Privacy manifest requirement for SDKs

As the new requirement for Privacy manifests is coming this Spring 2024 (https://developer.apple.com/news/?id=r1henawx), Apple released a list of SDK's that need to comply with this requirement and provide a privacy manifest file: https://developer.apple.com/support/third-party-SDK-requirements/

I have some questions:

  1. Do i need to declare a privacy manifest file for the SDKs if i'm updating an old app that already includes one of these SDKs? Apple states "when you submit an app update that adds one of the listed SDKs as part of the update" which in my understanding applies only when an app adds an SDK for the first time in an app update.
  2. What happens with SDK's that are not in this list? Should every single SDK an app uses to include the privacy manifest file?

Any updates from anyone for the topic?

  1. Do i need to declare a privacy manifest file for the SDKs if i'm updating an old app that already includes one of these SDKs?

The new requirements apply to any new app or app update that you submit starting Spring 2024. if your app links against any of the listed SDK, then be sure to request an updated version of the SDK that includes the privacy manifest file.

2.What happens with SDK's that are not in this list? Should every single SDK an app uses to include the privacy manifest file?

Any app and third party SDK that collects data, uses required reason API, or both must include a privacy manifest file. If your app uses an SDK not listed but that falls under the mentioned requirements, then this SDK must include a privacy manifest.

While I agree with the manifests in general, this response from Apple is problematic in a couple of ways. I will likely write a separate thread detailing all the issues I know about currently, as this is going to be a huge pain point for many (perhaps an overwhelming majority) of iOS developers.

The new requirements apply to any new app or app update that you submit starting Spring 2024. if your app links against any of the listed SDK, then be sure to request an updated version of the SDK that includes the privacy manifest file.

"Request an updated version of the SDK" is an interesting way of stating this, and it is problematic, especially within the time table proposed.

Half the SDKs listed are maintained by FANG companies, meaning app developers have absolutely no leverage over whether or not they comply with Apple's manifest requirements. If Apple needs Google and Facebook to change their SDKs to help with international privacy law compliance then that is something that needs to happen at the trillion dollar corporation level, as app developers have no say in it.

Many of the rest are open source tools libraries that are compiled from source and have no official iOS frameworks to begin with. OpenSSL, nanapb, sqflite, etc. It's against our corporate policy to use unofficial third party compilations of open source software (for obvious reasons), so we would either have to create our own signed xcframeworks of someone else's code or convince all major open source tools libraries to release signed xcframeworks within the next few weeks.

Any app and third party SDK that collects data, uses required reason API, or both must include a privacy manifest file. If your app uses an SDK not listed but that falls under the mentioned requirements, then this SDK must include a privacy manifest.

This is mainly a problem because it was not expressed until four days ago. You had the list, now you tell us the list is "only a list" and EVERYTHING that "phones home" needs a manifest within the next few weeks. This is going to cause quite a bit of panic among a lot of framework developers who were under the impression that the requirements were going to be put only on the listed SDKs first, and then apply to all others later.

There are other issues that I think I should detail at length inside a separate thread, but those two are going to be problematic, especially since it's already January fifteenth and we do not have any hard date as to what part of "Spring" this refers to.

Let me add a bit of thing.

If your app uses an SDK not listed but that falls under the mentioned requirements, then this SDK must include a privacy manifest.

How to tell a SDK which doesn't have a Privacy Manifest file because it doesn't fall under the requirements or because they're just lazy and not working yet to fulfill the requirement?

If we had a simple tool to check if a library utilizes the APIs which fall under the requirement we can somehow tell that (although it'll be cumbersome), but no such method is provided nether.

The new requirements apply to any new app or app update that you submit starting Spring 2024. if your app links against any of the listed SDK, then be sure to request an updated version of the SDK that includes the privacy manifest file.

What about the listed SDKs that no longer provide active support like AFnetworking ? Do these need to be either removed from the application code and use an alternative. What about the ones that do not have an easy upgrade options like OpenSSL(for which no alternative exist) then application cannot be uploaded?

When an SDK adds only a "Privacy Accessed API Types" entry in the PrivacyInfo.xcprivacy file (without any "Privacy Nutrition Label Types" entry), does this information have to be displayed in the generated privacy report PDF (from Archive)?

When this is the case, this info (CA92.1 reason) it's not displayed in the PDF. Is this normal?

Has anyone received an informational email from Apple regarding reminders related to providing a Privacy Manifest after uploading to App Store Connect?

Thank you.

What I understand if you plan to update your app so you
All the used SDK third parties should add the privacy manifest : if they Collect data / use one of the required reason API and you should also add a privacy manifest in your app if you use one of the required reason API or you collect data of course !

@DTS Engineer Is there any word on when exactly the warning emails will start? It's getting very close to Spring 2024, which technically starts on March 19, and it's getting nerve-wracking with this deadline coming and no warning emails yet.

If Apple suddenly starts enforcing the privacy requirements without ever sending the warning emails, my guess is that hundreds if not thousands of apps will be rejected very soon afterwards, with no straightforward fix options. As @CDWelton's post above does a great job of explaining, it's going to be a long and difficult process for every app to get all of its SDKs in compliance, because we're at the mercy of third-parties that might not prioritize maintaining these SDKs. Without the warning emails, it's going to be difficult if not impossible to know exactly which SDKs need to add a privacy manifest, let alone pressure their authors to actually add them.

This post clearly states that the emails would be sent starting in Fall 2023. It's now more than four months past that point, and no one seems to have actually received one. So I'd ask that the warning emails start to be sent to everyone right away (including sending an "all clear" email for apps with no violations); and, given that they'll be coming four months late, the enforcement deadline should also be extended by at least four months, if not more.

I agree that Apple is doing this policy for personal information.

Apple might think that it's just to add the Privacy Manifest within the deadline

However, there are many developers who are in a difficult environment to track and respond to each of these things.

We need more information and examples, and time..

Even if I search the developer forum now, there are various situations. But there is no clear answer to that.

Hi Everyone, How to add PrivacyInfo.xcprivacy file for static library frameworks?

Apple just announced the exact timelines for this: warning emails are starting on March 13, and app rejections will start on May 1. This is coming up fast. Everyone needs to check which SDKs on this list that they're using, and contact those library authors asap if they haven't added/started to add a privacy manifest.

Although I agree 100% with @CDWelton's post above- this is going to be way easier said than done.

Privacy manifest requirement for SDKs
 
 
Q