Two weeks ago, Apple Inc. ("Apple") attempted to quietly change its app data collection rules in its App Store to restrict how app developers use, transmit, share, and even sell iPhone owners' personal information. In a regulatory and societal climate of increased concerns over the privacy and security of personal data, Apple tightened its app data collection rules in order to provide users with a greater ability to control their personal data in the App Store marketplace.

What do Apple's changes entail?

The General Data Protection Regulation ("GDPR"), recently enacted in the European Union ("EU"), is clearly having an impact in the United States, as domestic companies revise their personal data collection, use, sharing, and storage policies regardless of location. In fact, the State of California has proposed the California Consumer Privacy Act, which reflects many of the core data protections contained in the GDPR, in particular by providing consumers with better control over and access to their data.

Of its own volition, Apple revised its App Store Review Guidelines to prevent app developers from engaging in certain app data collection activities in the future. Importantly, and irrespective of whether app developers obtain consent from iPhone owners, app developers are now prohibited from: (1) building a database of iPhone owners' digital address books; and (2) sharing databases with third parties and/or selling that information. Further, app developers are restricted from collecting and sharing personal data without permission from users and "must provide [users] access to information about how and where the data will be used." In addition, the new app data rules prevent app developers from:

  • using consent to access data—such as an address book—for one purpose, only to be used for another purpose without obtaining additional consent;
  • sharing data with third parties, unless the data is used to improve the app or for advertising purposes;
  • collecting information regarding other apps that are installed on a user's device;
  • sharing with third parties any data collected from Apple Pay for any purpose other than to "facilitate or improve delivery of goods and services;" and
  • contacting people using information collected from a user's contacts unless the user explicitly consents, on an individualized basis, and the developer provides a clear description of how the message will appear and who the message is from.

Apple's new app data collection rules appear to align with Apple's stated philosophy to forgo the monetization of customer data.

Repercussions for App Data Collection Rule Breakers

App developers who disregard Apple's new rules run the risk of being: (1) banned from the App Store; (2) sued by Apple for violating its rules; or (3) sued by the individual whose information was improperly obtained. Given the new restrictive App Store rules, mobile app operators should review their app data collection policies and be sure to keep records of consent from their users.
