Apple has launched its "mandatory" privacy labels for apps in the App Store, and while what it tells users about apps like Facebook is eye-opening, other big developers seem to think that the disclosure is optional.
With the release of iOS 14.3, Apple has brought out its promised privacy guidance on the App Store. The so-called "nutrition labels" are more prominent than was expected, and Apple is not giving developers who flout the requirement the free ride it had seemed it would.
The privacy label is still quite buried in an app's listing, though. It comes as a series of large card-like images, but they come after the app's title, new category details, a What's New description, previews or screenshots, a more general app description, and the Ratings & Reviews.
It remains true, too, that developers have not been forced to update their apps with this information. Apple had imposed a deadline of December 8, but shortly before then also told developers their existing apps would not be removed if they failed to provide the privacy details.
Consequently, searching through the App Store does show many prominent apps that have not complied. Where a developer has not provided information for this privacy label, Apple displays a label saying that they haven't.
When apps don't have privacy information
Apps that do not have a full "nutrition label" do still retain their link to the developer's privacy policy. But they also gain this label which says they haven't complied — and that they will have to before any further updates will be accepted.
Apple has provided developers with documentation that specifies what details they must provide, and what they do not. Broadly speaking, if an app collects any data from a user and then uses it outside the app in any way, or for any company, that must be disclosed.
Developers have to fill out an online form with approximately 34 separate sections covering typical handling of user data. Some of these are very specific, such as those concerning health details, while others are broader, such as apps that track the taps or clicks a user makes in their app.
Major apps that lack privacy labels
In a random sample taken at time of writing, the apps that had not complied do include some surprisingly prominent ones.
Of the very largest developers, Google appears to have completely failed to provide any privacy labels. There are none displayed on Gmail, Google Maps, or the main Google search app.
There also isn't any privacy detail in Google-owned YouTube's main or Kids apps. Similarly, Amazon has not entered information for its main shopping app, Kindle, or Audible audiobooks apps.
Then of the medium-sized developers, 1Password, the secure password manager, has yet to update its information.
Even Disney+ and Endel, two of Apple's best apps of 2020, have not complied.
It is early days, but then it is also after Apple's original deadline. So we can expect most developers to provide the information, but presumably now not until they want to update their apps.
We're less concerned about the missed deadline from the independent developers than we are about Google, Amazon, and other big developers seemingly blowing this off.
When apps do have privacy information
Many of the randomly sampled titles did include new privacy details, and that includes major companies such as Microsoft.
Apple shows the detail it gets to users through a variety of labels. These range from one label with few details, through to two separate labels with much more.
Probably the most common situation is where few details need to be shown. For instance, To Do app OmniFocus gets a label headed Data Linked to You.
Within that, there is only the information that Purchases and Identifiers "may be collected and linked to your identity."
Tap on this, or any other privacy label, and you get the detail of what the developer has told Apple about what it does. It's not much more detail than in the main label, but there isn't always that much more to say.
The Data Linked to You section for the Fantastical calendar app, for instance, includes an entry labelled Diagnostics. Tapping to read the full description just explains that Crash Data is collected.
Privacy labels for Facebook and WhatsApp
All apps are now supposed to provide some information, and their details will vary across every possible use of a user's data. So far there appear to be three different types of "nutrition label."
As well as Data Linked to You, some apps contain a section called Data Not Linked to You. Fantastical, for instance, has location data in this category, but its use does not identify you.
There is also Data Used to Track You, and not surprisingly, social media apps such as Facebook get this one. Facebook lists that it uses your contact information, identities and "other data" to track you.
When you tap to learn more, you are informed that "identities" means your User ID and device ID. But the extra detail about the "Other Data" element reads, in total, "Other Data Types."
Interestingly, WhatsApp has only the Linked to You label, with entries to do with your user content, and your location. WhatsApp has previously complained that Apple's broad labelling will mean it gets lumped in with apps that might be more invasive.
However, one element of the privacy details that WhatsApp has had to list concerns location. While it's true that any app using your location may have to list that fact, the extra detail for WhatsApp does qualify it. WhatsApp uses only your "coarse location."
Benefits and limitations of privacy labels
Perhaps the single best impact of the new labels will be in how their very existence educates us all to be mindful of our privacy. You don't have to even see the privacy notice before you buy an app, though, so it's not a particularly strong barrier against apps which do more than you might want.
That's chiefly down to how buried the privacy label is, typically coming after six other sections in the App Store listings.
However, the information is still rather vague. A developer may very well provide much more explanation on their own site, though.
Yet that is also an issue. We, and quite possibly Apple, have to go by what the developer has said, and there's no obvious way to verify that information.
Hopefully Apple's teams have systems for ensuring that the data is accurate before they allow an app or an update on to the App Store.
Nonetheless, there is more to the "nutrition label" idea than it had seemed there was going to be. Plus, even if the information is not detailed, its presence will help you if you're concerned about an app.
And if nothing else, it will make us more aware that we should be concerned.
14 Comments
This article is misleading. Developers are not required to disclose this information until the next time they submit a new app or app update after December 14. Therefore, there is nothing to "comply with" until the developer submits a new app or app update. Gmail has not been updated in 2 weeks, and therefore Google cannot be categorized as "ignoring" or having to "comply with" the requirement.
Also, the article makes it sound like WhatsApp is hiding something by stating only that it collects "Other Data Types," however, the labels and descriptions are not chosen by the developer. There is no option to enter custom information.
Just doing a cursory browse of some of the "sensitive" titles on the App Store (social media apps, "secure" chat and dating apps, etc.) and have already found an app which claims to collect no details (thus earning the big blue tick from Apple) - yet if you click through to their privacy policy for the app it clearly states that they do collect data, and a lot of it.
So what vetting process are Apple actually applying here?
Late in Q4 is a really bad time to drive a compliance campaign. Most businesses of any size are totally focussed on operations till January. Poor timing imho.