Apple updates Privacy website alongside App Store 'nutrition labels'

article thumbnail

Apple has updated its privacy-related pages on its website, with the changes this time focusing on the App Store's new privacy nutrition labels, notifications advising of the kind of user data the app may consume or share.

Apple periodically updates its privacy policy to highlight new additions or to provide more transparency. For example, in November 2019 this took the form of a site design that covered hot-button topics like device tracking and message interception, as well as white papers going into deeper technical details for important elements.

For December 2020, the privacy changes are more muted but arguably more important to end users, as it centers around a new element of the App Store experience. On December 8, Apple started to require developers to advise of the different types of data collected by apps, and what the data is used for.

Now, Apple is making the results of those extra questions available for consumers to see via the privacy information section of the App Store listing for the app.

Monday's updates reflect those changes.

Privacy site

Apple has offered a privacy homepage for quite some time, promoting to consumers how it tries to uphold privacy within its apps and services in various ways. In the current iteration, the page gives per-service assurance on important consumer topics, such as how Apple doesn't store, sell, or use data points such as where a consumer uses Apple Pay, what they bought, or how much was paid to a retailer.

Earmarked with a "New" tag, an additional section for the App Store explains the changes "shows you what's in store for your data," referring to the additional "easy-to-read summaries" on app store listings.

"Every one of the more than 1.8 million apps on the App Store is required to follow strict privacy guidelines and report how it uses your data," the section reads, adding that each app is "rigorously reviewed" by its reviewing team. Now, users checking an app will see a summary of privacy practices that the app undertakes, "to help you decide if it works for you."

The section goes on to point out that apps being downloaded "need your permission to access information like your photos or location - and you can always change your mind about what you share."

The labels will largely consist of items in three sections, defining "Data used to track you," "Data linked to you," and "Data not linked to you," with each covering data tied to a user's identity, data that is generated and monitored but not in a way that is user-identifiable, and data used to actively track the user in some way. Under each are indicators advising of the type of data that is being shared, such as contact details, the user's location, financial information, purchases, and browsing history.

Apple also gives customers a heads-up about a feature arriving "in early 2021" for iOS 14 and iPadOS 14, which will require developers to gain permission "before tracking your activity across other companies' apps and websites for ads or data brokers."

Features

Under the Features section of the site, headlined "We're committed to protecting your data," Apple has also made alterations to the different subsections of the page, on an app-by-app basis.

For Safari, Apple references the Privacy Report, which shows all the cross-site trackers being blocked by the browser's Intelligent Tracking Protection. Password monitoring is where Safari actively checks to see if saved Keychain passwords have been compromised in data breaches, with checks performed using "secure and private cryptographic techniques," and users informed if the password was compromised, without the password being revealed to Apple at all.

Safari's Extension Controls also get a mention, bringing up how they can be used to track the user's online habits. Apple suggests users can grant extensions access to information "Just Once," "Just for this website," or "Always."

Under Photos, Apple brings up that other apps can request access to photos, but users can choose which images are shared rather than providing full access to the library. Apps are also able to add images without being able to see what else is in the library.

For the Health section, Apple includes details about Exposure Notifications, an element of its COVID-19 response. A brief explanation of how "random Bluetooth identifiers" are rotated every 10 to 20 minutes is included, as well as informing it can be manually turned on and off by the user.

"The system does not collect your device location, and people who report themselves as positive are not identified by the system to other users or to Apple," the section concludes.

Location Services has an addition for "Approximate location," where users can elect to tell an app where they are to "within an area of about 10 square miles" instead of their exact position. Apple suggests this will help keep a user's location private in cases where apps offer location-based services, but not with a need for high levels of precision, such as local weather reports.

The text for Sign In with Apple mentions developers can now offer users the ability to upgrade existing app accounts to use the secure sign-in service instead of other systems. Users will be able to use Face ID and Touch ID for two-factor authentication on signing in, and won't have to set up an entirely new account to do so.

