At Apple’s Worldwide Developers Conference in June, the company announced it would soon require developers to disclose their app’s privacy practices to customers via new, glanceable summaries that appear on their apps’ product pages on the App Store. Today, these new app privacy labels are going live across all of Apple’s App Stores, including iOS, iPadOS, macOS, watchOS and tvOS.
On the developers’ side, Apple began requiring developers to submit their privacy practices with the submission of new apps and app updates. However, it hadn’t begun to publish this information on the App Stores until today.
The new labels aim to give Apple customers an easier way to understand what sort of information an app collects across three categories: data used to track you, data linked to you and data not linked to you. Tracking, Apple explains, refers to the act of linking either user or device data collected from an app with user or device data collected from other apps, websites or even offline properties (like data aggregated from retail receipts) that’s used for targeted advertising or advertisement measurement. It can also include sharing user or device data with data brokers.
This aspect alone will expose the industry of third-party adtech and analytics SDKs (software development kits) — basically code from external vendors that developers add to their apps to boost their revenues.
Meanwhile, “data linked to you” is the personal information tied to your identity, through your user account on the app, your device or other details.
Broken down, there are a number of data types apps may collect on their users, including things like personal contact information (e.g. address, email, phone, etc.); health and fitness information (eg. from the Clinical Health Records API, HealthKit API, MovementDisorderAPIs or health-related human subject research); financial information (e.g. payment and credit info); location (either precise or coarse); contacts; user content (e.g. emails, audio, texts, gameplay, customer support, etc.); browsing and search histories; purchases; identifiers like user or device IDs; usage and diagnostic info; and more.
Developers are expected to understand not only what data their app may collect, but also how it’s ultimately used.
For example, if an app shares user data with a third-party partner, the developer will need to know what data that partner uses and for what purposes — like displaying targeted ads in the app, sharing location data or email lists with a data broker, using data for retargeting users in other apps or measuring ad efficiencies. And while the developer will need to disclose when they’re collecting data from Apple frameworks or services, they aren’t responsible for disclosing data collected by Apple itself.
There are a few exceptions to the new disclosure requirements, including data collected in optional feedback forms or customer service requests. But, in general, almost any data an app collects has to be disclosed. Even Apple’s own apps that aren’t offered on the App Store will have their privacy labels published on the web.
The privacy information itself is presented on a screen in the app’s product listing page in easy-to-read tabs that explain what data is collected across the different categories, starting with “data used to track you.”
Apple says it will not remove apps from the App Store if they don’t include this privacy information, but it’s no longer allowing apps to update until their privacy information is listed. That means, eventually, all apps that haven’t been abandoned will include these details.
Apple’s decision to implement privacy labels is a big win for consumer privacy and could establish a new baseline for how app stores disclose data.
However, they also arrive at a time when Apple is pushing its own adtech agenda under the banner of being a privacy-forward company. The company is forcing the adtech industry to shift from the identifier IDFA to its own SKAdNetwork — a shakeup that’s been controversial enough for Apple to delay the transition from 2020 to 2021. The decision to delay may have been, as Apple stated, to give marketers panicked about the sizable revenue hit, time to adapt. But Apple is, of course, keenly aware that regulators were weighing whether the App Store was behaving in anticompetitive ways toward third-parties.
Facebook, for example, had warned businesses they would see a 50% drop in Audience Network revenue on iOS as a result of the changes that would remove personalization from mobile app ad install campaigns.
Apple, in the meantime, took some of the regulatory heat off itself by reducing its App Store commissions to 15% for developers making less than $1 million.
As all these consumer privacy changes are underway, Apple itself continues to use its customer data to personalize ads in its own apps, including the App Store and Apple News. These settings, which are enabled by default, can be toggled off in the iPhone’s Settings. App publishers, on the other hand, will soon have to ask permission from users to track them. And Apple now runs plenty of other services it could expand ads to in the future, if it chose.
It will be interesting to see how consumers react to these new privacy labels as they go live. Apps that collect too much data may find their downloads are impacted, as wary users pass them over. Or, consumers may end up ignoring the labels — much as they do the other policies and terms they “agree” to when installing new software.
Details about Apple’s privacy practices were also published today on a new website, Apple.com/privacy, which includes not only the changes to the App Store, but lists all other areas where Apple protects consumer privacy.