Privacy Labels for iOS and Mac Apps Are Coming

Starting Dec. 8, developers will need to provide information about what kind of data their apps collect and how the data will be used. Just as food manufacturers are required to print nutritional labels on food to provide nutrition information such as calories and ingredients, these apps will have “privacy labels” telling users upfront how the apps use information.

The developer-reported information—all the different types of data being collected, how the data is linked to the user (if at all), and whether the data is used for tracking purposes—will be displayed on the app’s page in the iOS App Store and Mac App Store, Apple said on its developer support page. There is no exception to this requirement: new and existing apps must have this information if they are to remain in the app stores.

The goal is to make it easy for the user to know exactly what the app will do before installing the app.

Developers have to submit the information—such as names, email addresses, contact numbers, and physical addresses—through the App Store Connect website, and identify all possible uses for that data. That is the case even if the app is using it for limited purposes. For example, if the app needs the user’s location, it will be displayed on the label (even if it never gets shared with third parties).

Apple said back during WWDC 2020 in June that it would start requiring developers to provide this information. The requirement goes hand-in-hand with iOS 14’s ad anti-tracking feature. The goal is to make that information readily available at the moment the app is being downloaded and installed, instead of making users scroll through lengthy and often confusing privacy policies.

Even the most privacy-conscious users have a difficult time understanding what apps are doing with their data. Recent Duo Labs research found that data brokers have a lot of information about users that was collected via apps, but users rarely know which apps provided which piece of information to the brokers. The only way to even start untangling that snarl of data relationships is to look at what software development kits app developers are using, or to trace data partners from one app to another. It is time-consuming and the user still doesn't have a complete picture.

Apple’s requirement to force developers to reveal what apps are doing with user data is a good step for privacy, but the fact that this is developer-provided means there are too many loopholes. It is up to the developer to make sure the labels are up-to-date and reflect the latest information whenever changes are made or functionality added. There doesn’t seem to be a mechanism for Apple to verify developers are telling the whole truth about their data partnerships, so users are left hoping that maybe they know enough from the labels to make an informed choice.

The developer-provided responses should “follow the App Store review guidelines and applicable laws,” Apple said on its developer page. “Examples of data that may not need to be disclosed include data collected in optional feedback forms or customer service requests that are unrelated to the primary purpose of the app and meet the other criteria above. For the purpose of clarity, data collected on an ongoing basis after an initial request for permission must be disclosed.”