During its summer conference this year, Apple announced that later in 2020, it would require application developers to provide in-depth detail regarding their data collection and use practices to give users more information and control over the data that applications collect and share. In early November, Apple reaffirmed its commitment to disclosing data collection and use practices to its users and announced that effective December 8, 2020, all Mac and iOS applications published or updated in the iOS App Store or Mac App Store will be required to disclose details regarding all of the data that the application collects and uses.
Application developers will be presented with a number of privacy questions in Apple’s App Store Connect prior to publishing a new application or updating an existing application, which will require the disclosure of the types and categories of data collected by the application or its third-party partners unless certain exceptions apply. The responses to the privacy questions will be used to update the application’s product page within the applicable App Store to inform users about its data collection and usage in a graphical format that utilizes icons so users understand the privacy practices without the need to read a textual privacy notice. Many in the industry are calling it a “nutrition label” for every application offered on the App Stores.
Certain narrowly defined-data collection activities will not require disclosure. Generally, disclosure is not required if the data is not used for any of the following: tracking purposes (i.e. the data is not linked with data from third parties for advertising or advertising measurement purposes, or shared with a data broker); the developers advertising or marketing purposes, or a third party’s advertising purposes; the data collection occurs so infrequently such that the collection is not part of the application’s primary function and the collection is optional for the user; and the data is provided by the user in the application’s user interface, it is clear to the user what data is being collected, the user name or account is prominently displayed in the submission form along with other data elements being submitted, and the user affirmatively chooses to provide the data each time it is collected. However, if the application meets some, but not all, of these criteria, the developer must still provide the disclosure. In this context, tracking refers to linking data collected about a user or device with third-party data for advertising, advertising measurement purposes, or sharing data about a user or device with a data broker. Some examples of data types that do not need to be disclosed include optional feedback or customer service requests that are not part of the primary purpose of the application and otherwise meet all of the foregoing criteria.
- Businesses would be well-served to review their data collection practices and their third-party service providers’ data collection practices in advance of any updates to an existing application or the rollout of a new application.
- Additionally, contracts with third-party service providers should include representations and warranties regarding the collection and use of data obtained from the application and compliance with the application owner’s policies on collecting and using data.