All New and Updated App Store Apps Required to Have a Privacy Policy Starting October

Apple has announced that, starting October 3, 2018, all new apps and app updates will require a privacy policy in order to be submitted for distribution on the App Store or through TestFlight for beta testing purposes.


Apple already requires a privacy policy for apps that access personal information, including apps that offer subscriptions, accept Apple Pay, or use Apple frameworks such as HomeKit, HealthKit, or CareKit. Now, the requirement will extend to all apps, including basic ones that do not share data in any way.

It does not appear that existing apps on the App Store will be affected by this move until they are updated on October 3 or later, so long-outdated apps may remain without a privacy policy if they are no longer maintained.

Apple detailed the upcoming changes in the News section of its App Store Connect portal for developers on Thursday:
Starting October 3, 2018, App Store Connect will require a privacy policy for all new apps and app updates in order to be submitted for distribution on the App Store or through TestFlight external testing. In addition, your app's privacy policy link or text will only be editable when you submit a new version of your app.

To add or edit your privacy policy for the App Store:

1. Go to My Apps in App Store Connect, and click on your app.
2. Under App Store, click on App Information.
3. In the top right corner, add your privacy policy link for iOS apps or macOS apps, or enter text directly for tvOS apps.
4. Click Save.

To add your privacy policy link to your app for external TestFlight distribution:

1. Go to My Apps in App Store Connect, and click on your app.
2. Under TestFlight, click Test Information.
3. Add your privacy policy link for iOS apps, or enter text directly for tvOS apps.
4. Click Save.

Apple elaborates on its privacy policy requirements in its App Store Review Guidelines, under Section 5.1.1:
Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:

- Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.

- Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) — such as analytics tools, advertising networks and third party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data — will provide the same or equal protection of user data as stated in the app's privacy policy and required by these Guidelines.

- Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user's data.

App Store Connect has long provided a privacy policy metadata field for developers to submit a link to their privacy policy webpage for iOS apps. On the Apple TV, there is no web browser, so App Store Connect has a text box for developers to paste the full text of their privacy policy displayed in app.



Top Rated Comments


11 weeks ago
I think Apple should change policy on allowing apps access to people's contacts (such as WhatsApp). I don't like that they can—often with a single tap, without knowing too much of what's being asked—hit "Ok" and upload their full address book (including my entry) to Zuckerberg's servers without my more acute understanding re potential consequences of said seemingly innocuous action. And without our permission. What did one dev. say, "it's the wild-west of data collection". Given how much Apple care about security, I'm surprised Apple still allows this.
Rating: 13 Votes
11 weeks ago
In the not-too-distant future…



Rating: 11 Votes
11 weeks ago
Can’t wait to read them.
Rating: 11 Votes
11 weeks ago
Just wrote mine. What a pain. I don’t collect any information. Would be nice if we could just check a “we don’t collect anything” box in appstoreconnect.
Rating: 5 Votes
11 weeks ago

I think Apple should change policy on allowing apps access to people's contacts (such as WhatsApp). I don't like that they can—often with a single tap, without knowing too much of what's being asked—hit "Ok" and upload their full address book (including my entry) to Zuckerberg's servers without my more acute understanding re potential consequences of said seemingly innocuous action. And without our permission. What did one dev. say, "it's the wild-west of data collection". Given how much Apple care about security, I'm surprised Apple still allows this.


That's the single reason I've never used WhatsApp. I hate the thought that I have to give them access to the phone numbers, addresses, and email addresses of my friends and family without them being able to consent.
Rating: 5 Votes
11 weeks ago
I think this will help with transparency (great) but I see another ancillary benefit of weeding out low quality non-viable apps. Devs are going to have to decide if their apps are worth the effort and those that choose not to update with privacy info will find their apps in the realm of abandonware (hopefully)... sort of a self cleaning roomba for the app store.
Rating: 5 Votes
11 weeks ago
If this just means more reams of fine print in very legal language, then people will generally not read them or understand it. Apple should instead force developers to disclose the ramifications in terms of what can go wrong - kind of like the "Risk" sections in a SEC 10Q or 10K form. Give me a list of reasons why anything I do with this app can go (horrendously) wrong - "my security team is my dog, and he may not keep your health records secure for long"
Rating: 3 Votes
11 weeks ago

How are single devs supposed to deal with this? Let's say you just use Google Analytics (or Firebase). How complicated must this be? More importantly, WHAT IF APPLE STARTS APPROVING OR DENYING BASED ON HOW DETAILED YOUR POLICY TEXT IS?

That’s my concern too.
Another aspect I’ve read is that the app must include a link to the privacy details whether the app is web enabled or not. So without more clarification it looks like a small developer would have to then have a website that the app can connect to just to tell the user that they’re not collecting anything and that except for that link it wouldn’t otherwise have even connected to the net?
Rating: 3 Votes
11 weeks ago
I didn't check but I think it will impact the B2B store as well, but a standard privacy page should be enough. One of the advantages of working for companies with the enterprise membership is avoiding dealing with iTunes Connect and all the boilerplate that goes into publishing an app.

As a user I'm ok with more transparency given to the customer, but I think very few people actually read that stuff.
Rating: 3 Votes
11 weeks ago
How are single devs supposed to deal with this? Let's say you just use Google Analytics (or Firebase). How complicated must this be? More importantly, WHAT IF APPLE STARTS APPROVING OR DENYING BASED ON HOW DETAILED YOUR POLICY TEXT IS?
Rating: 3 Votes
