Privacy Manifest for iOS Apps

Starting May 1, 2024, Apple requires all iOS apps on the App Store to include Privacy Manifests. These files, known as PrivacyInfo.xcprivacy, outline how apps and their dependencies handle user data. Non-compliance can result in app rejection or removal. Here’s what you need to know:

• What is a Privacy Manifest?
  A structured file that documents:

  • Data collected by your app and third-party SDKs.
  • APIs used for sensitive data or tracking.
  • Domains accessed by the app.

• Why does it matter?

  • Ensures transparency in data practices.
  • Keeps App Store Privacy Labels accurate.
  • Avoids app review delays or rejections.

• Key compliance steps:

  1. Use Xcode 15 or later to create and configure the PrivacyInfo.xcprivacy file.
  2. Document all APIs, data types, and tracking domains.
  3. Obtain Privacy Manifests from third-party SDK providers.
  4. Validate using Xcode’s Privacy Report.

• Deadlines:

  • May 1, 2024: Enforcement began.
  • Apps must now include Privacy Manifests to be approved.

Non-compliance risks include App Store rejection, legal issues, and loss of user trust. Tools like automated scanners and privacy generators can simplify the process. Stay proactive to ensure your app meets Apple’s privacy standards.

WWDC23: Get started with privacy manifests | Apple

Apple’s Privacy Manifest Rules

Apple’s privacy manifest introduces a requirement for transparent disclosure of data collection and API usage across all components of iOS apps.

To comply, developers must include a PrivacyInfo.xcprivacy file that outlines three critical elements:

• Required reason API declarations: Clearly state why specific APIs are being used.
• Data usage categories: Specify what types of data are collected and how they are used.
• Domain usage documentation: Detail the domains accessed by the app [3].

Compliance Deadlines

Apple has established firm deadlines for meeting these requirements:

These dates highlight the urgency for developers to align their apps with the new rules to avoid disruptions.

Non-Compliance Risks

Failure to comply with these guidelines can lead to severe consequences, including:

• Immediate App Store rejection: Non-compliant apps will not be approved for distribution.
• Legal exposure: Non-disclosure of data practices could result in regulatory action.
• Reputational damage: Users may lose trust in apps that fail to meet transparency standards [2].

“Apps using specific APIs must declare their intended use in a privacy manifest file, effective May 1, 2024.” – Apple [6]

For developers using over-the-air (OTA) update solutions like Capgo, compliance is especially important. These update mechanisms, along with data handling practices, must be explicitly documented.

Additionally, every SDK and framework integrated into your app must include its own privacy manifest, outlining its data collection and API usage. During the App Store submission process, Xcode will compile these individual manifests into a unified Privacy Report [3].

Required Tools and Setup

To implement Privacy Manifests in your iOS apps, you’ll need to set up your development environment with the necessary tools and credentials. These steps will help you prepare to create a compliant PrivacyInfo.xcprivacy file.

System Requirements

Make sure you have the following installed and configured:

• Xcode 15 or later: This is the minimum version that supports Privacy Manifests [1].
  • Available on the Mac App Store (stable release).
  • Beta versions can be downloaded from the Apple Developer portal [16].
• macOS: Use a stable version to ensure compatibility with Xcode.

Developer Credentials

To work with Privacy Manifests and submit your app to the App Store, you’ll need the following credentials:

To create your PrivacyInfo.xcprivacy file, open Xcode and go to New > File > iOS > Resource > App Privacy [1]. Place this file in the root directory of your app’s bundle resources to ensure it’s recognized during the build process.

Starting in Spring 2024, Apple will require all apps submitted to App Store Connect to include approved reasons for any listed API usage [7].

Once your tools and credentials are ready, you can move on to building the Privacy Manifest file directly in Xcode.

Building the Privacy Manifest File

Creating a Privacy Manifest file in Xcode can be straightforward with the right steps and tools. Here’s how you can set it up and streamline the process using automation.

