iOS App Tracking and Privacy info

Hey there Thunkers

This post is intended to help anybody who is currently publishing to the iOS App Store. A frequent issue that we see developers run into is a rejection email stating that they are engaged in some kind of tracking. The details below are to help you better understand what constitutes tracking, along with what might constitute private information.

The iOS App Store takes privacy very seriously, so you will need to comply with the rules and regulations listed below to make sure that your app can get published. It is important to be aware of any kind of tracking that may occur, and we as a company will continue to try to clarify which components involve which types of tracking.

Ultimately, it is up to you to understand these details and to disclose any additional tracking that you may engage in yourself.

Tracking

You’ll need to understand whether you and/or your third-party partners use data from your app to track users and, if so, which data is used for this purpose.

“Tracking” refers to linking data collected from your app about a particular end-user or device, such as a user ID, device ID, or profile, with Third-Party Data for targeted advertising or advertising measurement purposes, or sharing data collected from your app about a particular end-user or device with a data broker.

“Third-Party Data” refers to any data about a particular end-user or device collected from apps, websites, or offline properties not owned by you.

Examples of tracking include:

  • Displaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies.
  • Sharing device location data or email lists with a data broker.
  • Sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to retarget those users in other developers’ apps or to find similar users.
  • Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using a login SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.

The following situations are not considered tracking:

  • When the data is linked solely on the end-user’s device and is not sent off the device in a way that can identify the end-user or device.
  • When the data broker uses the data shared with them solely for fraud detection or prevention or security purposes.
  • When the data broker is a consumer reporting agency and the data is shared with them for purposes of (1) reporting on a consumer’s creditworthiness or (2) obtaining information on a consumer’s creditworthiness for the specific purpose of making a credit determination.

User Privacy and Data Use

The App Store is designed to be a safe and trusted place for users to discover apps created by talented developers around the world. Apps on the App Store are held to a high standard for privacy, security, and content because nothing is more important than maintaining users’ trust. In order to submit new apps and app updates, you need to provide information about some of your app’s data collection practices on your product page. With iOS 14.5, iPadOS 14.5, and tvOS 14.5 and later, you’re required to ask users for their permission to track them across apps and websites owned by other companies.

Describing How Your App Uses Data

The App Store better helps users understand an app’s privacy practices before they download the app. On each app’s product page, users can learn about some of the data types an app may collect, and whether the information is used to track them or is linked to their identity or device.

In order to submit new apps and app updates, you must provide information about your privacy practices in App Store Connect. If you use third-party code — such as advertising or analytics SDKs — you need to describe what data the third-party code collects, how the data may be used, and whether the data is used to track users.

Asking Permission to Track

With iOS 14.5, iPadOS 14.5, and tvOS 14.5 and later, you need to receive the user’s permission through the AppTrackingTransparency framework in order to track them or access their device’s advertising identifier. Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.

Examples of tracking include, but are not limited to:

  • Displaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies.
  • Sharing device location data or email lists with a data broker.
  • Sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to retarget those users in other developers’ apps or to find similar users.
  • Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using an analytics SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.

The following use cases are not considered tracking, and do not require user permission through the AppTrackingTransparency framework:

  • When user or device data from your app is linked to third-party data solely on the user’s device and is not sent off the device in a way that can identify the user or device.
  • When the data broker with whom you share data uses the data solely for fraud detection, fraud prevention, or security purposes. For example, using a data broker solely to prevent credit card fraud.
  • When the data broker is a consumer reporting agency and the data is shared with them for purposes of (1) reporting on a consumer’s creditworthiness, or (2) obtaining information on a consumer’s creditworthiness for the specific purpose of making a credit determination.

Using the AppTrackingTransparency Framework

To request permission to track the user and access the device’s advertising identifier, use the AppTrackingTransparency framework. You must also include a purpose string in the system prompt that explains why you’d like to track the user. Unless you receive permission from the user to enable tracking, the device’s advertising identifier value will be all zeros and you may not track them as described above.

While you can display the AppTrackingTransparency prompt whenever you choose, the device’s advertising identifier value will only be returned once you present the prompt and the user grants permission. Use the purpose string to explain what this data will be used for to help the user understand what they’re opting in to share. If the user allows apps to request to track, but has turned tracking off for your app, you can ask the user to change their preference for your app by providing a shortcut to Settings where they can change the tracking permission.

The ID for Vendors (IDFV) may be used for analytics across apps from the same content provider. The IDFV may not be combined with other data to track a user across apps and websites owned by other companies unless you have been granted permission to track by the user.

Frequently Asked Questions

Can I gate functionality on agreeing to allow tracking, or incentivize users to agree to allow tracking in the app tracking transparency prompt?

No, per the App Store Review Guidelines: 3.2.2 (vi).

Can I explain to users why I would like permission to track them before I show the tracking permission prompt?

Yes, so long as you are transparent to users about your use of the data in your explanation. Per the App Store Review Guidelines: 5.1.1 (iv), apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access.

If I have not received permission from a user via the tracking permission prompt, can I use an identifier other than the IDFA (for example, a hashed email address or hashed phone number) to track that user?

No. You will need to receive the user’s permission through the AppTrackingTransparency framework to track that user.

If a user provides permission for tracking via a separate process on our website, but declines permission in the app tracking transparency prompt, can I track that user across apps and websites owned by other companies?

Developers must get permission via the app tracking transparency prompt for data that’s collected in the app and used for tracking. Data collected separately, outside of the app and not related to the app, is not in scope.

Can I fingerprint or use signals from the device to try to identify the device or a user?

No. Per the Apple Developer Program License Agreement, you may not derive data from a device for the purpose of uniquely identifying it. Examples of user or device data include, but are not limited to: properties of a user’s web browser and its configuration, the user’s device and its configuration, the user’s location, or the user’s network connection. Apps that are found to be engaging in this practice, or that reference SDKs (including but not limited to Ad Networks, Attribution services and Analytics) that are, may be rejected from the App Store.

If I share data with a consumer reporting agency to conduct fraud checks, and separately share data with them as part of a credit check or for credit reporting purposes, do I need permission to track?

No. You do not need permission from the user when a data broker uses the data shared with them solely for fraud detection or prevention or security purposes. You also do not need permission from the user when sharing data with a consumer reporting agency and the data is shared with them for purposes of (1) reporting on a consumer’s creditworthiness, or (2) obtaining information on a consumer’s creditworthiness for the specific purpose of making a credit determination.

Do I need to use the AppTrackingTransparency framework to get user permission to use third-party deep-linking or deferred deep-linking tools?

Yes. If your application uses any third-party services that pass unique identifiers or create a shared identity of the user between applications from different companies for ad targeting, ad measurement or sharing with a data broker, your app will need to request permission from the user using the AppTrackingTransparency framework.

I have integrated an SDK from another company. Am I responsible for the data collection and tracking of users of my app by that company?

Yes. Developers are responsible for all code included in their apps. If you are unsure about the data collection and tracking practices of code used in your app that you didn’t write, we suggest contacting the developer of the SDK.

I have integrated single sign-on functionality provided by another company. Am I responsible for the data collection and tracking practices of that company?

Yes. Developers are responsible for all code included in their app, including single sign-on (SSO) functionality provided by third parties. If the user will be subject to tracking as a result of SSO functionality included in your app, you must use the app tracking transparency prompt to obtain permission from that user first.

What kind of company constitutes a data broker?

Data brokers are defined by law in some jurisdictions. In general, a data broker is a company that regularly collects and sells, licenses, or otherwise discloses to third parties the personal information of particular end-users with whom the business does not have a direct relationship.

What identifiers or data are governed by the “tracking” policy?

Any user or device level identifier that is used to join data from your app with data from third parties (including SDKs used in your app) for purposes of advertising or ad measurement or sharing with a data broker. This includes, but is not limited to, the device’s advertising identifier, session ID, fingerprint IDs, and device graph identifiers. If your app receives or shares any of these identifiers for the above listed purposes, you must use the AppTrackingTransparency framework to obtain user consent.

If tracking occurs within a webview inside an app, do I need to use the AppTrackingTransparency prompt?

Yes. If you are using a webview for app functionality, it should be treated the same way as native functionality in your app, unless you are enabling the user to navigate the open web.

What OS versions require AppTrackingTransparency permission to access the value of the IDFA?

To access the value of the IDFA for users on iOS/iPadOS version 14.5 and later, you will first need to receive permission from the user through the AppTrackingTransparency prompt. For additional guidance on tracking, please refer to App Store Review Guidelines: 5.1.1 (iv).

Can I add other permission requests in order to comply with regulations, such as ePrivacy or GDPR?

Yes, you can choose to include screens in order to comply with government regulations. However, your app must always respect the user’s response to the AppTrackingTransparency prompt, even if their response to other prompts conflicts. Guideline 5.1.1 (iv) states: “Apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access.” This includes altering a user’s AppTrackingTransparency response by only respecting their response to other permission requests. You can use third-party Consent Management Platforms to add these permission requests, as long as no tracking takes place from such use.

Additional guidance related to tracking / privacy issues

Your app has web views.

Data collected via web traffic must be declared, unless you are enabling the user to navigate the open web.

You collect and store IP address from your users.

Declare the relevant data types based on how you use IP address, such as precise location, coarse location, device ID, or diagnostics.

You offer in-app private messaging between users that are not SMS text messages.

Declare emails or text messages on your label. Text messages refer to both SMS and non-SMS messages.

Your app includes game saves, multiplayer matching, or gameplay logic.

Declare Gameplay Content on your label.

You collect different types of data from users depending on whether the user is a child, whether they are a free or paid user, whether they opt in, where they live, or for some other reason.

Please disclose all data collected from your app, unless it meets all of the criteria outlined in the Optional Disclosure section. You may use the Privacy Choices or Privacy Policy links to provide additional detail about how your data collection practices may vary.

You use Apple frameworks or services, such as MapKit, CloudKit, or App Analytics.

If you collect data about your app from Apple frameworks or services, you should indicate what data you collect and how you use it. You are not responsible for disclosing data collected by Apple.

You use location, device identifiers, and other sensitive data, but only on device, and the data is never sent to a server.

Data that is processed only on device is not “collected” and does not need to be disclosed in your answers. If you derive anything from that data and send it off device, the resulting data should be considered separately.

You collect precise location, but immediately de-identify and coarsen it before storing.

Disclose that you collect Coarse Location, since the precise location data is immediately coarsened and precise location is not stored.

Your app includes free-form text fields or voice recordings, and users can save any type of information they want through those mediums, including names and health data.

Mark “Other User Content” to represent generic free form text fields and “Audio Data” for voice recordings. You’re not responsible for disclosing all possible data that users may manually enter in the app through free-form fields or voice recordings. However, if you ask a user to input a specific data type into a text field, such as their name or email, or if you have a feature that enables users to upload a particular media type, such as photos or videos, then you’ll need to disclose the specific type of data.

You collect data to service a request but do not retain it after servicing the request.

“Collect” refers to transmitting data off the device and storing it in a readable form for longer than the time it takes you and/or your third-party partners to service the request. For example, if an authentication token or IP address is sent on a server call and not retained, or if data is sent to your servers then immediately discarded after servicing the request, you do not need to disclose this in your answers in App Store Connect.

What does this mean to you?

You may have just received an email from Apple indicating that you can’t publish your app yet due to an NSUserTrackingUsageDescription issue, or you may be about to publish your app for the first time. This thread answers two questions that naturally arise in relation to the User Tracking Usage Description (UTUD) property, which Apple requires for publishing.

If your app contains AdMob, Location Sensor, Push Notifications, or Web Viewer components then you are required to have a UTUD.

Please note: you do not need to include a permission string if your app contains a Web Viewer that only accesses a local HTML file.

How can I set a User Tracking Usage Description string in my Thunkable Project?

There are two places where you can set your Tracking Usage Description:

  1. Project Settings
  2. Publishing Wizard

What should I say in my Tracking Usage Description?

If your app does not contain AdMob, Location Sensor, Push Notifications, or a Web Viewer then you should leave the Tracking Usage Description field blank. Do not enter a string explaining that you are not tracking anything. If there is any text in this box Apple will think you are tracking your end users.

The requirements for a UTUD vary depending on what components your project uses.

If your app contains AdMob, Location Sensor, Push Notifications, or a Web Viewer then you will be required to inform your user why the app is requesting permission for user or device tracking.

AdMob

AdMob can use your end users’ location to show them relevant ads. Your end users need to consent to their location being used to show them relevant ads.

  • Example: This identifier will be used to deliver personalized ads to you.

Push Notifications

OneSignal has the option of collecting user data. You must include this information in your Tracking Usage Description.

  • Example: In-app activity is tracked to deliver relevant messaging at relevant times for the user

Web Viewer

Most websites collect or utilize some kind of user data. This includes but isn’t limited to: username, password, real name, medical issue, etc. Your end users need to consent to this data being tracked.

Note: you do not need to include a permission string if your Web Viewer only accesses a local HTML file.

  • Example: This app accesses X website. Your data may be shared with this website to facilitate functionality.

Location Sensor*

Your end user’s location is sensitive data. If you include a Location Sensor and transmit the user’s location to an external service for any purpose, you must tell your end user exactly why you need to track their location.

  • Example: This app uses your location to show you information relevant to your area.

Open Link Blocks

Most websites collect some kind of user data. Your end users need to consent to this data being tracked. It is your responsibility to identify and account for any data being tracked.

  • Example: This app opens links in browsers that in turn ask for location information or mic access to provide a better end user experience.
2 Likes
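
The request flow described under "Using the AppTrackingTransparency Framework", written out in Swift as an added example; it is not part of the original post and is not Thunkable's or Apple's own code. The `TrackingConsent` type and its method names are hypothetical; the framework calls are Apple's.

```swift
import AppTrackingTransparency
import AdSupport
import UIKit

/// Hypothetical helper for illustration; the type and method names are assumptions.
@available(iOS 14, *)
enum TrackingConsent {
    /// The value the system returns for the IDFA when tracking is not permitted.
    static let zeroIDFA = UUID(uuidString: "00000000-0000-0000-0000-000000000000")!

    /// True when Info.plist carries a non-empty purpose string (the UTUD).
    /// Requesting authorization without this key terminates the app.
    static var hasPurposeString: Bool {
        let value = Bundle.main.object(forInfoDictionaryKey: "NSUserTrackingUsageDescription") as? String
        return !(value ?? "").isEmpty
    }

    /// Returns the IDFA only when the user has granted permission.
    /// An all-zero identifier is treated the same as no identifier.
    static func advertisingIdentifier() -> UUID? {
        guard ATTrackingManager.trackingAuthorizationStatus == .authorized else { return nil }
        let idfa = ASIdentifierManager.shared().advertisingIdentifier
        return idfa == zeroIDFA ? nil : idfa
    }

    /// Presents the system prompt if the user has not answered yet, then reports
    /// the IDFA (or nil). Call this once the app is active and on screen.
    static func request(completion: @escaping (UUID?) -> Void) {
        guard hasPurposeString else { completion(nil); return }
        switch ATTrackingManager.trackingAuthorizationStatus {
        case .notDetermined:
            ATTrackingManager.requestTrackingAuthorization { _ in
                // The handler may run off the main thread; hop back before touching UI.
                DispatchQueue.main.async { completion(advertisingIdentifier()) }
            }
        case .authorized, .denied, .restricted:
            // Already answered (or restricted by the device): never re-prompt,
            // never substitute another identifier.
            completion(advertisingIdentifier())
        @unknown default:
            completion(nil)
        }
    }

    /// Shortcut to this app's page in Settings, for a user who turned tracking
    /// off for the app and wants to change that preference.
    static func openSettings() {
        guard let url = URL(string: UIApplication.openSettingsURLString) else { return }
        UIApplication.shared.open(url)
    }
}
```

Any code path that reads the IDFA should go through `advertisingIdentifier()` so that a `nil` result disables ad targeting and measurement instead of falling back to a hashed email, fingerprint, or other identifier.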