Explained: What are iOS 17 Privacy Manifests, and how do they impact app developers?

iOS 17 and Privacy Manifests enforcement date have huge implications for app developers and SDK developers

Apple is further expanding on providing app store customers with more visibility into the use of their data. The end goal is to make sure that an app user has full understanding and control over what data they share, and that users aren’t unwillingly paying with their data for the app content they consume. Below, we explain how this is achieved by Privacy Manifests, required reasons API process, and other privacy tools included with iOS 17. We will take a look at the implications around third-party SDKs, both from an app developer’s and an SSP’s perspective, and provide examples as Verve is getting ready to support the new privacy measures.

Privacy Manifests and fighting probabilistic attribution

Privacy Manifests are meant to provide further transparency into user data collection and usage. In a way, Privacy Manifests are likely to significantly complicate (if not eliminate) probabilistic attribution and fingerprinting, which have become the last resort for some advertisers and MMPs after the release of iOS 14.5 and introduction of ATT.

While App Tracking Transparency (ATT) allows users to choose whether or not their data is tracked across apps and websites for advertising purposes, the Privacy Manifests will help app developers create more informative and standardized Privacy Nutrition Labels, giving app users better insight into what data the app accesses.

The ATT feature requires user consent in order to track users’ behavior across different apps — but users grant consent in as little as (reportedly) 34% cases. This left ad platforms and app marketers clueless about the performance of their user acquisition campaigns. 

The industry was left scrambling for a solution. Some MMPs and ad networks resorted to “probabilistic attribution,” often considered a kind of fingerprinting. Essentially, this approach collects some data when a user clicks an ad, and other data when the app starts — and then matches those two chunks of data probabilistically.

Probabilistic matching is still a common practice, but is not compliant with Apple’s regulations. The change Apple is implementing now will likely remove this workaround for good, leaving advertisers with SKAdNetwork as the only viable option for measuring campaigns on users who opted out of tracking.

For app developers, the new policy is expected to be enforced via the App Store review process in spring 2024, as pictured in Apple's "Get started with Privacy Manifests" — yet some actions are already available since fall 2023 as recommendations.

UPDATE: Privacy manifests will be enforced beginning May 1, 2024. More details here.

Privacy Manifests explainer

The introduction of Privacy Manifests and the required reasons APIs will have an impact comparable to the introduction of ATT in 2021. Let’s look at Privacy Manifests first. 

Privacy manifests are essentially files (created in Xcode) that every SDK and app developer will need to fill and add to their app. These files describe which user data the app is accessing and how the app developer is intending to use it. The Nutrition Label is in fact a good metaphor for this: similar to how a consumer checks the amount of sugar or carbs while doing groceries, one can easily check the data points the user will be sharing, when deciding to install an app from the App Store. Apple is taking an important step with transparency and educating consumers, while letting the consumer make an informed privacy-related decision.

From Apple’s documentation:

The privacy manifest is a property list that records the types of data collected by your app or third-party SDK, and the required reasons APIs your app or third-party SDK uses.

Privacy Manifests will document the privacy practices of the app’s code. Moving forward, whenever an app developer is preparing the app for upload to the App Store, Xcode will combine privacy manifests of all third-party SDKs used by the app into one comprehensive privacy report. Developers will refer to this report when providing their app’s privacy details in App Store Connect.

The required reasons APIs

Additionally, there is a required reasons API process to further extend on the “privacy by design” logic. Does a Calculator or a Flashlight app require accessing a consumer’s keyboard APIs to check the languages a user is typing in? To avoid letting apps access unnecessary data points, there is now a list of APIs that require declaration and a list of approved reasons to use them. 

When apps are using APIs that could potentially be used for fingerprinting (prohibited by Apple), the developers will need to provide a legitimate reason for using the API in question, and indicate the API in their privacy manifest. The app can then only use the API for reasons declared in this app’s privacy manifest.

Starting from fall 2023, developers will get notifications when an app uses a required reasons API without enough explanation in the privacy manifest. Starting from 2024 the required reasons declaration in the privacy manifest will become mandatory.

Accountability and enforcement

The practice of mandating that apps and SDKs specify what data they require and why will likely sunset probabilistic matching/fingerprinting. The enforcement is coming on both the operation system level (consumer level) and on the app store level (publisher level).

