
Apple's new requirement puts additional focus on consumer and data privacy

By Maria Henriquez
November 11, 2020

Starting on December 8, Apple will require all third-party developers to detail their app’s privacy information, according to an Apple post.

Though developers can already share those details through the company’s App Store Connect website, this new policy is a must for any new apps or updates they submit to Apple. With the new policy, developers will have to identify all of the data they or their third-party partners collect, unless the data meets all of the criteria for optional disclosure listed. By "collect," Apple refers to any data that is transmitted off the device in a way that allows developers or their third-party partners to access it for a period longer than what is necessary to service the transmitted request in real time. "Third-party partners" refers to all analytic tools, advertising networks, third-party SDKs, or other external vendors whose code developers have added to their app.

Apple said that developers will be responsible for keeping responses accurate and up to date. If practices change, developers will have to update responses in App Store Connect. If the data isn’t provided, the app won’t be allowed into the official iOS App Store or Mac App Store, Apple said.

According to Apple, data types that meet all of the following criteria will be optional to disclose: 

  • The data is not used for tracking purposes, meaning the data is not linked with Third-Party Data for advertising or advertising measurement purposes, or shared with a data broker. For details, see the Tracking section.
  • The data is not used for Third-Party Advertising, Advertising or Marketing purposes, or for Other Purposes, as those terms are defined in the Tracking section.
  • Collection of the data occurs only in infrequent cases that are not part of the app’s primary functionality, and which are optional for the user.
  • The data is provided by the user in the app’s interface, it is clear to the user what data is collected, the user’s name or account name is prominently displayed in the submission form alongside the other data elements being submitted, and the user affirmatively chooses to provide the data for collection each time.

If a data type collected by the app meets some, but not all, of the above criteria, it still must be disclosed in App Store Connect. Examples of data that may not need to be disclosed include data collected in optional feedback forms or customer service requests that are unrelated to the primary purpose of the app and meet the other criteria above. This information will be turned into “privacy labels” for apps, where users will see how their data is being handled. The labels will show up on apps’ pages in the App Stores.

Security experts note that this new update (iOS 14) puts additional focus on user privacy, and in particular gives users better visibility into their personal information that is shared with third parties. 

Chris Hazelton, Director of Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains that previously, iOS users only had the choice between sharing all their information when using apps, or declining to share and not having access to apps. And now Apple has created a new format in the App Store for users to more easily identify how they share personal information with developers and third parties.

"The privacy changes in iOS 14 are part of an unstoppable trend to increase the protection of user privacy. This trend will not stop with tracking for advertisers. Developers that update their apps after December 8 won’t have their apps approved unless they include this information. macOS 10.15 Catalina kicked everyone out of the kernel, a privilege that endpoint security providers had since the beginning of desktop operating systems. With this move security vendors are now also limited in accessing user and system information, and must operate like any other app. Fighting this trend is like fighting the ocean tides; you can't. You have to adapt to the trend and innovate or die. Mobile security providers innovated when they couldn't have kernel access and I am sure advertisers will find a way to innovate as well," adds Hazelton.

Hazelton says this requirement to disclose third-party data collection, and whether it’s used for tracking, will make it easier for users to understand how mobile apps collect personal data. "This format will clearly disclose personal data used to track users across other apps and websites. It will also disclose how data, like financial information, will be linked to other accounts, devices, or identities," he says. "Like nutrition labels in real life, the goal is to create a common, easily understandable format for users to see how personal data is collected and used by developers and partners. It will make it easier for users to question whether free services from developers are worth the cost of sharing sensitive personal information."

At first glance, it is a welcome development and an important step on Apple's behalf towards making both the consumer and developer aware of privacy rights and obligations, says Emma Bickerstaffe, Senior Research Analyst at the Information Security Forum, a London-based authority on cyber, information security and risk management. "However, there are questions around how this self-assessment model will be implemented, and whether the consumer will have the inclination to read it when installing an app. Just as consumers now automatically accept cookies and agree to privacy policies, they may also ignore privacy labels in their rush to download an app."

Bickerstaffe adds that in terms of transparency, it is likely that the big players, who have more at stake in terms of their reputation and brand image, will be more accurate and vigilant in meeting this requirement than independent developers. "As a self-assessment model with no in-built verification to enforce transparency, its long-term impact remains up for debate," she notes. "Perhaps we are seeing the very start of DevSecOps transforming into DevSecPrivOps – just as developers have become more aware of and now integrate security requirements into development, this step by Apple will mean they will also have to come to terms with privacy requirements, an extra bow to their ever-growing skillset. A potential stumbling block is that the emphasis may turn to privacy rather than security, which should remain at the forefront of application development."

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, a Washington, D.C.-based provider of privileged access management (PAM) solutions, notes this is an important move by Apple to provide more visibility and transparency to what apps are doing on iOS devices, allowing the user to decide what is ok and what is not ok. "For too long, developers have gotten away with hiding mass data collections of users' personal data and Apple is now making it visible. I believe it will be great if we can simplify it with a grading system, along with clear risk labels, as you would get on typical consumer products that are bad for your health."

"The thing with Apple’s App Store is that it is the Apple way or the highway. This continues the recent improvements on features such as the label on when iOS camera or microphone is being used," Carson says. "The only challenge and concern I see is that while time is the most valuable asset, we have way more than data and oil. Companies, like Apple, want you to spend more time and money using their products, however, I hope it is more time being productive, rather than just wasted."

Commenting on the news, Hilary Wandall, TrustArc's SVP, Privacy Intelligence and General Counsel, says: "Apple's new app privacy requirements are a significant milestone in the long-running debate between consumable privacy transparency and legal privacy notices. While multi-stakeholder attempts for more than a decade at layered privacy notices, privacy notice icons, privacy nutrition labels and other forms of privacy notice templates have failed to gain broad traction, Apple's requirements should serve as the tipping point for making privacy nutrition labels mainstream. This simplified, standardized, visual approach to transparency about the data sharing that is hardest to understand, is an excellent example of how market-driven approaches to addressing privacy can drive better practices across an entire ecosystem and serve as an example for regulators and legislators as they try to tackle how best to address privacy concerns and rights via laws, regulations, and enforcement actions.  

"These new requirements also raise the bar for app developers to know their data, data practices, and data sharing in order to update their apps or launch new ones starting December 8th.  While apps have been complying with the requirement to post a privacy notice for years now, few organizations are experienced in developing and maintaining the data inventories and data flows that are needed to comply with Apple's requirements. This new business driver for app developers is bound to drive a growing interest in the privacy automation necessary to comply."

Doug Dooley, COO from Data Theorem, has concerns: “We are hearing from developers this will be tough on a lot of businesses. There is a significant new burden added to security and developer (DevSecOps) teams for every new application launch/update going through Apple’s App Store and Mac Store. The necessary level of tracking of an application is not there for most companies. Most application publishers are not even aware of how many different third-party SDKs and open source libraries they use on a per application basis. Each of those third-party code snippets is often connected to backend API services sharing data. We have capabilities added to our platform, such as the “Data Leak Dashboard,” to make it easier to automate the discovery and inspection of third-party SDK/OS libraries so application (Mobile, Web, API) data privacy practices are easier to monitor and fully disclose. However, for the vast majority of the industry, this level of data privacy tracking will be a big hurdle to overcome. If we can pull together and get this sorted out, consumers of apps will be the biggest winners without hurting app publishers for improper disclosure of privacy.”

KEYWORDS: cyber security data protection privacy regulation risk management


Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.
