Our app uses Firebase Analytics as well as Firebase Crashlytics. We host no ads, nor intentionally track users. Analytics and Crashlytics are disabled by default and we ask the consent to enable these on our own default consent pages that are shown on app start.
Recently the app updates have been getting rejected with the following message:
Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing
We noticed your app accesses web content you own where you collect cookies. However, you do not use App Tracking Transparency to request the user's permission before collecting data used to track.
Collecting cookies is a form of tracking. Starting with iOS 14.5, apps on the App Store need to receive the user’s permission through the AppTrackingTransparency framework before collecting data used to track them.
Next Steps
Follow these steps to resolve this issue:
- If you haven't already, update your app privacy information in App Store Connect to disclose that you track users. You must have the
Account Holder or Admin role to update app privacy information. 2. Implement App Tracking Transparency. 3. Request permission using App Tracking Transparency before collecting data used to track the user. When you resubmit, indicate in the Review Notes where the permission request is located. 4. If the user does not allow tracking, do not collect cookies for tracking purposes.
You may also choose to remove the tracking functionality from your app, including tracking that occurs when accessing web content.
Resources
- Tracking is linking data collected from your app with third-party data for advertising purposes, or sharing the collected data with a
data broker. Learn more about tracking.
- See Frequently Asked Questions about the new requirements for apps that track users.
- Learn more about designing appropriate permission requests.
Please see attached screenshots for details. (screenshot of my analytics consent page)
This is how my App Privacy information looks like on App Store Connect:
As you can see, currently we have stated that we do not track users.
Apple defines tracking as follows (https://developer.apple.com/app-store/app-privacy-details/#user-tracking):
“Tracking” refers to linking data collected from your app about a particular end-user or device, such as a user ID, device ID, or profile, with Third-Party Data for targeted advertising or advertising measurement purposes, or sharing data collected from your app about a particular end-user or device with a data broker.
We have disabled the IDFV collection (GOOGLE_ANALYTICS_IDFV_COLLECTION_ENABLED is set to false), and the IDFA collection (we are using Firebase/AnalyticsWithoutAdIdSupport library).
Other than this, we do not set any custom user id for the Analytics, the Firebase Analytics SDK only uses the auto-generated app instance ID which (to my understanding, at least) can’t be linked to a particular end-user or device, or be shared for advertising targeting purposes by the third-party. Is this still considered tracking by Apple?
Then again, Apple states that:
"Tracking also refers to sharing user or device data with data brokers"
Out-of-the-box, Firebase Analytics collects some specs about the device (such as the model). Does this mean that using Firebase Analytics is tracking no matter what?
Have you come up with a solution for this, other than disabling Firebase Analytics, or implementing the ATT prompt, neither of which is something we would like to do?