What Apple's new privacy 'nutrition' labels say about some of the biggest apps
Apple has launched its "mandatory" privacy labels for apps in the App Store, and while what it tells users about apps like Facebook is eye-opening, other big developers seem to think that the disclosure is optional.
With the release of iOS 14.3, Apple has brought out its promised privacy guidance on the App Store. The so-called "nutrition labels" are more prominent than was expected, and Apple is not giving the free ride it seemed to developers who flout the requirement.
The privacy label is still quite buried in an app's listings, though. It comes as a series of large card-like images, but they come after the app's title, new category details, a What's New description, previews or screenshots, a more general app description, and the Ratings & Reviews.
It remains true, too, that developers have not been forced to update their apps with this information. Apple had imposed a deadline of December 8, but shortly before then also told developers their existing apps would not be removed if they failed to provide the privacy details.
Consequently, searching through the App Store does show many prominent apps that have not complied. Where a developer has not provided information for this privacy label, Apple displays a label saying that they haven't.
When apps don't have privacy information
Apple has provided developers with documentation that specifies what details they must provide, and what they do not. Broadly speaking, if an app collects any data from a user and then uses it outside the app in any way, or for any company, that must be disclosed.
Developers have to fill out an online form with approximately 34 separate sections covering typical handling of user data. Some of these are very specific, such as those concerning health details, while others are broader, such as apps that track the taps or clicks a user makes in their app.
Major apps that lack privacy labels
In a random sample taken at time of writing, the apps that had not complied do include some surprisingly prominent ones.
Then of the medium-sized developers, 1Password, the secure password manager, has yet to update its information.
It is early days, but then it is also after Apple's original deadline. So we can expect most developers to provide the information, but presumably now not until they want to update their apps.
We're less concerned about the missed deadline from the independent developers than we are about Google, Amazon, and other big developers seemingly blowing this off.
When apps do have privacy information
Many of the randomly sampled titles did include new privacy details, and that includes major companies such as Microsoft.
Apple shows the detail it gets to users through a variety of labels. These range from one label with few details, through to two separate labels with much more.
Probably the most common situation is where few details are needed to be shown. For instance, To Do app OmniFocus gets a label headed Data Linked to You.
Within that, there is only the information that Purchases and Identifiers "may be collected and linked to your identity."
Tap on this, or any other privacy label, and you get the detail of what the developer has told Apple about what it does. It's not much more detail than in the main label, but there isn't always that much more to say.
The Data Linked to You section for the Fantastical calendar app, for instance, includes an entry labelled Diagnostics. Tapping to read the full description just explains that Crash Data is collected.
Privacy labels for Facebook and Whatsapp
All apps are now supposed to provide some information, and their details will vary across every possible use of a user's data. So far there appear to be three different types of "nutrition label."
As well as Data Linked to You, some apps contain a section called Data Not Linked to You. Fantastical, for instance, has location data in this category, but its use does not identify you.
There is also Data Used to Track You, and not surprisingly, social media apps such as Facebook get this one. Facebook lists that it uses your contact information, identities and "other data" to track you.
When you tap to learn more, you are informed that, "identities" means your User ID and device ID. But the extra detail about the "Other Data" element reads, in total, "Other Data Types."
Interestingly, Whatsapp has only the Linked to You label, with entries to do with your user content, and your location. Whatsapp has previously complained that Apple's broad labelling will mean it gets lumped in with apps that might be more invasive.
However, one element of the privacy details that Whatsapp has had to list concerns location. While it's true that any app using your location may have to list that fact, the extra detail for Whatsapp does qualify it. Whatsapp uses only your "coarse location."
Benefits and limitations of privacy labels
Perhaps the single best impact of the new labels will be in how their very existence educates us all to be mindful of our privacy. You don't have to even see the privacy notice before you buy an app, though, so it's a particularly strong barrier against apps which do more than you might want.
That's chiefly down to how buried the privacy label is, typically coming after six other sections in the App Store listings.
However, the information is still rather vague. A developer may very well provide much more explanation on their own site, though.
Yet that is also an issue. We and, quite possibly Apple, have to go by what the developer has said and there's no obvious way to verify that information.
Hopefully Apple's teams have systems for ensuring that the data is accurate before they allow an app or an update on to the App Store.
Nonetheless, there is more to the "nutrition label" idea than it had seemed there was going to be. Plus if the information is not detailed, its presence will help you if you're concerned about an app.
And if nothing else, it will make us more aware that we should be concerned.