In brief, Privacy Manifests are one of Apple’s initiatives, aimed at promoting greater transparency in terms of which End Users’ data is being processed and how it’s being used by mobile app developers and third-party SDK vendors.
What are Apple’s Privacy Manifests?
A Privacy Manifest, basically, is a file, which includes a property list, where a developer and/or a third-party SDK vendor discloses the entire scope of End Users’ data elements, which they collect/process and what exactly these are being used for.
From a technical standpoint, a privacy manifest file, created through Xcode and named PrivacyInfo.xcprivacy, must include a list of properties, where each string will describe each data category collected (NSPrivacyCollectedDataType), like the user’s name, email address and/or other contact information, location details, etc., as well as the information on whether this data is linked to a specific user (NSPrivacyCollectedDataTypeLinked) and whether it’s used for tracking purposes or not (NSPrivacyCollectedDataTypeTracking).
In addition, privacy manifests must also include the defined tracking purpose for each data category (NSPrivacyCollectedDataTypePurposes), i.e. app functionality, analytics, content personalization, developer’s own marketing/advertising and third-party advertising activities, just to name a few.
More importantly, the Privacy Manifest must also enlist connected domain/s, if any, if those are being used for tracking purposes, as determined by the App Tracking Transparency framework. Correspondingly, any network requests to such enlisted domains will be denied, unless/until the End User provides a relevant ATT consent to it.
The information disclosed in a Privacy Manifest by an app developer and their linked SDK providers can be further aggregated in a so-called app Privacy Report (which can be created using the Xcode, too).
The Adoption Time Frame
Apple publicly presented its Privacy Manifests initiative at the annual WWDC event in June 2023, apparently aiming to further decrease device fingerprinting risks and push forward a market-wide adoption of the previously introduced ATT framework.
As announced, in autumn 2023 Apple will begin reviewing updated and newly-submitted mobile apps to make sure that all so-to-speak “privacy impacting” SDKs they’re using have their Privacy Manifest files in place. If not, such app developers will be receiving an email notification, accordingly. And starting from spring 2023, the Privacy Manifest review will become an inevitable part of the app review process during its submission to Apple’s App Store.
In this respect, while app developers don’t need to submit information about the data collected by third-party SDKs via their mobile apps in their Privacy Manifests, they still need to ensure they’re declaring all details related to their own data processing practices.