disclosure requirements, such as exceptions related to certain types of contact us forms, financially regulated data, health research data, and de-identified data. Apple also provides helpful examples of scenarios that do and do not require disclosure. For further information about Apple’s rules, see Apple’s app privacy details.
To avoid app approval delays in the wake of Apple’s new privacy labelling, developers should obtain a full understanding of their apps’ data usage, and they should update their privacy policy and app license agreements to be consistent with the applicable privacy label. Barclay Damon provides counseling and drafting with respect to app license agreements, privacy terms, privacy policies, cookie policies, cookie banners, terms of use, and other app-related and web-related terms. The information provided in this alert includes a summary of Apple’s rules. For the details and actual terms of Apple’s rules, please see the link above.
If you have any questions regarding the content of this alert, please contact Renato Smith, partner, at rsmith@barclaydamon.com, or another member of the firm’s Corporate or Branding, Trademarks & Copyrights Practice Areas.