Apple already requires a privacy policy for apps that access personal information, including apps that offer subscriptions, accept Apple Pay, or use Apple frameworks such as HomeKit, HealthKit, or CareKit. Now, the requirement will extend to all apps, including basic ones that do not share data in any way.
It does not appear that existing apps on the App Store will be affected by this move until they are updated on October 3 or later, so long-outdated apps may remain without a privacy policy if they are no longer maintained.
Apple detailed the upcoming changes in the News section of its App Store Connect portal for developers on Thursday:
Starting October 3, 2018, App Store Connect will require a privacy policy for all new apps and app updates in order to be submitted for distribution on the App Store or through TestFlight external testing. In addition, your app’s privacy policy link or text will only be editable when you submit a new version of your app.
To add or edit your privacy policy for the App Store:
1. Go to My Apps in App Store Connect, and click on your app.
2. Under App Store, click on App Information.
3. In the top right corner, add your privacy policy link for iOS apps or macOS apps, or enter text directly for tvOS apps.
4. Click Save.To add your privacy policy link to your app for external TestFlight distribution:
1. Go to My Apps in App Store Connect, and click on your app.
2. Under TestFlight, click Test Information.
3. Add your privacy policy link for iOS apps, or enter text directly for tvOS apps.
4. Click Save.
Apple elaborates on its privacy policy requirements in its App Store Review Guidelines, under Section 5.1.1:
Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:
– Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.
– Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) — such as analytics tools, advertising networks and third party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data — will provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines.
– Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data.
App Store Connect has long provided a privacy policy metadata field for developers to submit a link to their privacy policy webpage for iOS apps. On the Apple TV, there is no web browser, so App Store Connect has a text box for developers to past the full text of their privacy policy displayed in app.