Apps are now accountable for the third-party SDKs they include. Apps without or with misleading Privacy Manifests (including the report on their third-party SDKs) won’t pass the App Store publishing review.

Apple’s review process is notoriously meticulous. For developers aiming to ship fast and get app approval ASAP, they can’t afford risking to postpone app store publishing due to failed editor review, or even getting the app banned from the app store as the worst case scenario. This will likely cause change, with developers paying more attention to each of their third-party SDKs' privacy practices. If no ATT consent is granted, iOS will block requests to tracking domains containing additional device or user information that could be used for fingerprinting. Essentially, in the case when Allowing App To Track is not granted via ATT, the OS will block internet connection for URLs with certain domains defined in the SDK's privacy manifest tracking domains list.

Impact on SDKs

These changes from Apple mean that SDK developers need to take care of two things:

1.) Be ready with their own privacy manifest — as Xcode will be combining all SDKs' privacy manifests into one for each individual app.

With changes from Apple iOS 17, SDK developers must describe data use in privacy manifests. This means declaring the data collected by your app or by third-party SDKs.
Source: Apple

2.) Make it easy for app developers to quickly understand their privacy practices and be confident about including the SDK in their build. This means maximizing transparency for their publishers, aiming to be very straightforward and unambiguous about their use of data.

Impact on app developers

First and foremost, app developers will need to introduce the new process and require maximum transparency on data collection and tracking from their SDK and API partners to ensure smooth generation of privacy-related reports and to minimize risk of not passing the app store review. 

Apart from the obvious extra load of being accountable for the third-party SDK and API usage and being more careful about data, developers will need to embrace the challenge of being left in the unknown with their user acquisition campaigns. App marketers will have to invest more into privacy-first marketing practices — from contextual targeting to ensuring proper SKAN configuration and looking into media mix modeling and other tools and to help measure and optimize user acquisition.

Get in touch

If you have any questions about how Privacy Manifests and how other Apple privacy tools/protocols are handled at Verve, or if any implications for your business are unclear — let’s talk. If you’re a customer, please get in touch with your account manager directly. Not a client of Verve? Please use this contact form, and we'll get back to you quickly.

Apple is further expanding on providing app store customers with more visibility into the use of their data. The end goal is to make sure that an app user has full understanding and control over what data they share, and that users aren’t unwillingly paying with their data for the app content they consume. Below, we explain how this is achieved by Privacy Manifests, required reasons API process, and other privacy tools included with iOS 17. We will take a look at the implications around third-party SDKs, both from an app developer’s and an SSP’s perspective, and provide examples as Verve is getting ready to support the new privacy measures.

Privacy Manifests and fighting probabilistic attribution

Privacy Manifests are meant to provide further transparency into user data collection and usage. In a way, Privacy Manifests are likely to significantly complicate (if not eliminate) probabilistic attribution and fingerprinting, which have become the last resort for some advertisers and MMPs after the release of iOS 14.5 and introduction of ATT.

While App Tracking Transparency (ATT) allows users to choose whether or not their data is tracked across apps and websites for advertising purposes, the Privacy Manifests will help app developers create more informative and standardized Privacy Nutrition Labels, giving app users better insight into what data the app accesses.

The ATT feature requires user consent in order to track users’ behavior across different apps — but users grant consent in as little as (reportedly) 34% cases. This left ad platforms and app marketers clueless about the performance of their user acquisition campaigns. 

The industry was left scrambling for a solution. Some MMPs and ad networks resorted to “probabilistic attribution,” often considered a kind of fingerprinting. Essentially, this approach collects some data when a user clicks an ad, and other data when the app starts — and then matches those two chunks of data probabilistically.

Probabilistic matching is still a common practice, but is not compliant with Apple’s regulations. The change Apple is implementing now will likely remove this workaround for good, leaving advertisers with SKAdNetwork as the only viable option for measuring campaigns on users who opted out of tracking.

For app developers, the new policy is expected to be enforced via the App Store review process in spring 2024, as pictured in Apple’s “Get started with Privacy Manifests” — yet some actions are already available since fall 2023 as recommendations.

