# Guideline 5.1.1(ii) - Privacy: Collecting Data Without User Consent

**Guideline:** 5.1.1 · **Store:** Apple App Store · **Risk:** medium · **Difficulty:** medium · **Typical turnaround:** 2-8 hours

Canonical URL: https://appstorereject.com/rejections/apple/5/guideline-511ii-privacy-collecting-data-without-user-consent

## Description

Apple is rejecting your app because it collects, transmits, or uses personal data without obtaining user consent first. Under guideline 5.1.1(ii), apps must get explicit permission before collecting any personal information — names, email addresses, device identifiers, location, contacts, photos, or any other data that can identify a user. This rejection typically appears when the reviewer observes data being collected during app launch, account creation, or normal usage without a clear consent mechanism. Common triggers include: silently syncing the user's contacts or photos, collecting analytics data or device fingerprints before the user agrees to a privacy policy, or sending personal data to third-party SDKs on first launch without any consent dialog. The fix requires implementing a clear opt-in mechanism before any data collection begins. This is distinct from the App Tracking Transparency (ATT) framework — ATT is specifically about cross-app tracking. This guideline covers all personal data collection, even first-party. The consent mechanism can be a terms/privacy acceptance screen during onboarding, but it must happen before the data is transmitted.

## Common variations

- App collects user data without prior user consent
- App transmits personal data upon launch without permission
- Personal data is sent to third-party SDK before user consent
- App silently accesses user data without clear visual indication
- User data is collected during onboarding before privacy consent is obtained

## Example rejection email

```
Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage

Your app collects user or device data without prior user consent. Specifically, your app transmits personal data to your server upon launch without first obtaining the user's permission to collect this information.

Apps must obtain explicit user consent and provide a clear visual indication when collecting user or device data.

Next Steps:
Please update your app to obtain user consent before collecting, transmitting, or using personal data. The consent mechanism must be clear, prominent, and occur before any data collection begins.
```

## Resolution steps

## Quick Assessment
- **Risk level:** Medium
- **Resolution path:** Fix & Resubmit
- **Typical turnaround:** 2-8 hours

## The Fix

01. **Audit all network calls at launch** — Use Charles Proxy or Instruments to capture every network request your app makes before the user interacts. Identify any calls that transmit personal data or device identifiers.

02. **Defer SDK initialization** — Move third-party SDK initialization (analytics, crash reporting, attribution) to after the user has provided consent. Most SDKs support deferred initialization.

03. **Add a consent screen** — Implement a clear consent dialog or onboarding screen that (a) explains what data will be collected, (b) links to your privacy policy, and (c) requires affirmative action (tap 'I Agree' or 'Continue') before proceeding.

04. **Gate data collection on consent** — Store the consent state locally. Only begin data collection after consent is recorded. For returning users, you can persist the consent state so they don't see the dialog every launch.

05. **Handle consent withdrawal** — Provide a way for users to withdraw consent (e.g., in Settings) and actually stop collecting data when they do.

## Prevention
- Implement a consent-first architecture from the start
- Use a consent management platform (CMP) if you have multiple SDKs
- Audit new SDK integrations for automatic data collection on init

## Appeal guidance

Appeal only if no personal data is actually collected (e.g., the reviewer misidentified anonymous telemetry as personal data). Provide a detailed technical explanation of what data is sent, when, and that none of it constitutes personal data. Otherwise, fix and resubmit.

## Before / after examples

**Before:** App initializes Firebase Analytics, Adjust SDK, and Facebook SDK in application(_:didFinishLaunchingWithOptions:) before any user interaction
**After:** App shows a consent screen on first launch; SDKs are only initialized after user taps 'I Agree'; consent state is persisted in UserDefaults
**Why it works:** Third-party SDKs often begin collecting data immediately on initialization. Deferring init until after consent satisfies Apple's requirement.

## Common questions

**Can you appeal a 5.1.1 rejection?**

Appeal only if no personal data is actually collected (e.g., the reviewer misidentified anonymous telemetry as personal data). Provide a detailed technical explanation of what data is sent, when, and that none of it constitutes personal data. Otherwise, fix and resubmit.

**How long does this typically take to fix?**

Typical turnaround is 2-8 hours (difficulty: medium). After resubmission, most re-reviews complete within 24-48 hours.

---
*Machine-readable source: https://api.appstorereject.com/api/rejections/detail?slug=guideline-511ii-privacy-collecting-data-without-user-consent*