In June, Apple announced new SDK privacy controls that will be part of iOS 17. As iOS 17 is nearing public release, we wanted to provide a quick overview of these controls and what they mean for companies within the App Store.
Overview of Controls:
Privacy Manifests and Signatures. Starting in iOS 17, SDK developers can include a “privacy manifest” file within their SDKs. This privacy manifest will outline the data practices for the SDK. For example, the privacy manifest will describe the types of data collected through the SDK and the purposes of the collection. In addition, SDK developers can include a “signature” within their SDKs to validate that this version of the SDK came from the SDK developer. The purpose of the privacy manifest is to allow app developers to understand the data practices of any SDKs they incorporate into their apps, and ensure those practices align with the app developers’ expectations. In addition, app developers can create reports through Xcode that aggregate the privacy manifests of all SDKs within an app, and help build privacy nutrition labels for the App Store based on those reports.
Privacy-Impacting SDKs. At least initially, privacy manifests and signatures will be optional (although highly suggested) for most SDKs. However, Apple intends to publish a list of SDKs where the SDK developer will be required to include a privacy manifest and signature. We expect these “Privacy-impacting SDKs” to include SDKs from Meta, Google, and other well-known SDK developers.
Required Reason APIs. iOS allows app developers to receive certain data through Apple APIs. Some of these APIs have been used for device fingerprinting, which is a practice expressly prohibited by Apple’s terms. To limit this practice, Apple intends to require app developers to select an “allowed reason” for using data received through certain of these APIs.
Tracking Domains. Apple is providing new tools to help app developers detect unexpected tracking domains within SDKs. In addition, if a user has not consented to tracking within an app, iOS 17 will now automatically block domains listed as tracking domains in any privacy manifests for SDKs within the app.
Takeaways:
Positive Changes. Unlike prior years, we expect most companies will welcome these new privacy controls. These controls should help both app developers and SDK developers improve transparency and security, and ensure compliance with their respective legal obligations. App developers may be held responsible for the data practices of SDKs within their apps.
Aligned with Regulation. These new privacy controls are clearly a response to the recent wave of regulatory scrutiny around SDKs. In the past year, we’ve seen significant regulatory scrutiny from the FTC and other regulatory bodies relating to SDKs (and often sensitive data).
Still Uncertainty. There is still a lot we don’t know about how these tools will be implemented and enforced by Apple. Apple has indicated it will start checking privacy manifests in Fall 2023, and expects privacy manifests and signatures to become part of the App Store review in Spring 2023. We hope to see an FAQ from Apple prior to public release of iOS 17.
Next Steps. In accordance with Apple’s recommendations, app developers should begin requesting SDK privacy manifests and signatures, while SDK developers should start adopting privacy manifests and signatures. We also suggest app developers and SDK developers use these tools to conduct due diligence and document internal processes regarding SDK approval and configurations.