Apple has begun to publish privacy summaries in all of its app stores across iOS, iPadOS, macOS, watchOS, and tvOS, with developers now needing to answer a questionnaire as part of submitting an app or update.
Cupertino says this requirement applies to all developers including itself. Developers are required to tell Apple whether apps collect information such as names, email address, phone numbers, home addresses, and health and fitness data.
The information provided into the summary is broken down into three types: Data used to track you, data linked to you, data not linked to you.
The first category is defined as data that is combined with data from other apps or sites for the purposes of advertising or harvesting from data brokers, and the linked category is data that is tied to a user account on the app or device.
Users are still able to deny permissions within the app if they so choose.
The summary is based entirely on the answers provided by the developer, with the existing app review process remaining separate.
On the question of how developers will know what the privacy implications of the libraries they use are, Apple said it is seeing SDK makers updating their documentation in a way that provides information on privacy, but it remains the responsibility of developers to answer for the whole application.
Apple said it may follow up with developers if the information provided is found to be incorrect or users report a discrepancy, and failure to honestly answer the questions has the potential to lead to delisting. The company added that national data regulators could treat the privacy summary as a public statement on which to regulate and base decisions upon.
The current summary is not set in stone, with Apple saying it would evolve the requirement as time passes. The new information was first flagged in July.
Next year, Apple will begin forcing developers to show users the new app tracking permission prompt when apps want to track users. The prompt arrived in the recent iOS 14 release.
Cupertino also unveiled a privacy policy update on Monday, which was touted as complying with European GDPR definitions.
“We treat any data that relates to an identified or identifiable individual or that is linked or linkable to them by Apple as ‘personal data’, no matter where the individual lives,” the policy states.
“This means that data that directly identifies you — such as your name — is personal data, and also data that does not directly identify you, but that can reasonably be used to identify you — such as the serial number of your device — is personal data.”
The policy says Apple does not use “algorithms or profiling” to make decisions that would significantly impact customers without a human conducting a review.
The updated policy also applies to its partners and service providers, which includes the likes of Goldman Sachs.
Apple said the data it collects from browser cookies is treated as “nonpersonal data”, but when combined with other personal data it holds, it falls under the personal data remit.