Clarification on Privacy Manifest requirements for SDKs

Hello Apple Developer Community,

I'm reaching out to seek clarification on a specific post in the forum, referenced here: https://developer.apple.com/forums/thread/743295

Let's say our current live app in the App Store uses the below-mentioned third-party SDKs.

SDKs listed in commonly used SDKs:

  1. Firebase
  2. GoogleUtilities
  3. AppAuth
  4. RxSwift
  5. RxCocoa

SDKs not listed in commonly used SDKs:

  1. SDK1 (uses required reason API)
  2. SDK2 (uses required reason API)
  3. SDK3 (uses required reason API)

Note: All the above-mentioned SDKs are already integrated in the current live app, not being added for the first time.

We are going to update our app soon (let's say after May 1, 2024).

I have some questions:

  1. If I’m updating SDKs listed in commonly used SDKs and updating an old app that already includes these SDKs, do I need to declare a privacy manifest file for these SDKs?
  2. If I’m not updating SDKs listed in commonly used SDKs and updating an old app that already includes these SDKs, do I need to declare a privacy manifest file for these SDKs?
  3. If I’m updating SDKs not listed in commonly used SDKs and updating an old app that already includes these SDKs, do I need to declare a privacy manifest file for these SDKs?
  4. If I’m not updating SDKs not listed in commonly used SDKs and updating an old app that already includes these SDKs, do I need to declare a privacy manifest file for these SDKs?

Considering how we're getting close to the timeline and 1) App Store Connect still doesn't issue any warnings regarding these frameworks and 2) Apple doesn't answer any threads about it, I'm assuming they didn't think this thing through and predicting none of this will actually be applied in practice. On top of your questions, another very important thing that the docs don't mention is what exactly are you supposed to do when the frameworks in question are linked statically.
