The time has come, for Apple has released new App Store Guidelines.
Previously Apple updated their User Privacy and Data page, stating that more information on the topic would be coming later this fall. On September 11th 2020, they posted an update to the App Store Guidelines. While this doesn’t answer all the questions, it’s clear they are serious about this, and the standards are very closely aligned to Europe’s General Data Protection Regulation (GDPR).
At the time of writing, the strongest data protection law in the USA is the California Consumer Privacy Act (CCPA). The CCPA uses an “Opt-Out of Sale” model. These guidelines however are “Opt In to collection”, which is far more restrictive. Also, while the CCPA applies only to residents of California, the Guidelines apply to anyone who submits an app, regardless of their location or the location of their users. These guidelines, if enforced, will go on to become one of the strictest data protection standards in the USA to see widespread adoption.
Developers are also required to upgrade their apps to be compliant with the current version of iOS/iPadOS/macOS, or allow Apple to delist non-compatible versions. As a result, these changes will be required to keep distributing on the App Store, as per the developer agreement. So brands cannot selectively ‘not upgrade’ in order to bypass these requirements. Compliance is thus mandatory.
Note: I am not an Apple employee, nor a lawyer. I am not giving legal advice, but I am raising things to consider when designing and releasing your mobile app on the App Store. Should you have concerns, I strongly encourage a discussion with legal counsel.
Here’s what I believe the relevant sections to be concerned about from a data and analytics perspective are. The list below is not complete. The entire guideline policy printed out is roughly 24 pages. Again, I strongly advise reviewing the full policy to see which parts may be relevant to your specific scenarios.
With that out of the way – let’s cover some of the more interesting bits…
(vi) Apps should allow a user to get what they’ve paid for without performing additional tasks, such as posting on social media, uploading contacts, checking in to the app a certain number of times, etc. Apps should not require users to rate the app, review the app, watch videos, download other apps, tap on advertisements, enable tracking, or take other similar actions in order to access functionality, content, use the app, or receive monetary or other compensation, including but not limited to gift cards and codes.
https://developer.apple.com/app-store/review/guidelines/#unacceptable
Taken broadly, I take this to mean that apps must not close off or otherwise restrict access to something a user has paid for simply because that user disallows tracking.
(i) Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:
https://developer.apple.com/app-store/review/guidelines/#data-collection-and-storage
- Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.
- Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) — such as analytics tools, advertising networks and third-party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data — will provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines.
- Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data.
Privacy Policies should be standard for most businesses today, as they are required by both the California Consumer Privacy Act and the General Data Protection Regulation, as well as being a requirement for having Google Analytics installed on your website. They are also, as shown above, a requirement of the App Store.
Of note is the ‘explain the retention and deletion policies’ clause, which requires a statement of how a user can revoke consent or request deletion of their data. This is already standard practice under GDPR and CCPA, and is now a cost of doing business on the App Store even if you are not subject to those laws. Your organization is thus required to have a method of opting out of collection once opted in, and a mechanism which deletes data previously collected.
(ii) Permission Apps that collect user or usage data must secure user consent for the collection, even if such data is considered to be anonymous at the time of or immediately following collection. Paid functionality must not be dependent on or require a user to grant access to this data. Apps must also provide the customer with an easily accessible and understandable way to withdraw consent. Ensure your purpose strings clearly and completely describe your use of the data. Apps that collect data for a legitimate interest without consent by relying on the terms of the European Union’s General Data Protection Regulation (“GDPR”) or similar statute must comply with all terms of that law. Learn more about Requesting Permission.
https://developer.apple.com/app-store/review/guidelines/#data-collection-and-storage
This is the major change mentioned previously about requiring permission to collect user data. As written, I take this to be clear. You must secure user consent prior to or at the time of collection, regardless of whether the data is anonymous, and you must provide ways to withdraw that consent once it has been granted. The way this is written leads me to believe this applies to analytics as well, but I have yet to receive clarification on that.
(v) Account Sign-In: If your app doesn’t include significant account-based features, let people use it without a log-in. Apps may not require users to enter personal information to function, except when directly relevant to the core functionality of the app or required by law. If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism. Pulling basic profile information, sharing to the social network, or inviting friends to use the app are not considered core app functionality. The app must also include a mechanism to revoke social network credentials and disable data access between the app and social network from within the app. An app may not store credentials or tokens to social networks off of the device and may only use such credentials or tokens to directly connect to the social network from the app itself while the app is in use.
https://developer.apple.com/app-store/review/guidelines/#data-collection-and-storage
One of the major concerns I saw voiced in the industry was that the WWDC changes announced in June would simply force the creation of ‘Account Walls’ to access mobile apps. It seems Apple has thought of this and decided to head it off.
This clause states you can’t require login in most scenarios for app access. You can require personal information only when it is directly relevant to the app (like when completing a sale). So under these requirements most apps will likely have to support a ‘guest’ mode where the user can use the core app features without creating an account (social networks are an exception to this).
