App privacy questions requirement starts December 8

Answering App Privacy Questions

What questions, you might ask? These questions.

App developers now have to answer a series of questions about what they collect and which data is used for tracking – this article covers how to approach and answer these questions appropriately.

The Best Policy – Honesty

It’s becoming common practice for app developers, and SDKs they integrate, to gather tons and tons of data as you interact with their apps. Fortunately, Apple now provides a way for developers to explicitly disclose precisely how those apps collect this data, as well as what they do with it. Even so, it’s understandable to be concerned about what you report to the App Store about how you collect data from your users.

Even the shadiest app developers that employ the shadiest and most invasive tracking are able to report that they don’t collect any data. This is exactly why we’re worried that our apps look bad in comparison to apps from developers who aren’t as open in their answers.

Still – this is your chance to set the bar, and be fully up front about what you gather from users. Apple may become more active in conducting app privacy audits in the future. We know that they already analyze your binary for the presence of certain libraries such as RevenueCat.

What data do you collect?

Answering these new app privacy questions requires you to first gather a list of the data that you collect. In this context, collecting data means transmitting data off of the device and keeping it beyond what’s required to service requests in real time. To ensure you are covering all of your bases:

  1. Make a list of all URLSession requests your app makes.
  2. For each request, check if it transmits any of the types of data listed here.
  3. Determine whether the data is kept beyond what is required to service the request in real time, because that means you collect that type of data.
  4. For each type of data that you collect determine the type of data use (from this list) and whether the data is linked to the user’s identity.
  5. For each type of data determine whether the data is used for tracking.

That will give you a fairly comprehensive list of the data types you collect, use, and track – but you can’t stop there. You still need to list the data types collected from your app by third-party SDKs that you’ve integrated.

What data do third-party SDKs in your app collect?

Your answers to these questions must also take into consideration the data that third-party code running in your app collects. You’ll need a different approach for determining the data collected here, because you may not have the ability to inspect this code.

As a developer, it’s your responsibility to give the best effort you can to determine the data collected by partner code running in your app. Here’s some ideas to keep in mind as you sleuth through this process:

  • Read the SDK documentation and privacy policy
  • Read the GDPR and California Consumer Privacy Act notices
  • Sniff the SDK’s network traffic using Charles Proxy
  • Disassemble the SDK using Hopper

For example – my app only uses the New Relic Mobile Monitoring SDK. Fortunately, New Relic includes a section covering data privacy in their SDK documentation. I was able to combine that information with the event attributes browser to understand all the private data they collect.

However, I noticed that their SDK, by default, saves a coarse location with each event. I don’t use this data, but because it gathers this data from my app, I would need to disclose it. New Relic allows you to configure a setting to drop specific attributes before it saves events. Utilizing that setting, I was able to prevent New Relic from collecting coarse location data.

How do you classify saving IP addresses with app events?

The list of data types doesn’t include IP addresses, but you can usually determine the approximate location of an IP address. It won’t give you a precise location, but it will give you a coarse location. I would classify collecting IP address as collecting coarse location, and I would disclose it as such.

Apple’s additional guidance has been updated to direct developers to declare collecting IP addresses based on how they are used such as for precise location, coarse location, device ID, or diagnostics.

Updated February 23, 2021

Do you need to disclose the data Apple collects from your app?

Apple automatically collects product interaction and crash data from users that opt-in. This data is made available to developers in App Analytics and in the “Crashes” tab in Xcode Organizer.

Do you need to include this data in your privacy answers? The way I read it you don’t, because Apple is the one collecting this data.

“You are not responsible for disclosing data collected by Apple.”


Nutrition Labels

These disclosures were introduced as an equivalent to food nutrition labels. This is a good analogy, because people will still use an app that’s the equivalent of a chocolate bar with a lot of sugar, yet it’s the responsibility of the developer to honestly disclose how their app collects, uses and tracks private data.

The terms used in these questions can be quite ambiguous, but I hope that this article will help you decipher them so that you can get back to building your app. If you enjoy articles like this please subscribe and share.