What Apple's new privacy 'nutrition' labels say about some of the biggest apps

Posted in General Discussion, edited December 2020
Apple has launched its "mandatory" privacy labels for apps in the App Store, and while what it tells users about apps like Facebook is eye-opening, other big developers seem to think that the disclosure is optional.

The new App Store privacy labels are prominent, but only after you've scrolled far down an app's listing


With the release of iOS 14.3, Apple has brought out its promised privacy guidance on the App Store. The so-called "nutrition labels" are more prominent than was expected, and Apple is not giving developers who flout the requirement the free ride it had seemed it would.

The privacy label is still quite buried in an app's listings, though. It comes as a series of large card-like images, but they come after the app's title, new category details, a What's New description, previews or screenshots, a more general app description, and the Ratings & Reviews.

It remains true, too, that developers have not been forced to update their apps with this information. Apple had imposed a deadline of December 8, but shortly before then also told developers their existing apps would not be removed if they failed to provide the privacy details.

Consequently, searching through the App Store does show many prominent apps that have not complied. Where a developer has not provided information for this privacy label, Apple displays a label saying that they haven't.

When apps don't have privacy information

Apps that do not have a full "nutrition label" do still retain their link to the developer's privacy policy. But they also gain this label which says they haven't complied -- and that they will have to before any further updates will be accepted.

Some surprisingly large app developers, such as Disney, have yet to comply


Apple has provided developers with documentation that specifies what details they must provide, and what they do not. Broadly speaking, if an app collects any data from a user and then uses it outside the app in any way, or for any company, that must be disclosed.

Developers have to fill out an online form with approximately 34 separate sections covering typical handling of user data. Some of these are very specific, such as those concerning health details, while others are broader, such as apps that track the taps or clicks a user makes in their app.

Major apps that lack privacy labels

In a random sample taken at time of writing, the apps that had not complied do include some surprisingly prominent ones.

Of the very largest developers, Google appears to have completely failed to provide any privacy labels. There are none displayed on Gmail, Google Maps, or the main Google search app.

There also isn't any privacy detail in Google-owned YouTube's main or Kids apps. Similarly, Amazon has not entered information for its main shopping app, Kindle, or Audible audiobooks apps.

Then of the medium-sized developers, 1Password, the secure password manager, has yet to update its information.

Even Disney+ and Endel, two of Apple's best apps of 2020, have not complied.

It is early days, but then it is also after Apple's original deadline. So we can expect most developers to provide the information, but presumably now not until they want to update their apps.

We're less concerned about the missed deadline from the independent developers than we are about Google, Amazon, and other big developers seemingly blowing this off.

An app can have one, all, or none of these. Tapping on any gives you a little more detail

When apps do have privacy information

Many of the randomly sampled titles did include new privacy details, and that includes major companies such as Microsoft.

Apple shows the detail it gets to users through a variety of labels. These range from one label with few details, through to two separate labels with much more.

OmniFocus is typical of most apps, showing little use of user data


Probably the most common situation is where few details need to be shown. For instance, To Do app OmniFocus gets a label headed Data Linked to You.

Within that, there is only the information that Purchases and Identifiers "may be collected and linked to your identity."

Tap on this, or any other privacy label, and you get the detail of what the developer has told Apple about what it does. It's not much more detail than in the main label, but there isn't always that much more to say.

The Data Linked to You section for the Fantastical calendar app, for instance, includes an entry labelled Diagnostics. Tapping to read the full description just explains that Crash Data is collected.

Privacy labels for Facebook and Whatsapp

All apps are now supposed to provide some information, and their details will vary across every possible use of a user's data. So far there appear to be three different types of "nutrition label."

As well as Data Linked to You, some apps contain a section called Data Not Linked to You. Fantastical, for instance, has location data in this category, but its use does not identify you.

Facebook gets two labels, and the detail in each one goes on for quite a few pages


There is also Data Used to Track You, and not surprisingly, social media apps such as Facebook get this one. Facebook lists that it uses your contact information, identities and "other data" to track you.

