Guideline 5.1.1
Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
Our Take
Starting Spring 2024, Apple requires a PrivacyInfo.xcprivacy file in every app and third-party SDK that accesses user data or device APIs covered by the Required Reason API list. If your app binary — or any embedded framework/SDK — lacks this manifest, Apple will reject the submission. The manifest must declare NSPrivacyTracking, NSPrivacyTrackingDomains, NSPrivacyCollectedDataTypes, and NSPrivacyAccessedAPITypes with the specific API categories and approved reason codes your app uses.
Resolution Guide
**Create the manifest file** — In Xcode, select your app target → File → New → File → App Privacy. This generates a `PrivacyInfo.xcprivacy` file at the root of your target.
**Declare accessed API types** — Open the manifest and add every Required Reason API your app uses under `NSPrivacyAccessedAPITypes`. Each entry needs:
- `NSPrivacyAccessedAPITypeReasons`: an array of approved reason codes (e.g. `["C617.1"]`)
**Declare tracking** — Set `NSPrivacyTracking` to `true` or `false`. If `true`, list all tracking domains in `NSPrivacyTrackingDomains`.
**Declare collected data types** — Add each data type to `NSPrivacyCollectedDataTypes` with its purpose, linked status, and tracking flag.
**Handle third-party SDKs** — Each SDK must ship its own `PrivacyInfo.xcprivacy`. Check your SDK vendors for updated versions. For SDKs without a manifest, create one in the framework bundle or wrap the SDK in an XCFramework that includes it.
**Verify with Xcode** — In Xcode 15+, go to Product → Archive → Generate Privacy Report. This scans all targets and embedded frameworks, listing any missing declarations.
**Common Required Reason APIs to check**:
- `NSPrivacyAccessedAPICategoryUserDefaults` (UserDefaults)
- `NSPrivacyAccessedAPICategorySystemBootTime` (system uptime)
- `NSPrivacyAccessedAPICategoryDiskSpace` (disk space queries)
**Test locally** — Build and archive. Confirm the privacy report shows all declarations with no warnings before submitting.
Example Rejection Email
Consider Appealing
Appeals are unlikely to succeed — Apple enforces this requirement programmatically. If the rejection cites a third-party SDK you cannot control, explain that you have filed an issue with the SDK vendor and include their timeline for an update. Apple may grant a temporary exception.
Before & After
App uses UserDefaults and file timestamps but has no PrivacyInfo.xcprivacy file anywhere in the project
PrivacyInfo.xcprivacy added to app target:
<key>NSPrivacyAccessedAPITypes</key>
<array>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array><string>CA92.1</string></array>
</dict>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array><string>C617.1</string></array>
</dict>
</array>
What changed: Every Required Reason API must be declared with an approved reason code in the privacy manifest
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy
- Guideline 5.1.1 - Privacy: ATT Framework Without Tracking Usage Description