Apple Privacy manifest file

You’ll have a manifest, per: Describing data use in privacy manifests | Apple Developer Documentation

as you’re required to have at least a link to your website privacy webpage:

Privacy Policy (Required): The URL to your publicly accessible privacy policy.

Probably want to have a chat with your organization’s legal people about what should be included on that webpage (if you don’t already have one), and what should be updated there and/or included in the manifest, too.

ravindra132 wrote:

We are not including any other developer code or any third party framework then do we need to add the manifest file or not?

I don't know anything about your app so I can't answer. For example, usage of certain APIs require an entry in the privacy manifest file. Also, there is a top-level boolean value in that file that you can simply set to false to declare that you aren't collecting any information. So why not use it?

etresoft wrote:

etresoft wrote:

What does it matter? How long does it take to add the file, click the + button, select "Privacy Tracking Enabled" and let it default to NO? How much time have you already spent trying to avoid that? Why?

Apparently, this is incorrect. A recent post on the Apple developers forums by an Apple DTS engineer says to avoid including an empty privacy manifest.

Given the URL is required, there can’t be an empty manifest.

ravindra132 wrote:

We are not including any other developer code or any third party framework then do we need to add the manifest file or not?

You’ll have a manifest file, per: Describing data use in privacy manifests | Apple Developer Documentation

as you’re required to have at least a link to your website privacy webpage included:

Privacy Policy (Required): The URL to your publicly accessible privacy policy.

I’d be surprised if you weren’t at least incidentally also collecting data, too. Bug reports or feedback or server logs, for instance.

MrHoffman wrote:

Given the URL is required, there can’t be an empty manifest.

I think you're referring to the privacy policy URL. That is required for App Store Connect. But there is little evidence that Apple actually checks that it is valid.

The privacy manifest is something else altogether. It serves several different proposes. Primarily it identifies apps whose primary function is personal data collection. These apps aren't banned, just identified. It also functions as a mini-entitlements file for various low-level APIs that aid in personal data collection. Again, developers don't need to ask permission to do this, they just need to declare it. And finally, it collects all of this information, and privacy manifests from bundled 3rd party frameworks to create a template for the privacy "nutrition label" to be setup in App Store Connect. The ultimate goal is to make it impossible for any developer to innocently disavow knowledge of personal data collection.

But it sounds like adding this file at all may flag an app for further inspection and tracking. In the end, it's just another tool to separate the wheat from the chaff.

ravindra132 wrote:

Yes, we can do that but can we assume that setting false to boolean(NSPrivacyTracking) is equal to not adding privacy manifest file at all?

What does it matter? How long does it take to add the file, click the + button, select "Privacy Tracking Enabled" and let it default to NO? How much time have you already spent trying to avoid that? Why?

ravindra132 wrote:

If we are not tracking or collecting any user data, do we mandatory to add Privacy Manifest file?

You are irrelevant. If you include code from other developers who are known to track and collect user data, then it is assumed that they will be doing this inside your app even if you are not.

ravindra132 wrote:

Yes, we can do that but can we assume that setting false to boolean(NSPrivacyTracking) is equal to not adding privacy manifest file at all?

Are y’all up to some shady stuff? Because if you’re not, generate the manifest file, set the URL, and move on.

etresoft wrote:

What does it matter? How long does it take to add the file, click the + button, select "Privacy Tracking Enabled" and let it default to NO? How much time have you already spent trying to avoid that? Why?

Apparently, this is incorrect. A recent post on the Apple developers forums by an Apple DTS engineer says to avoid including an empty privacy manifest.

MrHoffman wrote:

More info on what can trigger the need for this privacy manifest file, with links to docs and examples:

https://mastodon.social/@chockenberry/112095424613859371

That's incorrect.

According to Apple's documentation for NSUserDefaults:

With the exception of managed devices in educational institutions, a user’s defaults are stored locally on a single device, and persisted for backup and restore. To synchronize preferences and other data across a user’s connected devices, use NSUbiquitousKeyValueStore instead.

So, if developers use NSUbiquitousKeyValueStore instead of NSUserDefault, they get:

1) No need for privacy manifest

2) iCloud support

More info on what can trigger the need for this privacy manifest file, with links to docs and examples:

https://mastodon.social/@chockenberry/112095424613859371