Xcode Setup Steps

1. Create the Privacy Manifest File

   Open Xcode, navigate to File > New > File, and select “App Privacy File” under the Resource section. Make sure your app’s target is selected during this process [8].

2. Configure Required Keys

   Add the following keys to your newly created PrivacyInfo.xcprivacy file:

   Key	Description	Required Value
   NSPrivacyTracking	Indicates if the app uses data for tracking	Boolean (true/false)
   NSPrivacyTrackingDomains	Lists domains used for tracking	Array of domains
   NSPrivacyCollectedDataTypes	Data types collected	Array of dictionaries
   NSPrivacyAccessedAPITypes	API access details	Array of dictionaries

3. Validate Configuration

   After configuring the file, verify your setup by generating a privacy report in Xcode. To do this:

   • Create an archive by going to Product > Archive.
   • Right-click the generated archive.
   • Select Generate Privacy Report [8].

Using automation tools can help cut down on repetitive tasks and ensure consistency.

Automation Methods

Privado.ai Integration
Privado’s Privacy Manifest generator, introduced in June 2024, simplifies the process by automating code scanning and report generation. This tool:

• Scans your code and SDK dependencies.
• Maps out data collection practices.
• Auto-fills privacy reports.
• Links responses directly to the corresponding sections of your source code [10].

App Privacy Manifest Fixer
Launched in April 2025, this tool uses shell scripts to:

• Analyze your manifest and automatically resolve compliance issues.
• Seamlessly integrate with your existing build processes.
• Support custom templates for different project types [11].

For consistent results, include these tools in your project directory. This ensures smooth manifest generation across your team and CI/CD pipelines.

When utilizing over-the-air updates through platforms like Capgo, ensure your Privacy Manifest reflects any data collection or API usage tied to update functionality. Maintaining transparency here is key to staying compliant with App Store requirements while benefiting from modern update features.

Data Collection and API Documentation

Once you’ve built your manifest file in Xcode, the next step is documenting your app’s API usage and data collection practices. This is essential not only to meet Apple’s compliance requirements but also to establish trust with your users.

API Usage Documentation

Your PrivacyInfo.xcprivacy file must list all APIs that access sensitive information. When documenting API usage in your Privacy Manifest, include both the API categories and the approved reasons for their usage.

Here’s a quick overview of what needs to be documented:

This level of detail ensures a seamless connection between your manifest file and your data collection practices.

“You are responsible for all code included in your apps, per the App Store Review Guidelines. This includes any data collection and tracking practices.” - Tony, Privacy Engineering, Apple [5]

When implementing over-the-air updates, pay particular attention to disk space API declarations. For instance, Firebase Analytics version 10.24.0 resolved ITMS-91053 errors in April 2024 by addressing issues related to NSPrivacyAccessedAPICategoryDiskSpace and NSPrivacyAccessedAPICategoryUserDefaults [12].

Data Types and Categories

Your Privacy Manifest must clearly outline all data types collected and categorize them appropriately. Specifically, you need to document the following:

• Whether the data links to the user’s identity.
• Whether the data is used for tracking purposes.
• If both apply, specify the approved purpose from Apple’s predefined list.

For apps using third-party SDKs, ensure each SDK includes its own privacy manifest. For example, Persona SDK v2.18.0+ automatically declares the following data types:

• Coarse location (e.g., IP address)
• Device ID (device-level identification)
• User ID (account-level identification)
• Diagnostic data (e.g., error logs)
• Product interaction (e.g., flow events)

To stay compliant, regularly audit your codebase to identify APIs that require inclusion in your Privacy Manifest [13]. This kind of proactive review can help avoid submission delays and keep your app aligned with Apple’s evolving privacy standards.

Third-Party SDK Management

Third-party SDKs must align with Apple’s Privacy Manifest standards to comply with regulations and maintain user trust. These standards, discussed earlier, are equally important for third-party SDKs. Below, you’ll find details on managing OTA updates in Capacitor apps and ensuring SDK compliance.

