Apple Cracking Down On Apps That Send Location Data To Third Parties

Apple has been removing some apps that share location data with third parties and informing developers that their app violates two parts of the App Store Review Guidelines. "The company informs developers via email that 'upon re-evaluation,' their application is in violation of sections 5.1.1 and 5.1.2 of the App Store Review Guidelines, which pertain to transmitting user location data and user awareness of data collection," reports 9to5Mac. From the report: Apple explains that developers must remove any code, frameworks, or SDKs that relate to the violation before their app can be resubmitted to the App Store. Apple's crackdown on these applications comes amid a growing industry shift due to General Data Protection Regulation, or GDPR, in the European Union. While Apple has always been a privacy-focused company, it is seemingly looking to ensure that developers take the same care of user data.

In the instances we've seen, the apps in question don't do enough to inform users about what happens with their data. In addition to simply asking for permission, Apple appears to want developers to explain what the data is used for and how it is shared. Furthermore, the company is cracking down on instances where the data is used for purposes unrelated to improving the user experience.

GDPR

[khchung]

Wow, a law that seemed to be actually accomplishing what it intended to do! Who would have thought?

Re:GDPR

[Wrath0fb0b]

Wow, a law that seemed to be actually accomplishing what it intended to do! Who would have thought?

In the context of data collected by a third party app, it seems certain that the OS and/or hardware manufacturer is not a data processor or data controller within the meaning of the GDPR.

So this has nothing at all to do with the GDPR. Sure the actual processors/controllers of the data -- here the app developer and whatever third-party services to which they are sending the data -- might be out of compliance, but that can't be Apple's problem.

[ Think of it this way, if the GDPR considered the platform owner to be a processor or controller of data collected by a third-party application and liable for that data, then it would be crazy to even allow an application to bring up a WebView, since that would mean that a remote service could request arbitrary information (e.g. name/DOB) in a way the platform would have no visibility into and no way to later revoke/delete.

Ultimately, the application that actually collects the data needs to be the one that's compliant. The OS/hardware/app-store/platform can provide tools to help, but they cannot enforce the GDPR. ]

[[ Also, it occurs to me that maybe the law is accomplishing this by raising awareness of location privacy and thus spurring Apple to take an action that, while not required by the law, is in the spirit of the law. In that case, sure, but at least that requires acknowledging that the law didn't coerce them into doing so. ]]

Re:Well good for Apple

[Dog-Cow]

Policies change. Apps change. And finding out that company behind the app is selling user data is not something that can be done when reviewing the app.

Re:Wow

[Riceballsan]

It sounds more like apple is requiring their developers to be more up front and clear to the customer about what location information they are collecting who they are sending it to and why, as well as make them explain to apple why the user experience depends on being able to collect location information. Sounds to me like tinder, uber, pokemon go etc... all at most will need to add a bit more information in a pop-up to let the users know if the companies are doing anything with the information other than the obvious, but will have zero issue justifying why that information is needed

Re:Do as I say, not as I do

[Riceballsan]

You are the first person I've heard make any note of the suspicions. If no significant quantity or sources with a huge following are accusing them of something, making a statement to bring it up creates suspicion where there is none. Say for instance if you were looking up a local Chinese food restaurant, and they added to a front page of their site. "We just want to make clear, we do not use cat meat in our food. Here's a record of our actual meat order supplies to prove it". If you've never heard any accusations on their company, you'd be MORE likely to second guess eating there, because the rumors that you previously hadn't heard were just pointed out to you, and the fact that they were worth responding to, makes them more credible than if some random guy on the street told you it.