Every app hosted on the Apple App Store must work properly, collect user data responsibly, and have a legally-compliant Privacy Policy. Apple sets strict rules about what your iOS App Privacy Policy must disclose. Your iOS app will be rejected from the App Store unless your Privacy Policy meets Apple's requirements.
This article will help you understand Apple's requirements and how to fulfill them with a legally-compliant Privacy Policy.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your mobile app. Just follow these steps:
Yes, your iOS app needs a Privacy Policy. Since October 2018, Apple has required all iOS apps to have a Privacy Policy:
Apple now gives this requirement in its App Store Review Guidelines:
All iOS apps must go through the App Store Review Process. Apple will reject your iOS app if you submit it without a compliant Privacy Policy.
Apple also states that every iOS app must comply with local law:
Therefore, you must also comply with the privacy laws that apply in your region, and any other regions in which your app is available.
Even if your iOS app doesn't collect any user data, you still need a Privacy Policy. In your Privacy Policy, you can explain that your app doesn't access any user data, or that it only does so locally (i.e., any data that the app processes remains on the device).
Here's how iPad photo editing app Pixelmator handles this:
Pixelmator provides a clear and reassuring explanation of its practices to its users. This is much more professional than simply not publishing a Privacy Policy. It also shows that you're aware of privacy laws and are complying rather than just hiding your privacy practices.
Apple's App Store Review Guidelines tell developers what an iOS Privacy Policy should contain:
Let's break that down. To comply with this section of the App Store Review Guidelines, your Privacy Policy must:
We're going to explain each of these obligations and give examples so you can understand exactly what Apple requires.
Apple's first Privacy Policy requirement is that the policy must "identify what data, if any, the app/service collects."
Note that Apple uses the term "data." Due to the context, you can reasonably conclude that "data" includes "personal information" and you should apply a very broad definition of this term.
Bear in mind that Apple doesn't allow iOS apps to collect unnecessary or excess personal information. Your app should collect user data sparingly. This is stated in this section of the App Store Review Guidelines on "data minimization":
Here's how iOS app Drafts discloses the types of data it collects:
Drafts breaks down the types of data it collects into categories to make it easier for users to understand.
Note that even if your app doesn't transmit user data from the device, you should still disclose any permissions that your app requests.
Your Privacy Policy must explain how your iOS app collects user data. Depending on what your app does, it might collect user data by requesting it (e.g., names, usernames, email addresses) or by collecting it automatically (e.g., device data, usage data, location data).
This might be quite a technical section of your Privacy Policy. You should try to explain your data collection practices in language that your users will understand.
Here's how Chemdata explains how it collects the data its users provide directly:
After this section, Chemdata describes how its app collects user data automatically:
Your Privacy Policy must explain how your app uses any data it collects. And, to reiterate: You must always have a good reason to collect user data.
Here's how Cultured Code explains its uses for the user data it collects:
Keep in mind that Cultured Code's Privacy Policy applies over all of its products, plus its mailing list and website. Your Privacy Policy should also cover any other means by which you collect personal information.
Apple places strict rules on how developers share user data with third parties. Your Privacy Policy must confirm that any third parties will take as good care of your users' data as you do.
Your app must be compliant with Apple's privacy standards. Therefore, any third party your app shares user data with must also be compliant with Apple's privacy standards.
Apple gives some examples of the types of companies it considers third parties:
Sports news app Võrumaa Nutimängud is very specific. Its Privacy Policy identifies the specific third parties with whom it shares user data:
Apple states that your Privacy Policy must "describe how a user can revoke consent." Apple's App Store Review Guidelines state that you must only collect user data with consent. If a user revokes consent, you must stop collecting their data.
iOS apps will often ask for consent by using the permission request mechanisms provided in iOS SDKs. You can provide a method for your users to revoke this sort of consent within your app settings. Your Privacy Policy should explain how users can do this.
Here's how Võrumaa Nutimängud explains how its users can revoke consent:
In any situation where you have asked for a user's consent, they must be able to revoke it, and your Privacy Policy should explain how.
Apple states that your Privacy Policy must explain your "data retention/deletion policies." You must not keep user data longer than you need it. This means thinking carefully about how long you need to store user data and, if necessary, creating a retention schedule.
Your Privacy Policy should explain your data retention practices. Here's how Easybrain does this:
Be as specific as possible here with your timeframe, and make sure you're disclosing your actual practices.
