Solving Apple’s New App Privacy Requirement

By and October 16, 2020Insights

Apple recently announced that it will require app developers to provide extensive, granular information about their app’s privacy practices on App Store Connect, such as the type of data collected from users as well as the identity of third parties and the specific purpose of the collection. (See https://developer.apple.com/support/app-privacy-on-the-app-store/.) NT Analyzer is equipped to provide organizations with a digestible and readily available report to meet this requirement.

Presumably, the failure to disclose this detailed information to Apple will get your proposed app (or new version of an existing app) barred from the app store.

Here’s specifically what Apple says:

Later this year, the App Store will help users understand an app’s privacy practices before they download the app on any Apple platform. On each app’s product page, users can learn about some of the data types the app may collect, and whether that data is linked to them or used to track them. You’ll need to provide information about your app’s privacy practices, including the practices of third-party partners whose code you integrate into your app, in App Store Connect starting this fall.

These requirements include, among other things:

  1. Answering app privacy questions: “You should identify all possible data collections and uses, even if certain data will be collected and used only in limited situations.”
  2. Data collection: “You’ll need to know the types of data that you and/or your third-party partners collect from your app before answering the questions in App Store Connect.”Apple provides a list of data, which includes not only traditional identifiers like email address, financial info, and name, but also: (i) precise and coarse location, (ii) user ID, (iii) device ID, (iv) advertising data, and (v) “any other data types not mentioned.”
  3. Data use: “You should have a clear understanding of how each data type is used by you and your third-party partners,” including: (i) third-party advertising, (ii) analytics, and (iii) app functionality.
  4. Data linked to the user: “You’ll need to identify whether each data type is linked to a user’s account, device, or identity by you and/or your third-party partners.”According to Apple, this notably includes, “‘Personal Information’ and ‘Personal Data,’ as defined under relevant privacy law” – i.e., CCPA and GDPR, respectively.
  5. Tracking: “You’ll need to understand whether you and/or your third-party partners use data from your app to track users and, if so, which data is used for this purpose” such as, “[d]isplaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies.”

Product Note: Granular data detection and third party identification is what NT Analyzer does best. And it produces an easily digestible, verified report that includes a full range of data collected from users and transmitted to third parties, enabling organizations to meet Apple’s privacy disclosure requirements. The report includes, among other things, traditional identifiers such as name and email address, as well as location data, tracking IDs, technical IDs, advertising IDs, device IDs, and the identification of relevant third parties.

The NT Analyzer tool suite also identifies client-side privacy/security events and maps those technical events to legal compliance baselines, and includes recommendations and mitigations regarding the same.

Reach out today for a demo of NT Analyzer to learn how your organization can meet its data protection and privacy compliance needs, especially in a time when big B2C companies continue to change the landscape in an ever-growing privacy-conscious world.

Steven Roosa

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.

More posts by Steven Roosa
Steven Roosa

Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the New York office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.

More posts by Daniel Rosenzweig