Please help me clarify the current situation regarding the necessity of a privacy manifest file in 3rd party SDKs. It would be nice to have a reply from someone working at Apple, to have a reliable answer. A quick summery of the events from last year https://developer.apple.com/support/third-party-SDK-requirements/ : "Starting in spring 2024, you must include the privacy manifest for any SDK listed below when you submit new apps in App Store Connect that include those SDKs, or when you submit an app update that adds one of the listed SDKs as part of the update." Last autumn, we started receiving warning emails from Apple after initiating app reviews, even when our apps did not have a newly added SDK: ITMS-91061: Missing privacy manifest - Starting November 12, 2024, if a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. According to this warning message, app updates which do not contain any new SDKs are still not affected. Since then, at one point in time the deadline changed, as now we have February 12, 2025 in the privacy manifest documentation: https://developer.apple.com/documentation/bundleresources/adding-a-privacy-manifest-to-your-app-or-third-party-sdk However, this page does not contain any mention of the circumstances, it only states in general that apps you submit for review in App Store Connect must contain a valid privacy manifest file for a certain number of commonly used third-party SDKs. My questions Does the February deadline apply to every app update, even if they do not contain any newly added SDKs? Or does it still affect only the app updates "that adds one of the listed SDKs as part of the update." ? If the former, the 3rd party requirements page should be updated in my opinion. And if the latter, why does the documentation not contain this important piece of information? We have a basic product which then gets customised for the clients so we upload several different apps based on the same code with the same dependencies. How is it possible that during autumn, Apple sent ITMS-91061: Missing privacy manifest warnings for some of our apps, but did not send it for others? Does Apple not validate all the apps but only some of them randomly? Also, the warning still states that it should be relevant if "an app update adds a new privacy-impacting SDK", but that was not the case for us, we did not add anything newly to our apps - why did we even get these warnings then? Just in general: when the deadlines change, is there any channel where Apple communicates these, besides the warning emails? I did not see any posts on the Apple Developer site's News page about this February date, I just found it by accident. I don't even remember seeing a notice about the original November deadline, we just started receiving the email warnings without expecting them. Thank you in advance for anyone sharing an answer.

Please help me understand the phrasing from Apple's articles about this topic. Of course, I am referring to the SDKs from the official list, as only those are affected by the new regulations. 1, https://developer.apple.com/support/third-party-SDK-requirements/ Starting in spring 2024, you must include the privacy manifest for any SDK listed below when you submit new apps in App Store Connect that include those SDKs, or when you submit an app update that adds one of the listed SDKs as part of the update. That states 2 cases in which fresh SDK versions are needed, containing privacy information: If you submit a completely new app If your app update contains a framework which was not present in the previous version of the app So, according to my understanding, if I create an app update, which does not contain any new SDKs, only the ones that I have been using for a while now, I can keep using these older SKD versions. And it is not mandatory to update them to newer versions. Does Apple state anywhere that we have to update every SDK from the list this spring in every case? Because that would contradict what I quoted from the article. 2, https://developer.apple.com/news/?id=3d8a9yyh And if you add a new third-party SDK that’s on the list of commonly used third-party SDKs, these API, privacy manifest, and signature requirements will apply to that SDK. Again, this states that you have to use a fresh version of an SDK in case you add it newly to your app. This seems to reinforce my point that if a 3rd party SDK was already used in previous app versions, the new requirements do not apply to that SDK and I can keep using its older release which does not have its own privacy manifest file. My main concern here is that there are many 3rd party SDKs from the list that we already use in our projects, and it would be a huge effort if my team had to update all those SDKs in every project by May. But if I'm right, it is not mandatory for us. (Of course, it would be wise to update the SDKs every now and then, but that's not the point here.) Can anybody confirm whether my understanding is correct? Maybe link some proof if I'm not right? It would be nice to have a reply from someone working at Apple, to have a reliable answer.