When you tap to learn more, you are informed that "identities" means your User ID and device ID. But the extra detail about the "Other Data" element reads, in total, "Other Data Types."

Interestingly, Whatsapp has only the Linked to You label, with entries to do with your user content, and your location. Whatsapp has previously complained that Apple's broad labelling will mean it gets lumped in with apps that might be more invasive.

However, one element of the privacy details that Whatsapp has had to list concerns location. While it's true that any app using your location may have to list that fact, the extra detail for Whatsapp does qualify it. Whatsapp uses only your "coarse location."

Benefits and limitations of privacy labels

Perhaps the single best impact of the new labels will be in how their very existence educates us all to be mindful of our privacy. You don't even have to see the privacy notice before you buy an app, though, so it's not a particularly strong barrier against apps which do more than you might want.

That's chiefly down to how buried the privacy label is, typically coming after six other sections in the App Store listings.

However, the information is still rather vague. A developer may very well provide much more explanation on their own site, though.

Yet that is also an issue. We, and quite possibly Apple, have to go by what the developer has said, and there's no obvious way to verify that information.

Hopefully Apple's teams have systems for ensuring that the data is accurate before they allow an app or an update on to the App Store.

Nonetheless, there is more to the "nutrition label" idea than it had seemed there was going to be. Plus, even if the information is not detailed, its presence will help you if you're concerned about an app.

And if nothing else, it will make us more aware that we should be concerned.




Comments

  • Reply 1 of 14
    flydog Posts: 1,123 member
    This article is misleading.  Developers are not required to disclose this information until the next time they submit a new app or app update after December 14.  Therefore, there is nothing to "comply with" until the developer submits a new app or app update. Gmail has not been updated in 2 weeks, and therefore Google cannot be categorized as "ignoring" or having to "comply with" the requirement.  

    Also, the article makes it sound like WhatsApp is hiding something by stating only that it collects "Other Data Types," however, the labels and descriptions are not chosen by the developer. There is no option to enter custom information.

  • Reply 2 of 14
    Just doing a cursory browse of some of the "sensitive" titles on the app store (social media apps, "secure" chat and dating apps, etc.) and have already found an app which claims to collect no details (thus earning the big blue tick from apple) - yet if you click through to their privacy policy for the app it clearly states that they do collect data, and a lot of it.

    So what vetting process are Apple actually applying here? 
  • Reply 3 of 14
    y2an Posts: 187 member
    Late in Q4 is a really bad time to drive a compliance campaign. Most businesses of any size are totally focussed on operations till January. Poor timing imho. 
  • Reply 4 of 14
    Rayz2016 Posts: 6,957 member
    Just doing a cursory browse of some of the "sensitive" titles on the app store (social media apps, "secure" chat and dating apps, etc.) and have already found an app which claims to collect no details (thus earning the big blue tick from apple) - yet if you click through to their privacy policy for the app it clearly states that they do collect data, and a lot of it.

    So what vetting process are Apple actually applying here? 
    By the looks of it, none. And I can see why it would be very hard to do without looking at the source code, or running the app and seeing what it sends out 

    They need penalties for outfits that are found to be lying. 
    edited December 2020
  • Reply 5 of 14
    Rayz2016 Posts: 6,957 member
    Of the very largest developers, Google appears to have completely failed to provide any privacy labels. There are none displayed on Gmail, Google Maps, or the main Google search app.

    They’re probably still filling in the form …


  • Reply 6 of 14
    MplsP Posts: 3,911 member
    flydog said:
    This article is misleading.  Developers are not required to disclose this information until the next time they submit a new app or app update after December 14.  Therefore, there is nothing to "comply with" until the developer submits a new app or app update. Gmail has not been updated in 2 weeks, and therefore Google cannot be categorized as "ignoring" or having to "comply with" the requirement.  

    Also, the article makes it sound like WhatsApp is hiding something by stating only that it collects "Other Data Types," however, the labels and descriptions are not chosen by the developer. There is no option to enter custom information.