Capacitor and OTA Updates

When using over-the-air (OTA) updates in Capacitor apps, it’s crucial to configure your privacy manifest accurately. For apps employing live update solutions, you need to declare specific API usage in the privacy manifest:

Capgo simplifies this process by integrating privacy manifest compliance into its OTA update system. It automatically declares the required APIs and data access, ensuring your app remains compliant while benefiting from real-time updates.

Now, let’s explore the key steps for verifying SDK compliance.

SDK Compliance Checks

After addressing OTA update declarations, it’s essential to ensure all integrated SDKs meet the necessary standards. With 88% of organizations using thousands of cloud apps [16], robust SDK compliance checks are a must.

• Automated Scanning
  Use tools like Ostorlab.co to scan your app’s IPA file [1]. This complements the insights provided by your Xcode Privacy Report, offering a thorough analysis of your app’s compliance.

• Version Management
  If an SDK lacks a privacy manifest, you’ll need to manually declare its data usage in your app’s PrivacyInfo.xcprivacy file [14]. This step ensures transparency and adherence to Apple’s guidelines.

• Security Implementation
  Mismanaged SDKs can lead to significant consequences. For instance, Tilting Point Media faced a $500,000 settlement on June 18, 2024, for CCPA and COPPA violations due to improperly configured SDKs [15]. To avoid similar pitfalls:

  • Encrypt sensitive data before it’s handled by SDKs.
  • Apply least-privilege access principles to limit unnecessary permissions.
  • Continuously monitor SDK usage within your app.
  • Regularly audit SDK policies to ensure they remain compliant.

Testing and Submission Process

Before you submit your app, you’ll need to test your Privacy Manifest implementation following Apple’s required procedures, effective May 1, 2024 [9].

Xcode Privacy Report

Once you’ve set up your Privacy Manifest, the next step is testing its accuracy. Using Xcode 15, archive your project and generate a Privacy Report [8]. This report provides an overview of your app’s declared data types, SDK practices, API usage, and tracking domains.

“Xcode 15 can aggregate all the privacy manifests in your app’s project, and produce a privacy report that summarizes the declared data uses… This helps you review, understand, and describe the privacy practices of your app and its dependencies.” - Tony, Privacy Engineering, Apple [5]

For further validation, you can use the Points of Interest instrument in Xcode 15 to detect any connections to tracking domains [5].

Submission Requirements

After reviewing the Privacy Report, ensure the following key components are ready for submission:

Important Steps to Verify:

• Link the Privacy Manifest to your app target [17].
• Confirm that third-party SDKs include their privacy bundles [17].
• Accurately document and declare all tracking domains [5].

“Check that the privacy manifest matches your understanding of the third-party SDK’s functionality.” - Tony, Privacy Engineering at Apple [5]

For a practical example, take the CodeWithChris team. In October 2023, they successfully implemented Apple’s privacy requirements while building their mood tracker app. They relied on Xcode’s privacy report to ensure every aspect of their app met Apple’s new standards before submission [18].

Updates and Maintenance

Keeping your Privacy Manifest up-to-date is just as important as maintaining your app’s codebase. As privacy policies evolve, regular updates ensure compliance and streamline the approval process.

Policy Update Tracking

Staying aligned with Apple’s privacy policies is critical for maintaining App Store compliance. Since the May 1, 2024 enforcement deadline, developers have been required to keep a close eye on changes to privacy regulations and API specifications.

For instance, InMobi’s SDK version 10.7.2 included a detailed privacy manifest, which serves as a strong example of third-party documentation [4].

“Developers are responsible for all code included in their apps” - Apple [4]

Version Control

Beyond monitoring policy updates, systematic version control is essential for ensuring long-term compliance with Apple’s evolving requirements. This step builds on earlier measures, helping developers maintain consistency and accountability.

• Automated Verification
  Automated checks can improve deployment success rates by identifying compliance issues in real time. They also enable quick rollbacks if problems arise, reducing downtime.

