Apple announces updated App Store Privacy requirements for developers

Last week, Apple announced upcoming changes to the App Store review process, with a focus on increased transparency and user privacy for third-party app developers. These changes take effect on May 1, 2024, and aim to provide users with a clearer understanding of how their data is used within apps.

Apple emphasizes its commitment to user privacy and security within the App Store. The company has implemented various features over the years to achieve this, including Privacy Nutrition Labels and App Tracking Transparency. A core principle is developer responsibility for all code within their apps, including third-party code from frameworks and libraries.

Previously, Apple established privacy manifests and signature requirements for specific third-party software development kits (SDKs). These manifests detail how user data is collected and used by the SDKs. Additionally, required reasons must be provided for certain APIs (application programming interfaces) used by the SDKs.

Changes Taking Effect May 1, 2024

Starting May 1, 2024, new or updated apps with newly integrated third-party SDKs from a designated list of commonly used SDKs will require the following submissions in App Store Connect, according to Apple:

  • Required reasons: Developers must specify the reasons for using each listed API within the SDK.
  • Privacy manifests: Privacy manifests outlining data usage practices for the SDK must be included.
  • Valid signatures: When an SDK is integrated as a binary dependency, a valid signature is required.

Apps that fail to meet these manifest and signature requirements will not be accepted by the App Store.

Additional Considerations

Apple has outlined specific scenarios where apps may also be rejected:

  • Missing reasons for listed APIs: If a developer fails to provide a reason for using a listed API, the app will not be accepted.
  • Dynamic frameworks and newly added SDKs: Integration of a new, listed third-party SDK via a dynamic framework embedded through the Embed Frameworks build phase can lead to app rejection.
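
A pre-submission check for the missing-reasons case above, as an added example that is not code from Apple or from this article. The key names, category names and the `CA92.1` reason code come from Apple's privacy manifest format (`PrivacyInfo.xcprivacy`) rather than from this page; `audit_manifest` is a hypothetical helper name and the sample manifest is constructed.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed PrivacyInfo.xcprivacy content for illustration; not from any real SDK.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>CA92.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array/>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
    </dict>
  </array>
</dict></plist>
"""


def audit_manifest(data: bytes) -> list[str]:
    """Return one finding per declared API category that lacks a reason code."""
    try:
        manifest = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [f"not a valid property list: {exc}"]
    # A manifest that declares no required-reason APIs has nothing to check here.
    entries = manifest.get("NSPrivacyAccessedAPITypes", []) if isinstance(manifest, dict) else None
    if not isinstance(entries, list):
        return ["top level is not a dictionary or NSPrivacyAccessedAPITypes is not an array"]
    findings = []
    for index, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append(f"entry {index}: not a dictionary")
            continue
        category = entry.get("NSPrivacyAccessedAPIType", "<unnamed>")
        reasons = entry.get("NSPrivacyAccessedAPITypeReasons")
        # An absent key and an empty array both mean no reason was declared.
        if not isinstance(reasons, list) or not any(isinstance(r, str) and r.strip() for r in reasons):
            findings.append(f"entry {index}: {category} declares no reason")
    return findings
```

The check only confirms that each declared category carries at least one reason; whether a given code is on Apple's approved list for that category still has to be verified against Apple's documentation.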

Apple indicates that these required reason submissions will eventually encompass the entire app binary, not just third-party SDKs. This signifies a potential future where developers will need to justify all data collection practices within their apps.

Recommendations for developers

Apple encourages developers to:

  • Review data usage by SDKs: Gain a clear understanding of how third-party SDKs within their apps utilize user data.
  • Find alternative solutions: If an API cannot be justified with an approved reason, explore alternative solutions that meet user privacy expectations.
  • Embrace transparency: These changes aim to improve transparency for users and strengthen the overall app ecosystem.

These updated App Store privacy requirements place greater emphasis on developer responsibility regarding user data within apps. By understanding and adhering to these guidelines, developers can ensure a smooth app review process and contribute to a more transparent and privacy-focused app ecosystem.