    This is a huge loophole and there’s really no justification for it. 
  • Reply 7 of 14
    If people find an app that is not complying and especially telling porkies then why not name and shame them. Make sure that you include the version number.
    Then people can make an informed decision about using or not using the app.
  • Reply 8 of 14
    Rayz2016 said:
    Just doing a cursory browse of some of the "sensitive" titles on the app store (social media apps, "secure" chat and dating apps, etc.) and have already found an app which claims to collect no details (thus earning the big blue tick from apple) - yet if you click through to their privacy policy for the app it clearly states that they do collect data, and a lot of it.

    So what vetting process are Apple actually applying here? 
    By the looks of it, none. And I can see why it would be very hard to do without looking at the source code, or running the app and seeing what it sends out 

    They need penalties for outfits that are found to be lying. 
    The security model in iOS would as a minimum give Apple scope to know some of the data that is being used based on the entitlements requested by the app.

    Secondly a basic reporting feature might be worth adding to the store, so users can directly bring attention to such apps. 
  • Reply 9 of 14
    cpsro Posts: 3,192 member
    Google’s privacy label: “Oh, fuck it”
  • Reply 10 of 14
    flydog said:
    This article is misleading.  Developers are not required to disclose this information until the next time they submit a new app or app update after December 14.  Therefore, there is nothing to "comply with" until the developer submits a new app or app update. Gmail has not been updated in 2 weeks, and therefore Google cannot be categorized as "ignoring" or having to "comply with" the requirement.  

    Also, the article makes it sound like WhatsApp is hiding something by stating only that it collects "Other Data Types," however, the labels and descriptions are not chosen by the developer. There is no option to enter custom information.

    Are you on Google payroll?
  • Reply 11 of 14
    I only use Apple's first-party apps.

    Failing that, I use Safari to access sources I need, Amazon, Ai, etc.

    Search, I use DuckDuckGo.

    Obviously, I have a banking app (CU) And that's about it. Am I wrong?

  • Reply 12 of 14
    radarthekat Posts: 3,842 moderator
    I suspect this is a multi-step process that will evolve over time. Apple may add requirements to spell out in more detail what is being done with data for each section, and may add more sections, ultimately absorbing all of the pertinent detail from the vendors’ own privacy disclosure documents into a standardized format that Apple allows customers to filter against when browsing for apps. They may also develop means to verify against each category and detail to flag apps that are not fully reporting, as well as rank higher those that are good citizens. A comprehensive self-reporting/programmatical audit system might yield a number of benefits, including a bit of competition among vendors to rank higher in customer privacy.
  • Reply 13 of 14
    0ID0 said:
    flydog said:
    This article is misleading.  Developers are not required to disclose this information until the next time they submit a new app or app update after December 14.  Therefore, there is nothing to "comply with" until the developer submits a new app or app update. Gmail has not been updated in 2 weeks, and therefore Google cannot be categorized as "ignoring" or having to "comply with" the requirement.  

    Also, the article makes it sound like WhatsApp is hiding something by stating only that it collects "Other Data Types," however, the labels and descriptions are not chosen by the developer. There is no option to enter custom information.

    Are you on Google payroll?
    He is just clarifying something. 

    If you follow his posting history you'll know that he is far from being a Google apologist. Or an Apple apologist, for that matter. 
    edited December 2020
  • Reply 14 of 14
    Rayz2016 Posts: 6,957 member
    0ID0 said:
    flydog said:
    This article is misleading.  Developers are not required to disclose this information until the next time they submit a new app or app update after December 14.  Therefore, there is nothing to "comply with" until the developer submits a new app or app update. Gmail has not been updated in 2 weeks, and therefore Google cannot be categorized as "ignoring" or having to "comply with" the requirement.  

    Also, the article makes it sound like WhatsApp is hiding something by stating only that it collects "Other Data Types," however, the labels and descriptions are not chosen by the developer. There is no option to enter custom information.

    Are you on Google payroll?
    I have no idea if he is or not, but he’s still correct: developers are only required to include the label on their next update. If the label isn’t included then, Apple will presumably reject the app during review. 