With the new iOS 14 update, Apple now requires developers to provide information about their privacy practices when submitting new apps and app updates to the Apple App Store, subject to certain exceptions. Some of these new requirements involve providing granular detail about your data collection and sharing practices.
So what information is required? To meet Apple’s new App Store privacy requirements, your company will need to identify:
The types of data collected from users;
The purposes for data use; and
Whether each data type is linked to the user’s identity (e.g., through the user’s account, device, or other details), by your company or your third-party partners.
What do I need to know about the data my app collects?
Apple’s requirements list 14 categories of data, including “Contact Information”, “Usage Data” and “Identifiers.” Within each data category, your company will be required to select the specific data elements your app collects, unless an exception applies. Examples of data elements include:
Name, email address, and phone number under Contact Information;
Product interaction and advertising data under Usage Data; and
User ID and device ID under Identifiers.
What do I need to know about how my app uses data?
For every data category your app collects from users, developers must also state the purposes for which the data is used, by both the developer and third parties.
“Purpose of collection” includes actions such as evaluating user behavior, displaying first-party ads, sending marketing communications, user authentication, and tracking, such as sharing data with third parties for targeted advertising.
What do I need to know about how my app links data to users?
Developers must identify the types of data linked to a user (e.g., Contact Information, Usage Data, and Identifiers). The result will show users which data types are:
To compile the information required to publish an app, developers need to understand, in fairly granular detail, their own data use as well as all third-party partners’.
How can my company gather information to meet these requirements?
Although Apple’s App Store privacy requirements are new, companies subject to privacy regulations, such as the GDPR and CCPA, may have this information readily available and documented in a data inventory as part of a larger privacy program.
Compiling a data inventory is the first step to understanding the detailed information a company collects. Data inventories document all third-party vendors, specific pieces of information collected, how this information is used, security measures protecting this information, and information flows, including sharing and transfer internally and externally.
To learn more about how complying with Apple App Store privacy requirements fits into your company’s overall privacy compliance program, check out our next blog post.
How can Aleada help?
Schedule a free 30-minute consultation with Aleada Consulting to discuss how Aleada can help your company with building or updating a Data Inventory and providing required information about your privacy practices to Apple. Contact us at [email protected].
*** This is a Security Bloggers Network syndicated blog from "Ask Aleada" Blog - Aleada Consulting authored by Kamarin Takahara. Read the original post at: https://www.aleada.co/ask-aleada-blog/2021/3/18/how-do-i-comply-with-apples-new-app-store-privacy-requirements