What are Apple’s privacy manifests?

Privacy manifests, otherwise known as privacy manifest files, are one of Apple’s iOS 17 privacy features. Privacy manifests are designed to give app developers full transparency into how the third-party SDKs they work with collect and use data. One of iOS 17’s other privacy features are the required reason APIs, which are a key element that must be recorded in each privacy manifest.

Privacy manifests are, according to Apple, “a property list that records the types of data collected by your app or third-party SDK, and the required reason APIs your app or third-party SDK uses.”

Xcode, Apple’s integrated development environment, combines all privacy manifests provided by the SDKs in a given app and sends this information to the developer in one easy-to-read PDF report (the Privacy Report) at the time of publishing to the App Store. This report is both comprehensive and aggregated, and its goal is to enable developers to create accurate Privacy Nutrition Labels.

The Privacy Report app developers receive (combining all privacy manifests) looks like this:

There are several critical pieces of information that must be reported by all apps and SDKs in the privacy manifest. Starting with iOS 17, this will be required both when publishing a new app or when publishing a new update to an existing app.

1. Required reason APIs

   Fingerprinting has long been banned by Apple, and its new category of APIs, called required reason APIs, are the next step in combating this practice. Any apps or SDKs referencing an API on the list of APIs that require a reason will need to state an allowed reason for it within the privacy manifest. So, starting with iOS 17, when a new app is uploaded, or an existing app is updated to App Store Connect, which is using an API from the list, a notice will be sent if a reason has not been provided. By Spring 2024, a reason will be required to update or upload at all.

2. Data usage categories

   In addition to declaring an allowed reason for reference to required reason APIs, app developers also need to add a ‘dictionary’ to their privacy manifest. This dictionary will explain the usage of specific categories of data that their app or third-party SDK collects. The following four keys must be contained within the dictionary:

• The type of data collected.

• Whether this data is linked to end-users’ identities.

• If the data is used to perform any type of tracking.

• A list of reasons for which the data is being collected.

  For the list of reasons, Apple has a predefined set of purposes that can be referenced.

3. External domain usage

   Any external domains used in the app or in a third-party SDK must also be recorded in the privacy manifest. This is to ensure full transparency into the presence of all domains that could be used for tracking purposes. Domains that don’t comply with Apple’s latest privacy guidelines and App Tracking Transparency (ATT) requirements may be subjected to preventive blocking unless the user has opted-in.

You can find the most up-to-date information on Apple and iOS changes and privacy requirements on our blog, check out our SKAdNetwork (SKAN) and iOS Solutions here, or get in touch with your Adjust contact person for guidance on how to best tackle Privacy Manifests.