Apple & ATT

Apple & ATT

App privacy details on the App Store:
https://developer.apple.com/app-store/app-privacy-details/


Data collection

“Collect” refers to transmitting data off the device in a way that allows you and/or your third-party partners to access it for a period longer than what is necessary to service the transmitted request in real time.

“Third-party partners” refers to analytics tools, advertising networks, third-party SDKs, or other external vendors whose code you’ve added to your app.

You will have to declare that data is collected.

  • Usage Data
    • Product Interaction
    • Advertising Data

Data Use

You should have a clear understanding of how each data type is used by you and your third-party partners.
Apple's table on types of data

We collect usage data to understand how the app is used.
The data is analysed to discover patterns in how the app is interacted with.

  • Third-Party Advertising.
    We use the pattern of behaviour (how an app is interacted with) to determine which Ad Creative should be returned in a bid response.
  • Analytics.
    We use the pattern of behaviour (how and app is interacted with) to improve the app & service.

Data linked to the user

You’ll need to identify whether each data type is linked to the user’s identity (via their account, device, or other details) by you and/or your third-party partners. Data collected from an app is often linked to the user’s identity, unless specific privacy protections are put in place before collection to de-identify or anonymize it, such as:

Stripping data of any direct identifiers, such as user ID or name, before collection.
Manipulating data to break the linkage and prevent re-linkage to real-world identities.
Additionally, in order for data not to be linked to a particular user’s identity, you must avoid certain activities after collection:

You must not attempt to link the data back to the user’s identity.
You must not tie the data to other datasets that enable it to be linked to a particular user’s identity.
Note: “Personal Information” and “Personal Data”, as defined under relevant privacy laws, are considered linked to the user.

There is no data linked to a user.

  • There are no direct identifiers.
  • The data can't be linked to real-world identities.

Tracking

You’ll need to understand whether you and/or your third-party partners use data from your app to track users and, if so, which data is used for this purpose.

“Tracking” refers to linking data collected from your app about a particular end-user or device, such as a user ID, device ID, or profile, with Third-Party Data for targeted advertising or advertising measurement purposes, or sharing data collected from your app about a particular end-user or device with a data broker.

“Third-Party Data” refers to any data about a particular end-user or device collected from apps, websites, or offline properties not owned by you.

Examples of tracking include:

  • Displaying targeted advertisements in your app based on user data collected from apps and websites owned by other companies.
  • Sharing device location data or email lists with a data broker.
  • Sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to retarget those users in other developers’ apps or to find similar users.
  • Placing a third-party SDK in your app that combines user data from your app with user data from other developers’ apps to target advertising or measure advertising efficiency, even if you don’t use the SDK for these purposes. For example, using a login SDK that repurposes the data it collects from your app to enable targeted advertising in other developers’ apps.

Nefta does not track users in any capacity.

We do not link data collected from your app about a particular end-user or device with any third-party data.
We do not share any data collected from your app with anyone.


Additional:

"It is worth emphasizing that ATT only applies to third-party data and has no bearing on the use of first-party data
for any company. Companies that do not use third-party data for advertising, do not track users,
and do not share data with data brokers do not need to request permission from users under ATT"

ATT does not restrict iOS apps’ ability to collect or use first-party data. ATT only applies to third-party data and has no bearing on the use of first-party data. ATT does not place any restrictions on iOS apps’ use of first-party data. ATT does not in any way prohibit companies from collecting first-party data, even when users decline permission for tracking. iOS apps can serve users targeted ads, measure the effectiveness of ad campaigns, and otherwise use any first-party data they collect without prompting users for permission to track. They can do this with firstparty data collected either within an app or across different apps owned by the same company. This means that companies that do not use third-party data for advertising are not impacted by ATT at all.

Source

Nefta:

Kinshuk Jerath Ph.D., Professor of Business at Columbia, funded by Apple to write a paper and report on ATT, which is subsequently hosted by Apple under the privacy docs, clearly states the spirit behind the letter of their policies.

From this history of the industry, to GDPR, to CCPA, to ATT, the commentary surrounding ATT; it is clear that first-party data is permitted and in good spirit, whereas third-party data practices and tracking users are absolutely not.