For the App Store, the section mentions the new privacy information section, as well as the inbound app tracking feature, and App Clips. When users use App Clips, the app can only ask for a limited set of data, and requires the same consent as a full app for access to items such as location or the camera.

App Clips also "aren't allowed to ask your permission to track you across other companies' apps and websites - only full apps can do that."

Control

The Control page, which covers how a user can manage what data is being shared on their devices, only has one major change, under the section titled "Learn about privacy settings and controls."

The element is about the privacy information section in the App Store, where developers offer "self-reported summaries of some of their privacy practices in a simple, easy-to-read format." There is also a link to a further section that teaches about privacy information on the App Store.

Privacy policy

Along with the main easier-to-understand consumer site, Apple also made changes to its privacy policy to reflect the changes. However, probably the biggest change is structural, to make the entire document much easier to read for newcomers.

At the top is the same description of what the privacy policy is for, as well as links relating to California privacy disclosures, commercial electronic message information in Canada, and the Apple Health Research Apps privacy policy. New here is a link for visitors to download their own local copy of the privacy policy.

The structural changes start after this section, with Apple framing it into easy to understand chunks covering "What is Personal Data at Apple?", "Your Privacy Rights at Apple," "Personal Data Apple Collects from You," "Personal Data Apple Receives from Other Sources," "Apple's Use of Personal Data," "Apple's Sharing of Personal Data," "Protection of Personal Data at Apple," "Children and Personal Data," "Cookies and Other Technologies," the "Transfer of Personal Data Between Countries," "Our Companywide Commitment to Your Privacy," and "Privacy Questions."

Apple then uses plain language to explain its stance for each portion, in what could be considered a bid to be as transparent as possible. Furthermore, the effort to simplify the policy also goes as far as to directly categorize and list the types of data that Apple could collect and use about a user, including how it can be used by the company.

There's also breakdowns on the kinds of data required to perform general actions, such as how it needs to know information to process a transaction, or to "Comply with Law."

Towards the bottom of the document is the "Privacy Questions" section, where it encourages concerned users to contact the company's Data Protection Officer via a web form, or to contact their local Apple Support number.

Third-party pushback

The latest version of its privacy pages is a continuation of the company's efforts to try and keep the privacy of users intact as far as possible. However, as you might expect, Apple has received quite a lot of criticism about its latest efforts.

The most recent pushback Apple's had cover its main two additions, namely the privacy information details and its upcoming tracking-protection features.

For the former, the Facebook-owned WhatsApp has called the privacy label unfair, as it claims Apple's own Messages app doesn't require the same information since it is preinstalled on iPhones by default. "We believe it's important people can compare these 'privacy nutrition' labels from apps they download with apps that come pre-installed, like iMessage," a spokesperson claimed.

Furthermore, the app's developers feel Apple's template doesn't go far enough, and wants to enable apps to offer an explanation about how the data is being used or protected. It is thought that this information about security and privacy features of the app may be lost without being seen by the user, due to the use of overly-broad labels.

Facebook has also warned that the ad-tracking limitations of iOS 14 may affect the company's revenue, as it anticipates many users to refuse to allow the tracking to occur. It was suggested the feature may make it harder for app developers to "grow using ads on Facebook and elsewhere" because of its implementation.

Apple intends to expel apps from the App Store that do not abide by the ad tracking measures.

Advertisers in Europe have cried out about the anti-tracking system, declaring in July that Apple was ignoring the GDPR, strong data protection rules that already apply to the continent. The marketer's argument was that users had to be effectively asked for permission to track twice, increasing the chance users will say no.

In November, a European privacy advocate filed legal complaints in Spain and Germany against Apple over the ad-tracking plans, attacking Apple's IDFA, an Identifier for Advertisers that the complaint claims could be used to track a person without their permission. Apple has responded by calling the claims "factually inaccurate," and that it complies with all European privacy laws.