UPDATE: Privacy manifests will be enforced beginning May 1, 2024. More details here.

Privacy Manifests explainer

The introduction of Privacy Manifests and the required reasons APIs will have an impact comparable to the introduction of ATT in 2021. Let’s look at Privacy Manifests first. 

Privacy manifests are essentially files (created in Xcode) that every SDK and app developer will need to fill and add to their app. These files describe which user data the app is accessing and how the app developer is intending to use it. The Nutrition Label is in fact a good metaphor for this: similar to how a consumer checks the amount of sugar or carbs while doing groceries, one can easily check the data points the user will be sharing, when deciding to install an app from the App Store. Apple is taking an important step with transparency and educating consumers, while letting the consumer make an informed privacy-related decision.

From Apple’s documentation:

The privacy manifest is a property list that records the types of data collected by your app or third-party SDK, and the required reasons APIs your app or third-party SDK uses.

Privacy Manifests will document the privacy practices of the app’s code. Moving forward, whenever an app developer is preparing the app for upload to the App Store, Xcode will combine privacy manifests of all third-party SDKs used by the app into one comprehensive privacy report. Developers will refer to this report when providing their app’s privacy details in App Store Connect.

The required reasons APIs

Additionally, there is a required reasons API process to further extend on the “privacy by design” logic. Does a Calculator or a Flashlight app require accessing a consumer’s keyboard APIs to check the languages a user is typing in? To avoid letting apps access unnecessary data points, there is now a list of APIs that require declaration and a list of approved reasons to use them. 

When apps are using APIs that could potentially be used for fingerprinting (prohibited by Apple), the developers will need to provide a legitimate reason for using the API in question, and indicate the API in their privacy manifest. The app can then only use the API for reasons declared in this app’s privacy manifest.

Starting from fall 2023, developers will get notifications when an app uses a required reasons API without enough explanation in the privacy manifest. Starting from 2024 the required reasons declaration in the privacy manifest will become mandatory.

Accountability and enforcement

The practice of mandating that apps and SDKs specify what data they require and why will likely sunset probabilistic matching/fingerprinting. The enforcement is coming on both the operation system level (consumer level) and on the app store level (publisher level).

Apps are now accountable for the third-party SDKs they include. Apps without or with misleading Privacy Manifests (including the report on their third-party SDKs) won’t pass the App Store publishing review.

Apple’s review process is notoriously meticulous. For developers aiming to ship fast and get app approval ASAP, they can’t afford risking to postpone app store publishing due to failed editor review, or even getting the app banned from the app store as the worst case scenario. This will likely cause change, with developers paying more attention to each of their third-party SDKs’ privacy practices. If no ATT consent is granted, iOS will block requests to tracking domains containing additional device or user information that could be used for fingerprinting. Essentially, in the case when Allowing App To Track is not granted via ATT, the OS will block internet connection for URLs with certain domains defined in the SDK’s privacy manifest tracking domains list.

Impact on SDKs

These changes from Apple mean that SDK developers need to take care of two things:

1.) Be ready with their own privacy manifest — as Xcode will be combining all SDKs’ privacy manifests into one for each individual app.

2.) Make it easy for app developers to quickly understand their privacy practices and be confident about including the SDK in their build. This means maximizing transparency for their publishers, aiming to be very straightforward and unambiguous about their use of data.

Impact on app developers

First and foremost, app developers will need to introduce the new process and require maximum transparency on data collection and tracking from their SDK and API partners to ensure smooth generation of privacy-related reports and to minimize risk of not passing the app store review. 

Apart from the obvious extra load of being accountable for the third-party SDK and API usage and being more careful about data, developers will need to embrace the challenge of being left in the unknown with their user acquisition campaigns. App marketers will have to invest more into privacy-first marketing practices — from contextual targeting to ensuring proper SKAN configuration and looking into media mix modeling and other tools and to help measure and optimize user acquisition.

Get in touch

If you have any questions about how Privacy Manifests and how other Apple privacy tools/protocols are handled at Verve, or if any implications for your business are unclear — let’s talk. If you’re a customer, please get in touch with your account manager directly. Not a client of Verve? Please use this contact form, and we’ll get back to you quickly.