September 18, 2018

Protecting Users: Why Privacy Policies Will Become Compulsory for iOS Apps From October 2018

As the new privacy policy requirement for iOS apps has been enacted, we take a look at what exactly it is, why this change happened and how developers can prepare themselves for it.

Yichen Huang

Content Marketing Manager

Apple is about to launch a crackdown on apps without robust privacy policies.

From the 3rd October 2018, apps released through the App Store or distributed via TestFlight must have a compliant privacy policy or face rejection from Apple.

But what exactly has changed in Apple’s terms and conditions? And how can developers prepare themselves for the change? We’ve put our heads together to try to give you the answers.

Why has Apple shifted its approach to user privacy?

Apple’s approach has changed because of legal, political and cultural changes in attitudes to protecting individual user privacy.

From a legal perspective, the European General Data Protection Regulation (GDPR) – which was enacted in May 2018 – has played a big role in shifting expectations of privacy.

In particular, GDPR’s strengthening of both individual rights and government authorities’ ability to fine non-compliant companies across a continent has made creating (and maintaining) a strong privacy policy essential.

However, wider cultural and political shifts have also increased the emphasis on user data rights. The collection and use of Facebook metadata to distribute “fake news” across the world has led many users to question how companies use their personal data.

As a result, companies like Apple must be seen to be taking serious action in enforcing privacy policies, to fulfil both a legal and a cultural responsibility to users.

What exactly is the App Store’s new privacy policy rule?

Apple’s new privacy policy rule can be found in its App Store Review Guidelines in section 5.1.1. It says the following:

Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner.

The privacy policy must clearly and explicitly:

  • Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.
  • Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) — such as analytics tools, advertising networks and third party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data — will provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines.
  • Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data.

Importantly, this rule now applies to all apps. Previously, Apple had only required a privacy policy for apps that accessed personal data or used certain Apple frameworks. Now, every app will have to carry one – even if it doesn’t process personal data.

As a result, all developers will have to make sure they create and upload a privacy policy to the store in time for the 3rd October. Otherwise, there is a strong chance that new releases and updates will be rejected until they are compliant.

What impact will this have on app businesses?

The rule change is likely to affect different app businesses in different ways.
</gra_replace>
<gr_replace lines="49" cat="clarify" orig="For companies who">
For companies that have been running apps that process personal data since May 2018, dealing with this rule change shouldn’t be a challenge.

For companies who have been running apps that have been processing data since May 2018, dealing with this rule change shouldn’t be a challenge.

Apple’s new rules track closely to the obligations most businesses already have under GDPR in Europe. This means that most developers will only have to spend a little time linking to their already compliant privacy policy, both in App Store Connect and within the app, to make sure their new or existing releases continue to be accepted on the store.

However, this rule change could be a bit tougher for businesses that don’t have a strong privacy policy in place.

In some instances, this will be because the company failed to become GDPR compliant. Apple’s move should therefore provide a handy kick to those companies to get on with creating one.

But equally, new app businesses or creators of apps that don’t transmit data (e.g. a premium mobile game) will have to write a privacy policy from scratch to ensure that they can still distribute on the store after the start of October.

How can we make sure we’re compliant by the 3rd October?

In the immediate short term, businesses without a privacy policy will need to set about creating one.

Doing so will take some time, but it doesn’t need to be that difficult. While Apple does offer guidance on how to write one based on the legal requirements, most tech-savvy law firms will be able to work up a privacy policy quickly from a template. This means you can act quickly to ease any short-term headaches the change may cause.

However, it’s really important to remember that compliance is a long-term business process and not a one-off activity.

To be truly compliant with user privacy in the longer term, app businesses must ensure that both their technology and their business processes are designed in such a way as to protect user privacy.

So our biggest tip for businesses faced with this challenge is to look carefully, as soon as possible, at how they can design for user privacy first and foremost. This will help make sure that any privacy policy added to the store is a statement of intent to protect your users, rather than a box-ticking exercise.