Apple Privacy Manifest
The Apple Privacy Manifest is a document required for every app on the App Store, detailing the data the app collects and how that data will be used.
What is the Apple Privacy Manifest?
Apple requires every app in its App Store to have a Privacy Manifest. This is a file that must be added to the app’s code, setting out the type of data it collects and the reasons for the collection. Xcode summarizes these files into a report, then the information is scanned and uploaded into the app’s privacy information section on the App Store.
You can read Apple’s official documentation here.
Introduced at Apple’s Worldwide Developers’ Conference 2023 (WWDC23), the Privacy Manifest is part of Apple’s ongoing privacy initiatives aimed at enhancing user transparency and protecting personal data. It ensures developers clearly disclose their data collection practices, specifically in relation to third-party SDKs embedded within an app.
Before this requirement, app developers often didn’t know what data their third-party SDKs were collecting or where it was used.
Why did Apple introduce the Privacy Manifest?
In 2022, Apple announced Privacy Nutrition Labels, which required apps to provide information about an app’s privacy practices for an average user.
Privacy Manifests are the next iteration of Nutrition Labels, providing users with even more information about how their data is being collected and used. Since all apps, including third-party apps and plugins connected to your app, have their own Privacy Manifests, Apple simplifies the process by allowing you to roll them up into a single Manifest for your app.
This ultimately brings the industry closer to ending probabilistic attribution and fingerprinting, or data connected to a specific device like IP addresses, phone model, installed apps, and even GPS location. Requiring developers to declare their data usage prevents API misuse and ultimately pushes SKAdNetwork as the main attribution tool for advertisers.
What are the main features of an Apple Privacy Manifest?
Starting with iOS 17, every new or updated app must include the following information:
Data usage: NSPrivacyTracking
This is a key that indicates if the app asks for permission to track users across other companies’ apps and websites. It’s based on Apple’s App Tracking Transparency (ATT) framework, which mandates that apps must get user consent before engaging in any tracking.
External domains: NSPrivacyTrackingDomains
Any external domains used by the app or a third-party SDK must be listed in the Privacy Manifest to ensure transparency about potential tracking. Domains that don’t follow Apple’s latest privacy rules and ATT requirements may be blocked by Apple unless the user opts in.
Nutrition Labels: NSPrivacyCollectedDataTypes
These labels list the types of data your app or third-party SDK collects about users and why it’s collected. Developers can easily use Xcode to generate a privacy report, which provides a summary of the data collected by the app and any linked third-party SDKs.
Each NSPrivacyCollectedDataTypes will include:
- The type of data collected
- Indication if data is linked to the user
- Indication if data tracks the user
- Reasons for collecting data
Here’s an example of contact information being collected via Apple’s official documentation:
Required reasons API: NSPrivacyAccessedAPITypes
Fingerprinting is prohibited, even if a user consents to tracking. This eliminates fingerprinting whether in your own code or through a third-party SDK. In this section, you need to clearly explain why your app or third-party SDK on iOS, iPadOS, tvOS, visionOS, or watchOS uses these APIs, and ensure they’re only used for their intended purposes.
How to create and implement an Apple Privacy Manifest
Now that you understand all the pieces that go into the Apple Privacy Manifest, here’s a step-by-step guide to creating one of your own.
Step 1: Open Xcode
Step 2: Choose File > New File.
Step 3: Scroll down to “Resource” and select App Privacy File type.
Step 4: Click Next.
Step 5: Check your app or third-party SDK’s target in the Targets list.
Step 6: Click Create.
Note that the file is automatically named PrivacyInfo.xcprivacy, and this is the required file name for bundled Privacy Manifests. You will also need to add the Privacy Manifest file to your target’s resources for Xcode when you generate a privacy report.
Once the file is created, add the following keys to the dictionary at the top level of this property list file:
- NSPrivacyTracking
- NSPrivacyTrackingDomains
- NSPrivacyCollectedDataTypes
- NSPrivacyAccessedAPITypes
Key takeaways
- The Apple Privacy Manifest is a required document for all App Store apps, outlining the data collected and its intended use.
- Introduced to enhance transparency and build on Privacy Nutrition Labels, it helps prevent fingerprinting and pushes SKAdNetwork for attribution.
- It includes key components like tracking permissions (NSPrivacyTracking) and external domain declarations (NSPrivacyTrackingDomains).
- Developers must list the types of data collected (NSPrivacyCollectedDataTypes) and the APIs used (NSPrivacyAccessedAPITypes), ensuring compliance with Apple’s rules.
- Developers can easily create a Privacy Manifest in Xcode, following a straightforward process to meet Apple’s privacy standards.