Introducing Apple Privacy Manifest Generator: Automate privacy report to expedite App Store approval
As of May 1st, 2024, Apple is enforcing all requirements for its new privacy manifest reports that must be submitted with new apps or app updates.
At Privado, we’re excited to announce a new feature that automates these new reports to meet all of Apple’s requirements.
With our Apple Privacy Manifest generator, app developers and product teams can complete reports accurately in a matter of minutes, saving an enormous amount of time and avoiding costly App Store rejections.
Privacy manifest reports must be submitted for any app using a third party SDK (software development kit) on this list from Apple or using any other third party SDK that collects any personal data.
Instead of having developers manually review how each third party SDK is implemented or waiting for third parties complete questionnaires, Privado automatically populates reports by scanning all code and SDKs within an app.
Each time an app update is submitted to the App Store, Privado can run a scan and automatically update the privacy manifest report to ensure it is up-to-date.
The privacy manifests and data maps generated by Privado can also help app developers quickly update the Privacy Nutrition Labels already required by Apple. Starting in 2020, Apple began requiring app developers to submit a form that transparently shows users in the App Store what personal data is collected and what it is used for.
With Privado’s existing automated Google Play data safety report, app developers can now seamlessly generate privacy reports to expedite approval for both Apple and Google app stores.
The new Apple Privacy Manifest requirements
Apple began notifying apps that were not in compliance with the privacy manifest requirements on March 13, 2024 and began rejecting non-compliant apps on May 1, 2024.
These requirements apply to any type of app submitted to the Apple App Store: mobile, iPad, Apple TV, Apple Watch, and VR.
The purpose of the privacy manifest is to notify Apple of all the personal data that apps are sending to third parties to ensure apps are in line with Apple’s privacy policies and what is communicated to app users. Each app’s privacy manifest must include the following information:
- All personal data elements shared with third parties and the reason for sharing
- All third parties receiving personal data via SDK or API
- The types of “required reason APIs” used and the reason for usage
Apple requires apps to disclose use of sensitive “required reason APIs” that have the potential of being misused to access device signals and identify the device or user, also known as fingerprinting.
Privacy manifests can be created for each third party SDK in an app or as one master report for the app.
To complete privacy manifests for each app, developers typically spend hours manually reviewing how each third party SDK is implemented. The third party SDK code and/or documentation is often unclear, causing developers to spend even more time requesting the information from the third parties themselves.
Even after this arduous process, the app could be rejected if the manifest is not filled out correctly, causing a significant delay to an app launch or update. Additionally, the reason for Apple’s rejection may not be clear from their notice, and the developer team will have to spend even more time redoing the manifest.
How Privado automates Apple Privacy Manifests
Builds full lifecycle personal data maps
Privado’s core privacy code scanning technology builds comprehensive data maps that power the privacy manifest generator and rest of Privado’s data visibility and privacy governance capabilities.
Privado maps how all personal data is collected, used, shared, and stored by scanning a company’s entire codebase. For companies with large software engineering teams, their internal codebase contains the logic for how personal data is moved in and out of their websites, user-facing applications, and backend systems.
Autopopulates privacy manifest report
Privado has built a templated report that autopopulates the required privacy manifest information. The app owner only has to validate the information and check boxes indicating the reason for personal data and API usage.
With the click of a button, Privado autopopulates the following information:
- Whether the app uses data for tracking (yes or no)
- The domains used for tracking
- All personal data elements shared with third parties, including data category (e.g., financial, online identifiers, etc.) and Apple data type (e.g., payment info, device ID, etc.)
- All third parties receiving personal data via SDK or APIs; app owners don’t have to waste time figuring out which SDKs need to be included
- The types of APIs used that Apple requires a reason for (e.g., user default API)
For example, see screenshots below showing the personal data elements, third parties, and required reason APIs automatically identified for a sample open-source mobile application
Links responses to code for quick validation
All autopopulated responses in the report are linked to each instance in the app’s codebase that generated the response. For example, if Privado finds four instances where email address is shared with a third party, the app owner can click into that finding and immediately validate all four times the code is directing email address to be shared. This feature saves teams a lot of time from having to manually review code and/or ask third party vendors for this information.
The screenshot below shows an example where email address is being shared with Facebook, Google Analytics, Amplitude, and Mixpanel.
If the app owner wants to investigate further, each code snippet finding is linked to the exact code in their GitHub account, where the app’s entire codebase lives.
Additionally, if more than one person needs to review the privacy manifest report, the report’s link can easily be shared and worked on at the same time.
Exports complete manifest files ready for submission
Once the report is reviewed and the boxes are checked indicating the reason for personal data and API usage, Privado exports one comprehensive privacy manifest file that can be submitted for the entire app. The app owner simply needs to place that file in the app’s codebase as directed by Apple, and the process is done.
Next time the app is updated and needs to be reviewed again by the App Store, the app owner can simply refresh the privacy manifest report in Privado, review, and export. Privado automatically runs a code scan each time an app’s code is updated, and any changes to data flows will automatically update data maps and reports in Privado.
Start automating privacy manifest reports
Start automating privacy manifest reports to save hours of valuable developer time and minimize costly App Store rejections. For more information on how to start using the Apple Privacy Manifest Generator, reach out to your customer success manager.
Ben leads product marketing at Privado