By Mircea Patachi 

At the end of August, Apple announced it would be cracking down on its third party app developers which do not already have privacy policies. As of October 3rd, all news apps and updates in the App Store, including those in testing, will be required to provide users with a link to a privacy policy outlining how their personal data is being processed.

Apple’s decision follows a series of data breaches involving major tech companies, most notably in March, when it was revealed that more than 50 million Facebook profiles were harvested by Cambridge Analytica in 2016. The breach severely tarnished the company’s reputation and heightened public demands for more transparency in data processing.  

By tightening privacy rules, Apple is trying to enforce its reputation as a company which takes data protection seriously. The tech giant has led the way in data protection standards vis-á-vis its competitors, having used encryption for messaging services since their inception and by employing data mining tools which attempt to anonymise user data. The company also advocates the idea of  privacy by default – that is, designing products to collect only the minimum amount of user data necessary for a particular service.  

New laws and stricter rules on privacy

Apple’s privacy crackdown may also be a response to the adoption of new legislation in Europe and North America – notably the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) – which set far stricter rules for how companies process data. Notably, the legislation expands the definition of personal data to include automatically-collected identifiable information, such as personal or device identifiers, IPs, and navigation history, which were previously not considered as personal data and collected unbeknownst to users.

This particular legal development holds great significance for Apple: each time an app from the App Store is installed, a large amount of identifiable user information stored by the company is transferred by default to third party developers, without user consent. Even small apps, which don’t require users to enter personal information for download, will still receive personal data such as IPs and device information from Apple. For this reason, all third party App Store developers will need to have privacy policies for Apple to avoid potential sanctions under new data protection laws.

Moreover, article 26 of GDPR obliges ‘joint controllers’ of personal information to specify how they are using data. That means that Apple and App Store developers which process the same user data must clarify exactly what they are doing with that information. Obliging third party developers to construct privacy policies is thus a good means for Apple to ensure it meets its obligations under GDPR.

The importance of well-constructed privacy policies

For any company operating online, constructing a robust privacy policy is an essential task, but not a simple one. For a privacy policy to be successful, companies must undertake rigorous data mapping to gain a comprehensive understanding of how they collect and use personal information from a wide range of users (i.e. customers, site visitors, employees).

They need to know exactly what data they collect, how it is processed and the legal basis for collecting data under article 6 of GDPR. Additionally, companies must be aware of how privacy rules differ between different types of user information – for example between automatically-collected and user-provided data. If personal information leaves the country it was collected in, organisations need to know who it was shared with, what country it was shared to and the data privacy regulations of that country. Moreover, a company must have well-defined mechanisms in place for protecting user data, as well as a platform for collating and responding to requests from users to access, delete and modify their personal information, or restrict data processing.

Data mapping is the foundation of an effective privacy policy and a key stepping stone to meeting various other obligations under the GDPR and CCPA. Knowing what, where and how data is processed allows an organisation to better protect their users’ information and swiftly respond to data breaches.

For Apple, enforcing privacy among its third party developers will help create a broader data map that allows them to better understand how developers use their customers’ personal data. Knowing where user data resides enhances Apple’s understanding of how a data breach could adversely impact their users and subsequently boosts their capacity to design apt countermeasures for protecting personal information.

What to expect in the future

Improving data protection depends on the ability of third party developers to comply with stricter regulations, many of whom are small-scale development houses or individuals with little expertise in data privacy. Enforcing tighter data protection standards will help Apple verify whether App Store developers are collecting and processing data in accordance with new legislation.

In coming years, other app marketplaces will likely launch similar initiatives, to meet new legal obligations, protect their data and also maintain a reputation as a transparent organisation which cares about customer privacy.

Mircea Patachi  is CEO and co-Founder of Clym LTD – a computer software company which helps companies comply with data privacy regulations.Twitter: @mpatachi

Privacy policy stock photo by