Guideline 5.1.1

Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing

High RiskMedium DifficultyTypical Fix: 1-3 hours0 Reports
Also known as:ITMS-91053: Missing API declarationMissing privacy manifest for third-party SDKPrivacyInfo.xcprivacy not found in app bundlePrivacy manifest required for embedded frameworkSDK does not include required privacy manifest

Our Take

Starting Spring 2024, Apple requires a PrivacyInfo.xcprivacy file in every app and third-party SDK that accesses user data or device APIs covered by the Required Reason API list. If your app binary — or any embedded framework/SDK — lacks this manifest, Apple will reject the submission. The manifest must declare NSPrivacyTracking, NSPrivacyTrackingDomains, NSPrivacyCollectedDataTypes, and NSPrivacyAccessedAPITypes with the specific API categories and approved reason codes your app uses.

Resolution Guide

01

**Create the manifest file** — In Xcode, select your app target → File → New → File → App Privacy. This generates a `PrivacyInfo.xcprivacy` file at the root of your target.


02

**Declare accessed API types** — Open the manifest and add every Required Reason API your app uses under `NSPrivacyAccessedAPITypes`. Each entry needs:

  • `NSPrivacyAccessedAPIType`: the API category (e.g. `NSPrivacyAccessedAPICategoryFileTimestamp`)
  • - `NSPrivacyAccessedAPITypeReasons`: an array of approved reason codes (e.g. `["C617.1"]`)

    03

    **Declare tracking** — Set `NSPrivacyTracking` to `true` or `false`. If `true`, list all tracking domains in `NSPrivacyTrackingDomains`.


    04

    **Declare collected data types** — Add each data type to `NSPrivacyCollectedDataTypes` with its purpose, linked status, and tracking flag.


    05

    **Handle third-party SDKs** — Each SDK must ship its own `PrivacyInfo.xcprivacy`. Check your SDK vendors for updated versions. For SDKs without a manifest, create one in the framework bundle or wrap the SDK in an XCFramework that includes it.


    06

    **Verify with Xcode** — In Xcode 15+, go to Product → Archive → Generate Privacy Report. This scans all targets and embedded frameworks, listing any missing declarations.


    07

    **Common Required Reason APIs to check**:

  • `NSPrivacyAccessedAPICategoryFileTimestamp` (file stat calls)
  • - `NSPrivacyAccessedAPICategoryUserDefaults` (UserDefaults)

    - `NSPrivacyAccessedAPICategorySystemBootTime` (system uptime)

    - `NSPrivacyAccessedAPICategoryDiskSpace` (disk space queries)

    08

    **Test locally** — Build and archive. Confirm the privacy report shows all declarations with no warnings before submitting.


    Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.1.1 - Data Collection and Storage: Privacy Man
    ITMS-91053: Missing API declaration - Your app's code in the "YourApp" target references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryFileTimestamp, NSPrivacyAccessedAPICategoryUserDefaults. While no action is currently required, starting May 1, 2024, when you upload a new app or app update, you must include a privacy manifest file in your app or SDK that provides approved reasons for the APIs used by your app's code.

    Consider Appealing

    Appeals are unlikely to succeed — Apple enforces this requirement programmatically. If the rejection cites a third-party SDK you cannot control, explain that you have filed an issue with the SDK vendor and include their timeline for an update. Apple may grant a temporary exception.

    Generate Appeal

    Before & After

    Before — Rejected

    App uses UserDefaults and file timestamps but has no PrivacyInfo.xcprivacy file anywhere in the project

    After — Approved

    PrivacyInfo.xcprivacy added to app target:

    <key>NSPrivacyAccessedAPITypes</key>

    <array>

    <dict>

    <key>NSPrivacyAccessedAPIType</key>

    <string>NSPrivacyAccessedAPICategoryUserDefaults</string>

    <key>NSPrivacyAccessedAPITypeReasons</key>

    <array><string>CA92.1</string></array>

    </dict>

    <dict>

    <key>NSPrivacyAccessedAPIType</key>

    <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>

    <key>NSPrivacyAccessedAPITypeReasons</key>

    <array><string>C617.1</string></array>

    </dict>

    </array>

    What changed: Every Required Reason API must be declared with an approved reason code in the privacy manifest

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections