Your App Will Get Rejected: Privacy updates for App Store submissions 2024 — iOS
How to handle Privacy Manifests as a Developer
Since you are here, you have definitely heard the Apple’s news about including the app’s privacy manifest while uploading a new build over app store. If you haven’t, here a quick summary.
Privacy Manifests and Signatures for SDKs: Starting May 1, 2024, developers submitting apps that use certain third-party SDKs will need to include a privacy manifest for the SDK. This document explains how the SDK collects and uses user data. Additionally, signatures will be required to ensure the authenticity of the SDK.
Approved Reasons for Using APIs: Apple requires developers to declare a reason for using certain APIs in their app’s privacy manifest. The list of approved reasons has been expanded to cover more use cases. This helps ensure apps are only using APIs for legitimate purposes.
⚠️ Thus, starting May 1, 2024, apps that don’t describe their use of required reason API in their privacy manifest file aren’t accepted by App Store Connect.
These updates are designed to give users a clearer picture of how their data is being used by apps and third-party SDKs.
This article will give a quick demonstration about implementing Privacy Manifests as a developer. For a detailed knowledge, you can browse through the apple’s documentation. It’s well explained there, and I have taken references from them only.
Here, for the demonstration, I will be creating a PrivacyInfo.xcprivacy file for a demo-app that uses user's Photos or videos
and also uses UserDefaults
for in-app functionality.
• Create a privacy manifest
• Updating NSPrivacyCollectedDataTypes
• Updating NSPrivacyAccessedAPITypes
• Updating NSPrivacyTracking and NSPrivacyTrackingDomains
• Conclusion
Step 1: Create a privacy manifest
To add the privacy manifest to your app or third-party SDK in Xcode, follow these steps:
• Choose File > New File.
• Scroll down to the Resource section, and select App Privacy File type.
• Click Next.
• Check your app or third-party SDK’s target in the Targets list.
• Click Create.
By default, the file is named PrivacyInfo.xcprivacy
; this is the required file name for bundled privacy manifests.
Privacy manifest is divided into four categories:
NSPrivacyCollectedDataTypes
: An array of dictionaries that describes the data types your app or third-party SDK collects.NSPrivacyAccessedAPITypes
:An array of dictionaries that describe the API types your app or third-party SDK accesses that have been designated as APIs that require reasons to access.NSPrivacyTracking
: A Boolean that indicates whether your app or third-party SDK uses data for tracking as defined under the App Tracking Transparency framework.NSPrivacyTrackingDomains
: An array of strings that lists the internet domains your app or third-party SDK connects to that engage in tracking. If the user has not granted tracking permission through the App Tracking Transparency framework, network requests to these domains fail and your app receives an error. If you have setNSPrivacyTracking
totrue
then you need to provide at least one internet domain inNSPrivacyTrackingDomains
, otherwise, you can provide zero or more domains.
Step 2: Updating NSPrivacyCollectedDataTypes
This section holds the categories of data that your app or third-party SDK collects about the person using the app, and the reasons it collects the data. The categories range from contact information about the user (such as email/phone number or photos/videos), to Location and Purchases.
For each type of data you declare for your app or your SDK, you have to add a dictionary to the NSPrivacyCollectedDataTypes
array in your privacy information file. The dictionary will have the following keys :
NSPrivacyCollectedDataType
: A string that identifies the type of data your app or third-party SDK collects.NSPrivacyCollectedDataTypeLinked
: A Boolean that indicates whether your app or third-party SDK links this data type to the user’s identity.NSPrivacyCollectedDataTypeTracking
: A Boolean that indicates whether your app or third-party SDK uses this data type to track.NSPrivacyCollectedDataTypePurposes
: An array of strings that lists the reasons your app or third-party SDK collects the data. Choose values from the dropdown list of purposes below that match the reasons your app or third-party SDK collects this data type.
Let’s implement this step for our demo-app.
We have assumed above that our demo-app may collect data as user photos or videos only. So, for the dictionary entries, we will select the
CollectedDataType
asPhotos or videos
from the dropdown. Also, this data type is related to the user, soCollectedDataTypeLinked
will be true. Additionally, this data is not used for user tracking,CollectedDataTypeTracking
will be false. Also,CollectedDataTypePurposes
is just for app functionality.
You can check the Apple’s documentation for all the categories available.
Step 3: Updating NSPrivacyAccessedAPITypes
This section holds the categories of APIs that your app uses to deliver its core functionality. For example; File timestamp APIs
, System boot time APIs
, Disk space APIs
, Active keyboard APIs
and User defaults APIs
.
For each Privacy Accessed API
, you have to add a dictionary that describe the Accessed API Type
your app or third-party SDK accesses and Accessed API Reasons
that identifies the reasons your app uses the respective API.
Let’s implement this step for our demo-app.
We have assumed earlier that our demo-app uses
UserDefaults
for in-app functionality. Since, our application or SDK uses one of the above mentioned APIs, so, we need to list it with an appropriate reason(s).
So, we will need to:
● ListNSPrivacyAccessedAPICategoryUserDefaults
as theNSPrivacyAccessedAPIType
.
● UseCA92.1
inside theNSPrivacyAccessedAPITypeReasons
.
You can check the Apple’s documentation for all the listed APIs available and its full description.
Step 4: Updating NSPrivacyTracking and NSPrivacyTrackingDomains
A Boolean that indicates whether your app or third-party SDK uses data for tracking as defined under the App Tracking Transparency framework.
Since, our demo-app i.e. our application or SDK doesn’t fall into that definition, we need to mark false as the value for NSPrivacyTracking and we can exhale.
But, if you have to mark true as the NSPrivacyTracking, then you must supply all the domains your application or SDK uses for the purpose of tracking as part of NSPrivacyTrackingDomains
.
By now, you must be asking yourself, why I am making a big fuss about this. Well, it has to do with the fact that Apple will block all requests to any domain listed under NSPrivacyTrackingDomains
if the user doesn’t allow the application to track him/her. Get it? You will now need to re-route network requests differently based on whether the user has given consent to be tracked or not.
Conclusion
After updating all the details into our app or SDK privacy manifest file, our final demo-app PrivacyInfo.xcprivacy file look like this :-
Also, you can generate a privacy report file.
In Xcode, archive your app (Product → Archive). Control-click the archive in the organizer and choose “Generate Privacy Report.” Save the generated report for future reference.