(i) Unless otherwise permitted by law, you may not use, transmit, or share someone’s personal data without first obtaining their permission. You must provide access to information about how and where the data will be used. Data collected from apps may only be shared with third parties to improve the app or serve advertising (in compliance with the Apple Developer Program License Agreement). Apps that share user data without user consent or otherwise complying with data privacy laws may be removed from sale and may result in your removal from the Apple Developer Program.
https://developer.apple.com/app-store/review/guidelines/#data-use-and-sharing
While Apple is not clear about the definition of ‘personal data’ (it is not defined in the Guidelines or in the Developer Agreement), the statement is clear that permission is required to use, transmit off the device, or share data. The data can be shared with 3rd parties with consent, but how this is done is limited by the terms of the developer agreement.
It goes on to state that if you do not comply, they will delist your mobile app at minimum. You are required to comply not only with these guidelines but with all privacy and data collection laws and regulations of the relevant jurisdiction in regard to collection, use or disclosure, as determined by the developer agreement.
Failure to do so may also result in termination of your developer account, preventing the ability to submit apps to the App Store.
(ii) Data collected for one purpose may not be repurposed without further consent unless otherwise explicitly permitted by law.
https://developer.apple.com/app-store/review/guidelines/#data-use-and-sharing
This means you must require consent for each use case. You can’t assume previously granted consent applies to the new scenario unless the legal regulations support that.
(iii) Apps should not attempt to surreptitiously build a user profile based on collected data and may not attempt, facilitate, or encourage others to identify anonymous users or reconstruct user profiles based on data collected from Apple-provided APIs or any data that you say has been collected in an “anonymized,” “aggregated,” or otherwise non-identifiable way.
https://developer.apple.com/app-store/review/guidelines/#data-use-and-sharing
Simply put: you cannot attempt to reverse engineer aggregate or anonymized data back into identifiable users or profiles.
(vi) Data gathered from the HomeKit API, HealthKit, Clinical Health Records API, MovementDisorder APIs, ClassKit or from depth and/or facial mapping tools (e.g. ARKit, Camera APIs, or Photo APIs) may not be used for marketing, advertising or use-based data mining, including by third parties. Learn more about best practices for implementing CallKit, HealthKit, ClassKit, and ARKit.
https://developer.apple.com/app-store/review/guidelines/#health-and-health-research
There are many sections related to health data, and whether or not it’s required to be compliant with laws such as HIPAA (Health Insurance Portability and Accountability Act). Of note however is that data gathered from the relevant APIs can’t be used for marketing or advertising, including by 3rd parties.
If you deal with data in the health realm, I strongly advise having your user cases validated by legal counsel familiar with health apps.
Apps intended primarily for kids should not include third-party analytics or third-party advertising. This provides a safer experience for kids. In limited cases, third-party analytics and third-party advertising may be permitted provided that the services adhere to the same terms set forth in Guideline 1.3.
https://developer.apple.com/app-store/review/guidelines/#kids
Once you start dealing with children under 13, you run into COPPA (the Children’s Online Privacy Protection Act), which the Federal Trade Commission enforces. Apple requires you to not include 3rd party analytics or advertising in apps targeted at children. You are still required to meet the other requirements (from the law, as well as from the guidelines). Should you operate in this space, I strongly recommend reviewing the use case(s) to ensure compliance.
Conclusion
Organizations who have previously done the work to comply with the GDPR are going to be in good shape for this transition, as a lot of the same work will be required. Many of the processes outlined for use with EU customers likely could be easily translated to comply with the new requirements of the App Store. With that said, there will still be work in adjusting the submission process and updating / using the new APIs.
For those that aligned with the CCPA (or haven’t aligned to CCPA/GDPR) the work will likely be a more uphill battle. CCPA by default allows “Opt-Out” of sharing (or ‘sale’), so all the mechanics of data collection have to be converted into an “Opt-in” for collection model. Additionally, this can affect some business models which subsidize parts of their app development or offerings through the collection and sale of data. Such avenues may be drastically reduced on iOS going forward. Developers will now need to offer the abilities previously only granted to residents of California to the entire iOS user base.
What remains to be seen is what effect, if any, this will have on which style of apps are offered on the App Store, and what their pricing will be. Will developers raise the cost of apps to offset the money they may have earned from data sales? If they do, will consumers pay it? How many consumers will consent to collection? Will we see a resurgence in contextual advertising? How badly will targeted advertising be affected?
Looking beyond the apps themselves… Will companies such as Bluekai (which recently announced plans to shut down in the EU due to GDPR) bow out of iOS? Will Facebook actually shut down their AudienceNetwork on iOS? These and more are real scenarios we may see play out over the next year. Will we ultimately see a contraction in the number of companies in the marketing industry?
These are currently all unanswered questions, but one thing is for sure: the next year will be most interesting in observing the impact.