In WWDC23, Apple released the Privacy Manifest for Apps and Third-party SDKs, marking a pivotal update. This initiative requires developers to assume complete accountability for all code integrated into their applications. Moving forward, all apps and third-party SDKs distributed in various formats, such as XCFrameworks and Swift packages, as well as within Xcode projects, will contain a privacy manifest.
The Privacy Manifest is a property list file named PrivacyInfo.xcprivacy. This file serves as a comprehensive repository, detailing the types of data collected by apps or third-party SDKs, along with the explicit reasons for their collection.
Starting March 13, 2024, any new or updated app uploaded to App Store Connect that utilizes APIs requiring approved reasons will trigger a notification from Apple. This notification alerts developers if their app's approved reasons are absent. This requirement will become mandatory on May 1, 2024, spanning iOS, iPadOS, tvOS, visionOS, and watchOS platforms.
Apple has provided a list of commonly used SDKs, and it is required to incorporate the privacy manifest for any SDK from this list when submitting new apps to App Store Connect or updating existing apps to include these SDKs. Failure to do so may result in non-compliance with Apple's privacy guidelines.
- AFNetworking
- Alamofire
- Charts
- Cordova
- Firebase SDKs
- Flutter
- Google SDKs
- RxSwift
- SwiftyJSON
- more
Create a Privacy Manifest
To add a privacy manifest file to your app or third-party SDK in Xcode, follow these steps:
- Open an Xcode project.
- Go to the "File" menu.
- Select "New" and then "File."
- In the dialog, navigate to the "Resources" section.
- Select “App Privacy File.”
- Click "Next."
- Ensure the "Targets" list includes your app, extensions, or third-party SDK's targets.
- Click "Create" to generate the privacy manifest file.
Creating Privacy Manifest
While adding a privacy manifest to your app or third-party SDK target in Xcode, ensure to name the file "PrivacyInfo.xcprivacy" as it's the required filename for bundled privacy manifests. Add this file to all required targets to generate a comprehensive privacy report for the app. Xcode automatically places this file depending on the product type and the platform. The privacy manifest should be at the root of the app's bundle for iOS, iPadOS, tvOS, visionOS, or watchOS apps.
Depending on the target, you can use different placeholders to add the PrivacyInfo.xcprivacy property list file. For detailed instructions, refer to Apple's documentation here.
Building PrivacyInfo.xcprivacy
Let's initiate the creation process for the PrivacyInfo.xcprivacy file. At this initial stage, it's crucial to understand the supported keys that will form the foundation of the property list file. These keys, essential for structuring the dictionary within the file, delineate the fundamental aspects of data privacy and collection practices within the context of the app or third-party SDK. Embed PrivacyInfo.xcprivacy in the app or SDK with empty values if the app or SDK is not tracking any data.
Supported Keys:
- Privacy Tracking Enabled (NSPrivacyTracking): A boolean value indicating whether the app or third-party SDK uses data for tracking purposes as defined in the App Tracking Transparency framework.
- Privacy Tracking Domains (NSPrivacyTrackingDomains): If granted tracking permission through the App Tracking Transparency framework, set Privacy Tracking Enabled to true and provide an array of strings containing the internet domains your app or third-party SDK connects to for tracking purposes. If tracking permission is not granted, the app will receive an error and network requests to these domains will fail.
- Privacy Nutrition Label Types (NSPrivacyCollectedDataTypes): Within the PrivacyInfo.xcprivacy file, include an array of dictionaries outlining the data types collected by your app or third-party SDK. Each dictionary should detail specific data types along with their corresponding descriptions. Refer to the section 'Describe the data collected by the app or SDK' for guidance on the keys and values to use within these dictionaries.
- Privacy Accessed API Types (NSPrivacyAccessedAPITypes): Include an array of dictionaries within the PrivacyInfo.xcprivacy file to describe the API types accessed by your app or third-party SDK. Focus on APIs that require reasons for access. Consult the 'Describe the use of required APIs' section for guidance on the appropriate keys and values to use within these dictionaries.
Describe the Data Collected by the App or SDK:
We must describe the data collected by the app or third-party SDK in this section. To add appropriate values to the array of privacy, nutrition, and label types, we will construct a dictionary with specific keys (NSPrivacyCollectedDataTypes).
- Collected Data Type (NSPrivacyCollectedDataType): A string indicating the type of data collected, selected from Apple's provided list of categories with supported values. Choose a value from the list of data types offered by Apple that aligns with the nature of the data collected by your app or third-party SDK. For a comprehensive list of supported values, refer to Apple's documentation here.
- Linked to User (NSPrivacyCollectedDataTypeLinked): A boolean value indicating whether this specific data type is associated with the user's identity in your app or third-party SDK.
- Used for Tracking (NSPrivacyCollectedDataTypeTracking): A boolean value indicating whether your app or third-party SDK utilizes this data type for tracking purposes.
- Collection Purposes (NSPrivacyCollectedDataTypePurposes): An array of strings enumerating the reasons for which your app or third-party SDK collects the data. Choose these reasons from Apple's list, each corresponding to a specific code. Refer to the documentation for the complete list of supported values here.
Describe the Use of Required Reasons APIs:
Integrating APIs or SDKs into your apps or SDKs may facilitate core functionalities; it's important to list the APIs that may have the capability to track device signals, devices, or user data. Apple has categorized these APIs accordingly, and if you utilize any of them, you need to provide explicit reasons for their usage. Define and add to the array of Privacy Accessed API Types (NSPrivacyAccessedAPITypes).
- Privacy Accessed API Type (NSPrivacyAccessedAPIType): The string representing the category of required reason APIs that your app utilizes. Apple offers a list of supported values for each category. Select an appropriate value from the provided list. For the complete list of supported values, refer to Apple's documentation here.
- Privacy Accessed API Reasons (NSPrivacyAccessedAPITypeReasons): An array of reasons why your app utilizes the APIs. Apple provides a list of supported arguments. Select an appropriate value from the provided list. For the complete list of supported values, refer to Apple's documentation here.
Privacy Manifest
App Privacy Report:
This report provides valuable insights into the data collected by the app. It helps understand what kind of data the app is tracking and why. To generate a privacy report, follow these steps:
- Build your app and create an archive ("Product" → "Archive").
- Xcode will compile the archive and reveal it in the organizer.
- Control-click on the archive, and from the context menu, select "Generate Privacy Report."
- Choose the location to save the report.
Generating report
Sample Privacy Report:
Sample
Conclusion:
For developers, privacy manifests are a valuable tool for documenting the types of data collected, the purposes for collection, and any associated tracking activities. This facilitates compliance with privacy regulations and guidelines, such as those set forth by Apple's App Tracking Transparency Framework. By clearly outlining data practices, developers can build trust with users and mitigate potential privacy concerns. Privacy manifests provide users with valuable insights into apps' data-handling practices. By reviewing the App Privacy section in the App Store, users can make informed decisions about which apps to install and trust with their personal information. This empowers users to protect their privacy and make choices aligned with their preferences and values. Overall, privacy manifests play a pivotal role in providing transparency, accountability, and trust in the digital ecosystem, benefiting both developers and users.
Safari App Privacy