Understanding Apple’s New App Privacy Information

With the release of its latest operating system updates – macOS 11.1 and iOS 14.3 – Apple has introduced a new system that shows users what data apps collect. Available in both the Mac App Store and the iOS/iPadOS App Store, these "nutrition labels," as Apple has called them, show in which of 14 data categories an app collects data, and further details show exactly what types of data are collected.

Long available for Android apps in the Google Play Store, this information will help users of Apple devices better understand what data developers collect about them. Here’s what this App Privacy information means, how to understand it, and why it may not change the way users work with apps.

Viewing App Privacy information

If you look at any app page in one of Apple’s App Stores, and scroll down a bit, you’ll see an App Privacy section. In it, you’ll see one of three types of information.

Some apps collect no data at all. If so, they display the following:

Another possibility, which you’ll probably see for a while, is No Details Provided. Apple has required that developers add app privacy information, and will add that information to the App Stores when apps are next updated.

Finally, for apps that have provided the necessary information, you will see one or two sections displaying Data Linked to You and/or Data Not Linked to You. Here’s Data Linked to You from Facebook Messenger on the Mac:

And here is Data Not Linked to You from the Shazam app on the Mac:

Understanding App Privacy information

The 14 data categories are a bit vague, but you can find out more by tapping See Details in the App Privacy section. Facebook is a good app to examine, because they seem to have checked every data type in every category. Here’s a brief video showing the Facebook app in the iOS App Store, and the types of data it collects:

When you look at this information, it may not be very clear, since even the granular data types are a bit vague. The "App privacy details on the App Store" page on the Apple developer site gives more detailed information. For each of the 14 categories, the data types are defined. For example, User Content includes emails or text messages, photos or videos, audio data ("The user’s voice or sound recordings"), gameplay content, customer support ("Data generated by the user during a customer support request"), and other user content.

This does not mean that, when an app says it may collect this information, it will collect all of it. For example, the above User Content could be collected at any time, but it doesn’t mean that an app will be harvesting all your emails and text messages; however, it doesn’t say that it won’t either.

Many of these data types are vague, because the precise information collected can’t be easily quantified. The first time you want to post a photo on Instagram, for example, the app will ask you for permission to access your photo library. This is only because iOS needs you to grant that permission so the app can use photos you want to post, not because it’s going to snarf up all your photos. The same is true for emails, contact information, browsing history, and more.

In fact, it’s this vagueness that may be worrisome. While Facebook claims that they may collect any of the data types they mention, you have no idea what they collect and when. This should give you pause; do you really want to use apps that collect that much data? It’s worth pointing out that you can use Facebook in your web browser, as is the case for a number of social media apps, such as Twitter, Instagram, and others. If you do, they can’t collect anywhere near the same amount of data. They’ll still have data linked to your Facebook or Twitter account, but nothing more.

Enforcing App Privacy disclosure

While this information is useful, one could argue that there is too much of it. It’s somewhat like a website’s privacy policy; does anyone read it? Yes, this data is presented in easy-to-understand categories, but I don’t think most people will pay attention to it.

All app privacy data is self-declared; it’s not clear how Apple is going to enforce this if developers lie about the data their apps collect. Presumably, if an app is found to collect data other than what’s declared, Apple will react, but it is hard to know exactly what apps do and whether their developers are honest.

In addition, if apps aren’t updated, developers aren’t required to submit this information. So we’ll be seeing a lot of older apps that are never updated to reflect this information.

In the meantime, at least Apple has caught up with what Google has been doing for years. Whether this is useful or not remains to be seen. But if it does give you pause when you see how much data an app like Facebook collects, that’s a good thing.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.