Apple’s new rules require that each app have its own privacy policy so that consumers are better informed about how the app will use, collect, distribute or protect their privacy. These changes came into force on October 3, 2018 and apply not only to new apps, but app updates as well. These new requirements apply regardless of whether or not an internet connection is required for the app to function.
How is the data being used?
According to the new rules, an iOS app’s privacy policy must contain information including the kind of data the app collects and how it is used. For example, all apps must have explicit consent to use information from Contacts, Photos or other APIs that store user data. Similarly, your app should neither attempt to develop user profiles based on collected data, nor encourage others to do so. This is true even if the data is collected in an “anonymized”, “aggregated”, or otherwise non-identifiable way.
Who is using the data?
Generally speaking, businesses are not allowed to transmit or share someone’s personal information – and apps are no exception. In line with this approach to data protection, your app’s privacy policy needs to advise users of any third parties you share data with, such as analytics tools, advertising networks, etc. Are there any parent companies or subsidiaries that will be accessing the data? This needs to be included in the policy so consumers have a full understanding of how their data will be used and who will use it.
In line with current and emerging privacy laws, apps should collect only the minimum of data required for the relevant task. Minimizing gratuitous data collection is a key component of most privacy regimes at this time and Apple’s new rules reflect this concern.
Consent to Collect Data Required
If your app collects data from users, the user must consent to this. Likewise, the app must include a mechanism for the user to withdraw their consent at a later time. Withdrawing consent must be easy to do and understandable for the average user.
The Right to be Forgotten
The right to be forgotten has become a buzz phrase in the privacy world with the advent of Europe’s GDPR. Users or consumers in Europe, and possibly soon in Canada as well, have the right to have their data deleted. This is referred to as “the right to be forgotten”. This needs to be worked into the app’s policy as well if you have users in the EU. The policy needs to explain the data retention and deletion policies and describe how a user can revoke their consent.
Additional Considerations
Making sure your apps comply with these new policy requirements will not only allow you to avoid issues with Apple, but will go a long way to ensuring your app is in compliance with the law across multiple jurisdictions. It also helps create a relationship of trust between your company and its customers.
While it may be tempting to mine the data collected through your app, data collection has to be done carefully and with consent of the users. Today’s privacy landscape goes a long way toward protecting consumers. If your policies run afoul of this new trend, you risk public condemnation and a loss of consumer confidence in your business model.
Whether you already have some iOS apps, or you’re considering building some, it’s important to talk with an expert in privacy and data management. This will ensure your plans and strategies are consistent with current and emerging policies.