# Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch

**Guideline:** 5.1.1 · **Store:** Apple App Store · **Risk:** medium · **Difficulty:** medium · **Typical turnaround:** 2-4 hours

Canonical URL: https://appstorereject.com/rejections/apple/5/guideline-511-data-collection-and-storage-privacy-nutrition-label-mismatch

## Description

The data types declared in your App Privacy (nutrition label) section in App Store Connect do not match what your app or its SDKs actually collect. Apple cross-references the privacy manifest (NSPrivacyCollectedDataTypes), your App Privacy declarations, and in some cases performs dynamic analysis. Mismatches — such as declaring 'Data Not Collected' while the app transmits analytics, device identifiers, or crash logs — result in rejection. This also covers cases where tracking is detected (ATT-gated data sharing with third parties for advertising) but the nutrition label does not disclose it.

## Common variations

- App Privacy responses do not match actual data collection
- Analytics SDK collects data not disclosed in nutrition label
- Tracking declared as false but ATT-gated data sharing detected
- Crash reporting data not disclosed in App Privacy
- Third-party SDK data collection not reflected in nutrition label
- Data linked to identity not declared as such
- Coarse location declared but precise location collected

## Example rejection email

```
We noticed that your app collects data that is not reflected in your app's App Privacy responses in App Store Connect. Specifically, your app collects Device ID and Usage Data through analytics SDKs, but your App Privacy declarations indicate that no data is collected. Please update your App Privacy responses to accurately reflect all data your app collects, including data collected by third-party SDKs.
```

## Resolution steps

## How to Fix: Privacy Nutrition Label Mismatch

1. **Audit every data type your app collects** — Go beyond your own code. Include all third-party SDKs:
   - **Analytics**: Firebase Analytics, Mixpanel, Amplitude, PostHog → typically collect Device ID, Usage Data, Diagnostics
   - **Crash reporting**: Crashlytics, Sentry, Bugsnag → collect Crash Data, Performance Data, Device ID
   - **Advertising**: AdMob, Facebook SDK, AppLovin → collect Device ID, Advertising Data, Usage Data
   - **Social login**: Sign in with Apple, Google Sign-In, Facebook Login → collect Email, Name, User ID

2. **Cross-reference with your privacy manifest** — Open `PrivacyInfo.xcprivacy` and check that every data type in `NSPrivacyCollectedDataTypes` matches what you declare in App Store Connect.

3. **Update App Store Connect** — Go to App Store Connect → Your App → App Privacy. For each data type:
   - Select the correct **data type** (e.g., Device ID, Usage Data, Crash Data)
   - Indicate whether it is **linked to the user's identity**
   - Indicate whether it is used for **tracking** (as defined by Apple: sharing with third parties for advertising or sharing with data brokers)
   - Select the **purposes** (Analytics, App Functionality, etc.)

4. **Check "Data Not Collected" carefully** — If you selected "Data Not Collected," verify that:
   - No analytics SDK sends any events
   - No crash reporter transmits device info
   - No network calls send device identifiers
   - The app does not use ATT or IDFA

5. **Verify tracking disclosure** — If your app calls `ATTrackingManager.requestTrackingAuthorization()`, you must:
   - Set `NSPrivacyTracking` to `true` in your manifest
   - Disclose all tracking domains in `NSPrivacyTrackingDomains`
   - Mark the relevant data types as "Used for Tracking" in the nutrition label

6. **SDK documentation** — Most major SDKs publish which data types to declare. Check:
   - Firebase: firebase.google.com/docs/ios/app-store-data-collection
   - Facebook: developers.facebook.com/docs/ios/app-store-compliance
   - Sentry: docs.sentry.io/platforms/apple/data-management/apple-privacy-manifest/

7. **Resubmit** — After updating both the manifest and App Store Connect declarations, resubmit for review.

## Appeal guidance

If you believe Apple's detection is incorrect (e.g., an SDK is present but disabled via feature flags), provide evidence: network traffic logs showing no data is transmitted, or SDK configuration showing the data collection is disabled. Apple's review team can escalate to verify.

## Before / after examples

**Before:** App Privacy in App Store Connect: "Data Not Collected" — but the app includes Firebase Analytics (collects Device ID, Usage Data) and Crashlytics (collects Crash Data, Performance Data)
**After:** App Privacy updated to declare: Device ID (Analytics, App Functionality — linked to identity), Usage Data (Analytics — not linked), Crash Data (App Functionality — not linked), Performance Data (App Functionality — not linked). Tracking: No (no ATT usage, no ad SDKs)
**Why it works:** Every SDK's data collection must be reflected in the App Privacy nutrition label, even if you do not directly access the data yourself

## Common questions

**Can you appeal a 5.1.1 rejection?**

If you believe Apple's detection is incorrect (e.g., an SDK is present but disabled via feature flags), provide evidence: network traffic logs showing no data is transmitted, or SDK configuration showing the data collection is disabled. Apple's review team can escalate to verify.

**How long does this typically take to fix?**

Typical turnaround is 2-4 hours (difficulty: medium). After resubmission, most re-reviews complete within 24-48 hours.

---
*Machine-readable source: https://api.appstorereject.com/api/rejections/detail?slug=guideline-511-data-collection-and-storage-privacy-nutrition-label-mismatch*