• SDK Integration Tracking
  Keep a detailed log of SDK versions and their associated privacy manifests. For example, Spotify’s mobile team reduced app crashes by 15% over 30 days through precise SDK tracking and targeted fixes in August 2024 [20].

• Change Management
  Document every change thoroughly:

  • Record the reasons for updates
  • Note affected APIs and data types
  • Maintain an audit trail to simplify compliance reviews

Using version control tools with automated build and version management capabilities can make this process smoother. For example, Appcircle’s versioning system allows developers to manage build numbers and track versions through environment variables or Xcode integration [20].

Summary and Resources

Staying compliant with Apple’s privacy standards requires ongoing attention and the right tools. Managing a Privacy Manifest is not a one-and-done task - it demands accuracy and regular updates. Recent findings reveal that many developers still fall short of compliance [1].

Here are some essential tools and resources to help streamline implementation:

These tools simplify the process of maintaining compliance, especially when it comes to validation and documentation. Developers can also explore automated solutions for privacy manifest management. For instance, Capgo provides a live update feature for Capacitor apps, enabling quick updates while adhering to App Store requirements.

Starting in Spring 2024, Apple will require apps to resolve all privacy manifest and Required Reason API issues before they can be submitted or updated in the App Store [5]. To stay ahead, developers should:

• Collect privacy manifests from third-party SDK providers.
• Document all tracking domains and Required Reason API usage.
• Regularly validate manifests using Xcode’s privacy report.
• Keep thorough records of data collection practices.

For further guidance, these resources are indispensable:

• Apple Developer Website: Access updates on privacy requirements and policy changes [19].
• App Store Connect: Review submission guidelines and requirements [19].
• WWDC Videos: Watch technical sessions for privacy-related insights [21].

FAQs

::: faq

What happens if iOS app developers don’t meet Apple’s Privacy Manifest requirements by May 1, 2024?

Failing to meet Apple’s Privacy Manifest requirements by May 1, 2024, could have serious repercussions for iOS app developers. Your app might face rejection during the App Store review process, lose certain features, or even be removed from the store altogether.

Beyond that, non-compliance could subject future app submissions to greater scrutiny, potentially delaying approval times. These setbacks don’t just affect your app’s availability - they can also erode user trust and diminish your app’s presence in the marketplace. Staying ahead of the deadline helps ensure your app remains compliant and accessible to your audience. :::

::: faq

How can developers ensure third-party SDKs in their iOS apps meet Apple’s Privacy Manifest requirements?

To meet Apple’s Privacy Manifest requirements, developers must include a PrivacyInfo.xcprivacy file in their app or SDK. This file needs to clearly detail the types of data being collected and explain the purpose behind using specific APIs. Additionally, developers should confirm whether the third-party SDKs they rely on fall under Apple’s guidelines for requiring a privacy manifest and signature.

Starting May 1, 2024, every app submitted to the App Store must comply with these rules. It’s important for developers to work closely with their SDK providers to ensure accurate reporting of data practices, making it easier to align with the app’s privacy manifest. Following these steps not only helps avoid App Store rejections but also fosters user trust by promoting transparency in data handling. :::

::: faq

How can developers create and maintain a Privacy Manifest for their iOS apps to comply with Apple’s policies?

Developers working on iOS apps can create and manage a Privacy Manifest by adhering to Apple’s guidelines and utilizing available tools. Apple’s official documentation provides detailed instructions on setting up a PrivacyInfo.xcprivacy file, which specifies the data your app collects and any third-party SDKs in use. For step-by-step assistance, Apple’s WWDC23 video on privacy manifests is an excellent resource, covering how to identify privacy practices and generate privacy reports using Xcode 15 or later.

To streamline compliance, tools such as mobile app consent software can help manage SDKs and ensure proper user consent is obtained. These tools make it easier to stay aligned with Apple’s data-sharing policies while fostering transparency with users. For developers using Capacitor apps, platforms like Capgo offer real-time update capabilities while maintaining compliance with privacy requirements. :::