All App Store apps must have a privacy policy beginning October 3

A screenshot showing off the App Store Connect app for iPhone

Beginning Wednesday, October 3, all new App Store submissions are required to have a privacy policy, according to yesterday’s change to the section 5.1.1 Data Collection and Storage of Apple’s official App Store Review Guidelines.

As first discovered by AppleInsider, the new rule extends the existing requirement for iPhone, iPad and iPod touch apps with subscriptions to all new apps and updates to exiting apps.

Apple told developers that new submissions starting October 3 must include a privacy policy link in the App Store Connect metadata field. Furthermore, the privacy link must be accessible from within the app in an “easily accessible manner.”

Previously, only apps that require a subscription had had to include the privacy policy link. Starting October 3, all new apps and app updates, free or paid, with or without subscriptions, must come with a privacy link that has to be accessible even if the app does not need an Internet connection to function.

Apple’s goal here is to strengthen privacy protections for their customers in the aftermath of Silicon Valley’s biggest privacy-related scandals of late, like the massive Facebook data leak. There’s only that much Apple can do once an app has collected data from users because the company has no control over whether a developer sold or shared user data to another party.

Apple only requires that the privacy policy identify the type of data being collected and that any third-party the data is shared with provide the “same or equal protection of user data”. Users, unfortunately, cannot simply delete an app to have the data it shared with another party automatically deleted from their servers.

While apps and services are legally obliged to let you revoke consent and request deletion of your data, this isn’t something regular Joes can find and do on their own. Which is saying Apple’s probably implementing this change for legal reasons. But then again, putting a privacy policy front and center will probably amount to anything because who reads this boring legal stuff?

Thoughts?