0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

apps for Apple will need GDPR compliant privacy policies - update yours now!

5 October 2018

From this week - if you want to continue to offer your app via the apple store you’re going to need to have a GDPR compliant privacy policy in place.

After updating its App Store Review Guidelines back in June to require that all apps, including those being submitted for testing, must have a privacy policy in place, Apple has recently announced to its app developers that as of 3 October 2018 it will be enforcing these new guidelines. This means that going forward, you will no longer be able to submit an app for distribution through the App Store or through TestFlight for testing without providing a privacy policy.

The guidelines require that the privacy policy must include certain information, which is similar to the Article 13 and 14 ‘right to information’ requirements of the General Data Protection Regulation (GDPR).

If your app already has a GDPR compliant privacy policy then you do not need to take any action, though we recommend that if you are not confident that your current privacy policy is GDPR complaint, that you seek advice on this as soon as possible, as there is a now a risk your app may be removed from the App Store.

If you are developing a new app or considering updating your existing app, you will need to ensure you have a GDPR complaint privacy policy to accompany it as soon as possible and in any event before you submit it to testing or the App Store.

Under Apple’s new rules you will only be able to edit your policy when you submit a new version of your app, so it is imperative you get your policy right and GDPR compliant the first time, if not you will be in breach of the GDPR and will also expose yourself to the risk of a complaint to the Information Commissioner’s Office.

In our view, it’s not surprising that Apple are taking this more proactive approach and will be reviewing privacy policies themselves before allowing new/updated apps onto the App Store, meaning if your policy is not compliant when submitted it may hold up or block your app making it on to the App Store altogether.

So what does a GDPR compliant privacy policy look like?

Under the GDPR, the requirements for what must be contained in a privacy policy are much more onerous than under the previous legislation. It’s not going to be sufficient to use a generic one - you’re going to need to make sure it sets out the following as they relate to your own app:

  • purposes for processing
  • legal basis for processing
  • recipients or categories of recipients of the data
  • retention periods
  • details of any transfers of data outside the EEA
  • details of individual’s rights.

If you’d like a GDPR compliant privacy policy for your app, or would like a review of your privacy policy for GDPR compliance, please contact us at GDPR@brownejacobson.com.

Written by Ella Greenwood and Tom Nanson

related opinions

Compulsory drone registration goes live on 1 October 2019

As part of the continued tightening of the restrictions on drone use within UK airspace, the latest amendments to the Air Navigation Order 2016 come into force on 30 November 2019.

View blog

IR35 changes - six months and counting...

In his 2018 Autumn Budget, the then Chancellor, Phillip Hammond, announced a significant change to the way liability for IR35 breaches will be dealt with for private sector companies from April 2020.

View blog

Marriott International: a look behind the ICO’s £99m fine and what this means for corporate acquisitions

Last month, the Information Commissioner’s Office (ICO) announced notice of its intention to fine (NOI) Marriott International, Inc. £99m for infringements of the GDPR.

View blog

SFO fail to secure individual criminal convictions following Deferred Prosecution Agreement

On 16 July 2019 the Serious Fraud Office released details of the Deferred Prosecution Agreement reached with Sarclad Ltd in July 2016.

View blog

mailing list sign up



Select which mailings you would like to receive from us.

Sign up