User Privacy and Data Use

The App Store is designed to be a safe and trusted place for users to discover apps created by talented developers around the world. Apps on the App Store are held to a high standard for privacy, security, and content because nothing is more important than maintaining users’ trust. Later this year, you’ll be required to provide information about some of your app’s data collection practices on your product page. And with iOS 14, iPadOS 14, and tvOS 14, you will need to ask users for their permission to track them across apps and websites owned by other companies.

Describing How Your App Uses Data

Later this year, the App Store will help users understand an app’s privacy practices before they download the app. On each app’s product page, users will be able to learn about some of the data types an app may collect, and whether the information is used to track them or is linked to their identity or device.

You will soon be required to provide information about your privacy practices in App Store Connect. If you use third-party code — such as advertising or analytics SDKs — you’ll also need to describe what data the third-party code collects, how the data may be used, and whether the data is used to track users.


Asking Permission to Track

With iOS 14, iPadOS 14, and tvOS 14, you will need to receive the user’s permission through the AppTrackingTransparency framework to track them or access their device’s advertising identifier. Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.

Examples of tracking include, but are not limited to:

  • Displaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies.
  • Sharing device location data or email lists with a data broker.
  • Sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to retarget those users in other developers’ apps or to find similar users.
  • Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using an analytics SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.

The following use cases are not considered tracking, and do not require user permission through the AppTrackingTransparency framework:

  • When user or device data from your app is linked to third-party data solely on the user’s device and is not sent off the device in a way that can identify the user or device.
  • When the data broker with whom you share data uses the data solely for fraud detection, fraud prevention, or security purposes, and solely on your behalf. For example, using a data broker solely to prevent credit card fraud.

Using the AppTrackingTransparency Framework

To request permission to track the user and access the device’s advertising identifier, use the AppTrackingTransparency framework. You must also include a purpose string in the system prompt that explains why you’d like to track the user. Unless you receive permission from the user to enable tracking, the device’s advertising identifier value will be all zeros and you may not track them as described above.
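The request flow described above, as an added example (not Apple's sample code). The helper names `requestTrackingPermission` and `advertisingIdentifierIfAllowed` are hypothetical, and the app's Info.plist is assumed to contain the purpose string under `NSUserTrackingUsageDescription`.

```swift
import AppTrackingTransparency
import AdSupport
import Foundation

// Added example: helper names are hypothetical. Assumes Info.plist carries
// NSUserTrackingUsageDescription, the purpose string shown in the system prompt.

/// The all-zeros value the advertising identifier takes without permission.
let zeroIDFA = UUID(uuidString: "00000000-0000-0000-0000-000000000000")!

/// Returns the IDFA only when the user has authorized tracking, otherwise nil.
@available(iOS 14, tvOS 14, *)
func advertisingIdentifierIfAllowed() -> UUID? {
    guard ATTrackingManager.trackingAuthorizationStatus == .authorized else {
        return nil
    }
    let idfa = ASIdentifierManager.shared().advertisingIdentifier
    // Treat an all-zeros identifier as "no identifier" rather than a real ID.
    return idfa == zeroIDFA ? nil : idfa
}

/// Asks for permission only when the user has not decided yet, then reports
/// the identifier (or nil) so callers never track on a denied/restricted status.
@available(iOS 14, tvOS 14, *)
func requestTrackingPermission(completion: @escaping (UUID?) -> Void) {
    switch ATTrackingManager.trackingAuthorizationStatus {
    case .notDetermined:
        // The system prompt is shown only while the status is notDetermined.
        ATTrackingManager.requestTrackingAuthorization { status in
            // Hop to the main queue before touching UI or app state.
            DispatchQueue.main.async {
                completion(status == .authorized ? advertisingIdentifierIfAllowed() : nil)
            }
        }
    case .authorized:
        completion(advertisingIdentifierIfAllowed())
    case .denied, .restricted:
        completion(nil)   // No tracking and no substitute identifier.
    @unknown default:
        completion(nil)   // Fail closed on statuses added in later OS versions.
    }
}
```

Any code path that shares data for tracking, including calls into third-party SDKs, should be reached only when this returns a non-nil identifier.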

The ID for Vendors (IDFV) may be used for analytics across apps from the same content provider. The IDFV may not be combined with other data to track a user across apps and websites owned by other companies unless you have been granted permission to track by the user.

For more information, see:

  • App Tracking Transparency
  • Human Interface Guidelines
  • AdSupport Framework

Frequently Asked Questions

Can I gate functionality on agreeing to allow tracking, or incentivize users to agree to allow tracking in the app tracking transparency prompt?

No, per the App Store Review Guidelines: 3.2.2 (vi).

Can I explain to users why I would like permission to track them before I show the tracking permission prompt?

Yes, so long as you are transparent to users about your use of the data in your explanation. Per the App Store Review Guidelines: 5.1.1 (iv), apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access.

If I have not received permission from a user via the tracking permission prompt, can I use an identifier other than the IDFA (for example, a hashed email address or hashed phone number) to track that user?

No. You will need to receive the user’s permission through the AppTrackingTransparency framework to track that user.

If a user provides permission for tracking via a separate process on our website, but declines permission in the app tracking transparency prompt, can I track that user across apps and websites owned by other companies?

Developers must get permission via the app tracking transparency prompt for data collected in the app and used for tracking. Data collected separately, outside of the app and not related to the app, is not in scope.

Can I fingerprint or use signals from the device to try to identify the device or a user?

No. Per the Developer Program License Agreement, you may not derive data from a device for the purpose of uniquely identifying it.

I have integrated an SDK from another company. Am I responsible for the data collection and tracking of users of my app by that company?

Yes. Developers are responsible for all code included in their apps. If you are unsure about the data collection and tracking practices of code used in your app that you didn’t write, we suggest contacting the developer of the SDK.

I have integrated single sign-on functionality provided by another company. Am I responsible for the data collection and tracking practices of that company?

Yes. Developers are responsible for all code included in their app, including single sign-on (SSO) functionality provided by third parties. If the user will be subject to tracking as a result of SSO functionality included in your app, you must use the app tracking transparency prompt to obtain permission from that user first.

What kind of company constitutes a data broker?

Data brokers are defined by law in some jurisdictions. In general, a data broker is a company that regularly collects and sells, licenses, or otherwise discloses to third parties the personal information of particular end-users with whom the business does not have a direct relationship.

Attributing App Installations

SKAdNetwork allows registered advertising networks to attribute app installations to a particular campaign by receiving a signed signal from Apple. This enables them to verify how many installations occurred from an advertisement and measure which campaigns are most effective while maintaining user privacy.

Beginning this fall, advertising networks using SKAdNetwork will have access to Source App information, which identifies the specific app from which an installation occurred. This allows advertising networks who run advertisements on apps they don’t own to identify which app should be credited with initiating the download. SKAdNetwork will also identify re-downloads, which helps advertising networks measure the success of re-engagement campaigns. If you’re an advertising network and would like to use SKAdNetwork for managing advertising attribution, contact us.

Learn more about using SKAdNetwork