Apple states that your Privacy Policy must "describe how a user can [...] request deletion of the user's data." This implies that you must offer users a way to delete any user data you hold on them. Apple doesn't explicitly state that you need to do this in its App Store Review Guidelines.
However, Apple does require that you give users control over their data. Apple states this in a document called "Protecting the User's Privacy":
Enabling your users to request the deletion of their personal information is also a legal requirement under several privacy laws, including the GDPR and the CCPA.
Your app could provide the user with the ability to delete their data. Or you can invite your users to send you an email to make a deletion request.
Here's how the alarm clock app EY presents this type of information in its Privacy Statement:
After you meet Apple's requirements, there are further requirements you'll need to be familiar with.
Along with Apple's Privacy Policy requirements, you need to obey the law. Privacy and data protection laws strictly regulate how you handle your users' personal information, and determine what you need to disclose in your Privacy Policy.
Privacy Policy requirements differ depending on where you and your users are based.
Note: You must obey the privacy law of the regions where your users are based and not just where you are based.
Effectively, the State of California sets privacy standards in the United States. As long as your app is accessible to California consumers, you must obey the state's strict privacy laws.
All commercial websites and apps must comply with the California Online Privacy Protection Act (CalOPPA).
Read our guide to creating a CalOPPA Privacy Policy to understand your obligations under this law.
Read our guide to creating a CCPA (CPRA) Privacy Policy.
The EU has the strictest privacy standards in the world. The EU General Data Protection Regulation (GDPR) sets extensive rules regarding what information you should provide in your Privacy Policy.
Read our guide to creating a GDPR Privacy Policy.
Canada's privacy standards are also high. If your app has users in Canada, you must comply with the Personal Information Processing and Electronic Documents Act (PIPEDA).
Read our guide to creating a PIPEDA Privacy Policy.
Where these or any other privacy laws apply to you, you must ensure that your Privacy Policy is compliant with them.
You can download these instructions as a PDF file.
Once you've hosted your Privacy Policy online, Apple requires you to:
The best place to host your Privacy Policy is your company's website, if you have one. If you don't have a website, you can set up a simple WordPress site, or even a publicly available Google Doc.
Apple states that "all apps must include a link to their privacy policy in the App Store Connect metadata field."
To get your app hosted in the App Store, you first need to add it to your App Store Connect account. When you add an app to your App Store Connect account, you must provide Apple with certain app information, including the URL of your Privacy Policy.
If you're submitting an app bundle (up to ten apps sold together at a reduced price), you should submit your Privacy Policy along with your app bundle's primary app. You don't need to submit a Privacy Policy with each bundled app you submit.
Apple explains this in its App Store Connect Help for bundles:
Once your iOS app is approved, your Privacy Policy will show alongside other information about your app in the App Store. Here's how it looks:
This is important because it gives potential users the opportunity to review your privacy practices before deciding to download your app. If the link weren't available before download, and your app collected any information during installation or before the user could reach the Privacy Policy within the app, that would violate your users' privacy rights.
Apple requires that you provide users access to your Privacy Policy "within the app in an easily accessible manner." Most apps provide Privacy Policy access via a "Settings," "Legal," or "About" menu, or something similar. Here's an example of how the Fitbit app displays its Privacy Policy.
Users must click on the main Account icon to open the Account menu. From here, there's a Legal menu:
Within the Legal menu, users can find the Privacy Policy within the list of important legal information:
When a user clicks on the Privacy Policy link, a mobile browser opens up and takes the user to a mobile version of the company's Privacy Policy:
This is a good example of how to make a Privacy Policy accessible within an app.
You could also link to your Privacy Policy directly within your app's "Settings" menu, or even as an item within your app's side or drop-down menu, like WeatherBug does here:
You need to make sure your users can access your Privacy Policy at any time, and keeping a static link somewhere in your app accomplishes this.
Although Apple doesn't require it, you should also link to your Privacy Policy whenever you ask your users to provide personal information, for example when users sign up for an account with your app, or on the checkout page of an ecommerce app.
For example, here's how SoundHound directs users to its Privacy Policy when signing up for an account:
Here's how Amazon links users to its Privacy Policy when confirming a purchase:
Take every reasonable opportunity to appear transparent in your privacy practices by making your Privacy Policy link available often.
To meet Apple's requirements, your iOS app Privacy Policy must disclose:
Your iOS app Privacy Policy must also be legally compliant.
Disclaimer
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
Copyright © 2012 - 2024 TermsFeed ® . All rights reserved.