Privacy Manifest (Third-Party SDKs requirements)
Introduction
User privacy remains Apple’s paramount concern, and it must not be compromised under any circumstances. To reinforce this commitment, Apple has introduced stringent requirements for third-party SDKs. While these SDKs offer valuable functionality for apps, they also have the potential to impinge upon user privacy through data collection and tracking. As the custodian of the SDKs and third-party integrations within your app, it is incumbent upon you to stay vigilant regarding data collection practices and uphold user privacy standards.
In response to evolving privacy concerns, Apple has introduced new developer requirements. Since 2023, developers have been notified via email that by spring 2024 they must include a privacy manifest file for listed SDKs when submitting app updates or new apps to the App Store. Additionally, signatures are now mandatory for binary dependencies associated with these SDKs, as specified by Apple. These measures aim to enhance transparency and accountability in data handling practices within apps distributed through the App Store.
Privacy Manifest
The Privacy Manifest File follows a standardized format akin to the Info.plist. As you prepare to release your app, Xcode amalgamates all privacy manifests from the third-party SDKs used in your app. Subsequently, you can generate a comprehensive summary report.
Create privacy manifest files
Creating a privacy manifest file in Xcode involves creating a PrivacyInfo.xcprivacy file and populating it with the necessary keys and values. Here’s how you can do it:
- Open Xcode: Launch Xcode on your Mac.
- Go to “File” > “New” > “File…” or press Command+N.
- Choose “App Privacy” under the “Resource” section and click “Next.”
- Do not rename the file; save it under its default name (PrivacyInfo).
The file comprises four keys within a dictionary, describing the tracking, data collection and API usage of your application. These keys are outlined below:
NSPrivacyTracking (Privacy Tracking Enabled)
A Boolean value that indicates whether the app or third-party SDK uses data for tracking, as defined under the App Tracking Transparency (ATT) framework. If you are not using the App Tracking Transparency framework, you can set it to false.
NSPrivacyTrackingDomains (Privacy Tracking Domains)
A list of internet domains, used by your app or any third-party SDK, that engage in tracking. If you have set NSPrivacyTracking to true, you must list at least one domain in NSPrivacyTrackingDomains; otherwise, you can leave the list with zero entries.
NSPrivacyCollectedDataTypes (Privacy Nutrition Label Types)
Within this section, you must include the types of collected data. Each entry carries Boolean indicators for whether the data is linked to the user and whether it is used for tracking, along with the intended purposes of collection. It aligns with the App Store nutrition label guidelines, which are already outlined in your developer account.
NSPrivacyAccessedAPITypes (Privacy Accessed API Types)
Within this section, you are required to list all Privacy Accessed API Types as specified by Apple. You must then select the relevant reasons according to your app’s behavior.
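The four keys above can be checked mechanically before submission. The following is an added example, not Apple's or Xcode's own tooling: it parses a manifest with Python's plistlib and reports the inconsistencies described above. The function names and the sample manifest are constructed for illustration, and treating all four keys as mandatory is a policy assumption.

```python
import plistlib

# The four top-level keys described above (with plist types) and Apple's per-entry data type keys.
TOP_LEVEL = {"NSPrivacyTracking": bool, "NSPrivacyTrackingDomains": list,
             "NSPrivacyCollectedDataTypes": list, "NSPrivacyAccessedAPITypes": list}
DATA_TYPE_KEYS = ("NSPrivacyCollectedDataType", "NSPrivacyCollectedDataTypeLinked",
                  "NSPrivacyCollectedDataTypeTracking", "NSPrivacyCollectedDataTypePurposes")

def _entries(manifest, key):
    """Dictionary entries of a list-valued key; anything else yields nothing."""
    value = manifest.get(key)
    return [e for e in value if isinstance(e, dict)] if isinstance(value, list) else []

def validate_manifest(raw):
    """Return human-readable findings for one PrivacyInfo.xcprivacy payload."""
    try:
        manifest = plistlib.loads(raw)
    except Exception as exc:  # malformed XML or binary plist
        return [f"not a valid property list: {exc}"]
    if not isinstance(manifest, dict):
        return ["top-level object is not a dictionary"]
    findings = []
    for key, kind in TOP_LEVEL.items():  # assumption: all four keys must be explicit
        if not isinstance(manifest.get(key), kind):
            findings.append(f"{key}: missing or not a {kind.__name__}")
    # Rule from the text: tracking enabled requires at least one tracking domain.
    if manifest.get("NSPrivacyTracking") is True and not manifest.get("NSPrivacyTrackingDomains"):
        findings.append("NSPrivacyTracking is true but NSPrivacyTrackingDomains is empty")
    for i, entry in enumerate(_entries(manifest, "NSPrivacyCollectedDataTypes")):
        missing = [k for k in DATA_TYPE_KEYS if k not in entry]
        if missing:
            findings.append(f"collected data type #{i}: missing {', '.join(missing)}")
    for entry in _entries(manifest, "NSPrivacyAccessedAPITypes"):
        if not entry.get("NSPrivacyAccessedAPITypeReasons"):
            findings.append(f"{entry.get('NSPrivacyAccessedAPIType')}: no reason listed")
    return findings

# Constructed sample: tracking is on with no domains, and one entry lacks its purposes.
SAMPLE = plistlib.dumps({
    "NSPrivacyTracking": True, "NSPrivacyTrackingDomains": [],
    "NSPrivacyCollectedDataTypes": [{
        "NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeCrashData",
        "NSPrivacyCollectedDataTypeLinked": False,
        "NSPrivacyCollectedDataTypeTracking": False}],
    "NSPrivacyAccessedAPITypes": [{
        "NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
        "NSPrivacyAccessedAPITypeReasons": ["CA92.1"]}]})

if __name__ == "__main__":
    print("\n".join(validate_manifest(SAMPLE)) or "no findings")
```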
How to generate an app privacy report
Xcode has the capability to generate a privacy report by combining the privacy information from your app and any third-party software development kits (SDKs) it’s associated with. This report is invaluable for gaining insights into the data your app gathers and whether it monitors user activity. To create the privacy report for your app, follow these steps:
- Open your project in Xcode.
- Choose Product > Archive. Xcode creates the archive and reveals it in the organizer.
- Control-click the archive in the organizer and choose Generate Privacy Report.
- Choose a location to save the privacy report.
The report is saved in PDF format. It encompasses a comprehensive overview of both the SDKs and your app. If the report shows no entries for third-party SDKs, please ensure that you’re using the latest SDK version with privacy manifest support. Afterward, archive your project again and generate the report. This document solely contains your app’s privacy “nutrition labels” and those of third-party SDKs. You can use this report as a reference when providing privacy details for your app in App Store Connect.
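The same aggregation can be approximated outside Xcode, which helps when an SDK is absent from the PDF. This added example (not Xcode's implementation) walks a built .app, merges every PrivacyInfo.xcprivacy it finds, and lists embedded components that ship none. It assumes each SDK is embedded as a .framework or .bundle directory with the manifest at its root; the bundle and SDK names are hypothetical.

```python
import plistlib
import tempfile
from pathlib import Path

MANIFEST = "PrivacyInfo.xcprivacy"

def summarize_bundle(app_dir):
    """Merge the manifests under a built .app and list components that ship none."""
    app = Path(app_dir)
    report = {"tracking_domains": set(), "data_types": {}, "missing": []}
    for path in sorted(app.rglob(MANIFEST)):
        with open(path, "rb") as fh:
            manifest = plistlib.load(fh)
        owner = path.parent.name  # assumption: manifest sits at the component's root
        report["tracking_domains"].update(manifest.get("NSPrivacyTrackingDomains", []))
        for entry in manifest.get("NSPrivacyCollectedDataTypes", []):
            kind = entry.get("NSPrivacyCollectedDataType", "unknown")
            report["data_types"].setdefault(kind, []).append(owner)
    for comp in sorted(app.rglob("*")):
        if comp.is_dir() and comp.suffix in (".framework", ".bundle"):
            if not any(comp.rglob(MANIFEST)):
                report["missing"].append(comp.name)
    return report

def build_sample(root):
    """Constructed bundle: the app and one SDK declare data, a second SDK has no manifest."""
    app = Path(root) / "Demo.app"
    crash = {"NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeCrashData"}
    layout = {
        app: {"NSPrivacyTracking": False, "NSPrivacyCollectedDataTypes": [crash]},
        app / "Frameworks" / "AnalyticsKit.framework": {
            "NSPrivacyTracking": True,
            "NSPrivacyTrackingDomains": ["tracking.example.com"],
            "NSPrivacyCollectedDataTypes": [crash]},
        app / "Frameworks" / "LegacyKit.framework": None,  # no privacy manifest
    }
    for directory, manifest in layout.items():
        directory.mkdir(parents=True, exist_ok=True)
        if manifest is not None:
            (directory / MANIFEST).write_bytes(plistlib.dumps(manifest))
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(summarize_bundle(build_sample(tmp)))
```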
Assumptions and queries
- Apple will typically send a reminder email if any third-party provider fails to include necessary keys in the privacy manifest file. Failure to rectify these omissions before the deadline (usually May 1, 2024) may result in app rejection. To address this issue, we can proactively add the missing key to our privacy files on behalf of the third-party SDK. Ultimately, we are accountable for ensuring compliance and therefore must take appropriate action to meet requirements.
- Apple mentioned that all versions of a listed SDK, and any SDKs that package or include those listed, are subject to the requirement. It is hard to identify whether any SDKs our app currently uses include any of the listed SDKs.
- If the privacy report only includes nutrition labels, how will Apple show the end user the NSPrivacyAccessedAPITypes and NSPrivacyTrackingDomains accessed by the app? (Somewhere on the App Store page?)
- In the near future, Apple will extend these requirements to apply to all third-party SDKs. For now, this is only for listed SDKs.
- What should be done if a third-party provider no longer supports an SDK that we are currently using? In such cases we are responsible for adding the necessary values to our app’s privacy file, or we can remove the SDK from the app and use an alternative.
Reference:
1. https://developer.apple.com/support/third-party-SDK-requirements/
3. https://developer.apple.com/documentation/bundleresources/privacy_manifest_files?language=objc