New Privacy Standards Coming to Apple & Google App Stores

App Privacy Requirements Added to the iOS App Store & Mac App Store

At WWDC 2020, back in June, Apple announced it would start asking app makers to disclose the data they access and collect so that users can make more informed decisions about the apps they download.

The update — which was pushed out last week — populates the app stores with all-new privacy labels that make that information transparent and easy to digest for users.

iOS and macOS developers are now required to provide detailed information about the data they collect, how their apps collect it, and what it’s used for. If makers fail to share this, the app may be banned from Apple platforms. The required information includes revealing any analytics tools, ad networks, third-party SDKs, or other vendor code added to the app.

The “privacy labels” show on the apps’ pages in the App Stores, so that users see how their data is handled before downloading instead of having to parse through hidden privacy policies.

It’s a move away from having users dig through lengthy privacy policies — which we know most people don’t read anyway.

Are App Privacy Labels Mandatory?

Apple allows data disclosure to be optional if ALL of the following conditions apply:

• if it’s not used for tracking, advertising, or marketing;
• if it’s not shared with a data broker;
• if the collection is infrequent, unrelated to the app’s primary function, and optional;
• and if the user chooses to provide the data in conjunction with clear disclosure, the user’s name or account name is prominently displayed with the submission.

What Information Do App Makers Need to Submit?

Developers are invited to submit the information via the App Store Connect website. Apple’s Developer site cautions that developers will be required to disclose all the information they and their third-party partners collect — including things like name, address, phone number, email, certain health and fitness data, payment info, location, contacts, text messages, photos, search and browsing history, purchase history — and keep their “labels” up to date.

There are two main categories of information to disclose:

1. data linked to a user, and
2. data used to track a user.

1. Data Used to Track a User

App makers need to analyze and submit any data that is used to track a user. This includes things like contact information, location, and identifiers. This also applies to third-party apps and websites.

So What Does This Mean for My App & Developers?

Start analyzing and inventorying what, how, and why your app collects users’ data.

This can range from how data is linked to other third parties, to what data is used to track a user. Mapping out how your app links and interacts with third parties will be key.

From a commercial perspective, you should consider that if a potential user sees you track and collect their personal data, then they may not want to download your app. Try building your app with a privacy by design approach (like we did with Convert), or find ways to reduce data tracking and collection.

Google Chrome Web Store

Privacy requirements will soon impact app makers on Google platforms too. Come next year, Google Chrome extensions will require more details on the data collected, as per Google’s new set of policies.

Starting January 2021, developers of Chrome extensions will have to

1. certify their data use and privacy practices, and
2. provide information about the data collected by the extension(s), in clear and easy to understand language, in the extension’s detail page in the Chrome Web Store.

Regarding what developers can do with the data they collect, Google has four new policies:

1. Ensuring the use or transfer of user data is for the primary benefit of the user and in accordance with the stated purpose of the extension.
2. Reiterating that the sale of user data is never allowed. Google does not sell user data and extension developers may not do this either.
3. Prohibiting the use or transfer of user data for personalized advertising.
4. Prohibiting the use or transfer of user data for creditworthiness or any form of lending qualification and to data brokers or other information resellers.

When this update rolls out, users will be able to get a fuller picture of how Chrome extensions treat their personal data. Every extension detail page in the Chrome Web Store will display information about what kind of data it collects in clear and concise language.

If a developer fails to provide these details, a notice will be shown informing users that the developer hasn’t certified their compliance yet.

Developers will be required to provide data usage disclosures when publishing or updating extensions, so it seems like most developers should get on board quickly.

Convert’s Google Chrome Debugger Extension

In October this year, we uploaded our updated Convert Debugger Chrome Extension to the Chrome Web Store and had to go through this privacy exercise ourselves.

Our extension isn’t collecting anything that could be used outside of the extension itself so these are all the checkboxes we ticked:

Aside from the extension-focused changes, Google has also been increasing its privacy requirements for Android apps distributed through Google Play, but its demands aren’t as extensive as Apple’s yet.

Positive Steps Towards a Privacy-Focused World

Most of these new features tie into our efforts to offer more transparency and control to users. We welcome Apple’s and Google’s move towards helping users understand privacy policies and how their data will be used and linked to an app/extension.

The problem with the latest privacy transparency push is that the companies shift the responsibility on app/extension users and developers. The penalties for developers who don’t comply with the store policies are not enough to stop those that are abusing them.

Will these changes stop users from downloading an extension that is not privacy focused? Will most users actually read the information provided in the Privacy practices tab? Will users stop interacting with apps that are tracking personal data?

Privacy rules tied to Europe’s GDPR and California’s CCPA have produced few actual changes in consumer behavior because they substantially place the burden on users to understand and engage with the opt-in/opt-out tools.

We hope that with Apple’s new labeling and Google’s new policies, many people may change the way they interact with apps and extensions and prioritize those that make efforts to respect their privacy.