In the wake of the Path privacy issues, Apple confirmed today what was already clear based on their privacy policies:
> Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.
If your app accesses contact or other personal information from the device, you should already have been asking for permission to do so. If you haven’t been, be sure you are now. And it goes without saying that your privacy policy should be very clear about listing exactly what you pull in, whether you anonymize it (see below) and how long you keep it.
Here are two questions Apple hasn’t yet answered:
- What transmission and server-side privacy protections should be followed once the user has provided consent? At a minimum, these would include the use of SSL for the actual transmission of contact information to the server, and the hashing of the information. When done right, this doesn’t have to impair functionality like finding common connections with other users of your app. This fine article about hashing explains it very well (and is also linked in our resource center).
- If you already have collected data without consent, do you need to delete it? As of this post, Apple hasn’t provided guidance on this question. The most conservative course is to delete the information and request new consent from the user to upload it again; in this process you could ensure that you conform with SSL and hashing practices. I can hear a practical argument that there’s no privacy disadvantage to instead immediately hashing all contact information on hand, then providing the choice to the user and immediately deleting the hashed version if they so choose.
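As an added illustration (not code from this post or from Apple), the Python sketch below shows the normalize-then-hash matching the first question refers to: each user's address book is reduced to hashes, and common connections are found by intersecting the hash sets without ever comparing raw identifiers. It uses a keyed hash (HMAC-SHA256 with a server-held secret) rather than a bare hash, because phone numbers are few enough that an unkeyed hash can be reversed by enumeration; the sample contacts, the pepper value and the US default country code are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample address books for two users of the app (not real data).
ALICE_CONTACTS = ["+1 (555) 010-0001", "bob@example.com", "555-010-0003"]
BOB_CONTACTS = ["(555) 010-0001", "Carol@Example.com", "+15550100009"]

# Hypothetical server-side secret ("pepper"); an assumption for this example.
# It must never ship inside the app, or the keyed hash degrades to a plain one.
SERVER_PEPPER = b"replace-with-a-random-secret-kept-only-on-the-server"


def normalize(identifier: str) -> str:
    """Canonicalize so the same contact hashes identically from every device.

    Emails are lower-cased; phone numbers keep digits only and get a default
    country code (US, +1, assumed here) when none is present.
    """
    ident = identifier.strip()
    if "@" in ident:
        return ident.lower()
    digits = re.sub(r"\D", "", ident)
    if len(digits) == 10:  # national number without a country code
        digits = "1" + digits
    return "+" + digits


def hash_contact(identifier: str, pepper: bytes = SERVER_PEPPER) -> str:
    """HMAC-SHA256 of the normalized identifier, hex-encoded.

    With the pepper unknown, an attacker holding the stored hashes cannot
    simply hash every possible phone number and look for a match.
    """
    msg = normalize(identifier).encode("utf-8")
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


def hashed_book(contacts) -> set:
    """The only form of the address book that needs to be stored."""
    return {hash_contact(c) for c in contacts}


def common_connections(book_a, book_b) -> set:
    """Matching works on the hashes alone; raw identifiers are never compared."""
    return hashed_book(book_a) & hashed_book(book_b)
```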