Adding Privacy Manifest to Swift Package

I have gone through (many times) the videos and documentation around adding privacy manifest support to applications and SDKs etc - specifically via the expected PrivacyInfo.xcprivacy file.

I am across adding it to the application, and to libraries that produce an xcframework (and signing those etc), however, I also have a series of Swift Package libraries available on GitHub which afaict will also require the privacy info file to declare the libraries privacy related intentions.

So my questions are:

  • Where should I add this file within the package setup?
  • Should there be a privacy info file per importable target?
  • Is it expected that the generated privacy report of an application will show info about the library?

I have tried within the sources area, and in the root/manifest section, but when I generate a privacy report on the archived application that utilities this library, I can't see any indication that the info is included in the report.

This is the generated privacy report from Xcode organiser:

My libraries do not actually track or access anything in the required API's list, however I also added some user tracking and linking etc to the privacy info file as a test, and it does not indicate that these are happening in the generated privacy report on the application.

Quick example/clarification:

I have tried putting the file here:

MyPackage
- Package.swift
> Sources
  > TargetName
      - PrivacyInfo.xcprivacy

and here

MyPackage
- Package.swift
- PrivacyInfo.xcprivacy
> Sources
  > TargetName

If there are docs that I have missed running through this, please link me 😅- I have searched for some clear answers through docs and forum questions but I can't seem to get clarification.

Answered by cheeky-ghost in 775992022

Yes the resources is the correct place, however I did want Apple to confirm some additional things. I got a response to my questions, and have been able to confirm some things too which is good:

So the original question of `Where should I add this file within the package setup?

You should add it as a resource file as described in Bundling resources with a Swift package.

Should there be a privacy info file per importable target? Or is it per library/package project?

It is per target. The target that builds the app or third-party SDK requiring a privacy manifest should only contain one privacy manifest. If your app links against a third-party SDK requiring a privacy manifest but doesn't collect data and use required reason API, then their target doesn't need to contain a privacy manifest file.

Is it expected that the generated privacy report of an application will show info based on flags within the package's manifest file? The generated privacy ​report will show all information inputted into the ​privacy manifest file.

However, it is worth noting that during my testing/validating - it only showed up in the report if there were tracking items.

For example, I purposely added a tracking item and included it in a sample project:

however, when the libraries privacy report had Privacy Tracking as NO and also no additional items or required reason api's it did not include in the report:

am assuming this is due to the report only highlighting flagged trackings/collections (at least that is my understanding of the available documentation)

I copy the PrivacyInfo.xcprivacy into the resource folder.

     .target(
            ...
            resources: [
                .copy("PrivacyInfo.xcprivacy")
            ],
Accepted Answer

Yes the resources is the correct place, however I did want Apple to confirm some additional things. I got a response to my questions, and have been able to confirm some things too which is good:

So the original question of `Where should I add this file within the package setup?

You should add it as a resource file as described in Bundling resources with a Swift package.

Should there be a privacy info file per importable target? Or is it per library/package project?

It is per target. The target that builds the app or third-party SDK requiring a privacy manifest should only contain one privacy manifest. If your app links against a third-party SDK requiring a privacy manifest but doesn't collect data and use required reason API, then their target doesn't need to contain a privacy manifest file.

Is it expected that the generated privacy report of an application will show info based on flags within the package's manifest file? The generated privacy ​report will show all information inputted into the ​privacy manifest file.

However, it is worth noting that during my testing/validating - it only showed up in the report if there were tracking items.

For example, I purposely added a tracking item and included it in a sample project:

however, when the libraries privacy report had Privacy Tracking as NO and also no additional items or required reason api's it did not include in the report:

am assuming this is due to the report only highlighting flagged trackings/collections (at least that is my understanding of the available documentation)

Adding Privacy Manifest to Swift Package
 
 
Q