Apps for Apple will need GDPR compliant privacy policies - update yours now!

5 October 2018

From this week, if you want to continue to offer your app via the App Store, you’re going to need to have a GDPR compliant privacy policy in place.

After updating its App Store Review Guidelines back in June to require that all apps, including those being submitted for testing, must have a privacy policy in place, Apple has recently announced to its app developers that as of 3 October 2018 it will be enforcing these new guidelines. This means that going forward, you will no longer be able to submit an app for distribution through the App Store or through TestFlight for testing without providing a privacy policy.

The guidelines require that the privacy policy must include certain information, which is similar to the Article 13 and 14 ‘right to information’ requirements of the General Data Protection Regulation (GDPR).

If your app already has a GDPR compliant privacy policy then you do not need to take any action. However, if you are not confident that your current privacy policy is GDPR compliant, we recommend that you seek advice on this as soon as possible, as there is now a risk your app may be removed from the App Store.

If you are developing a new app or considering updating your existing app, you will need to ensure you have a GDPR compliant privacy policy to accompany it as soon as possible and in any event before you submit it to testing or the App Store.

Under Apple’s new rules you will only be able to edit your policy when you submit a new version of your app, so it is imperative you get your policy right and GDPR compliant the first time. If not, you will be in breach of the GDPR and will also expose yourself to the risk of a complaint to the Information Commissioner’s Office.

In our view, it’s not surprising that Apple are taking this more proactive approach and will be reviewing privacy policies themselves before allowing new/updated apps onto the App Store, meaning if your policy is not compliant when submitted it may hold up or block your app making it on to the App Store altogether.

So what does a GDPR compliant privacy policy look like?

Under the GDPR, the requirements for what must be contained in a privacy policy are much more onerous than under the previous legislation. It’s not going to be sufficient to use a generic one - you’re going to need to make sure it sets out the following as they relate to your own app:

  • purposes for processing
  • legal basis for processing
  • recipients or categories of recipients of the data
  • retention periods
  • details of any transfers of data outside the EEA
  • details of individuals’ rights.

If you’d like a GDPR compliant privacy policy for your app, or would like a review of your privacy policy for GDPR compliance, please contact us at GDPR@brownejacobson.com.

Written by Ella Greenwood and Tom Nanson
