Guideline 5.1.1
Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
Our Take
The data types declared in your App Privacy (nutrition label) section in App Store Connect do not match what your app or its SDKs actually collect. Apple cross-references the privacy manifest (NSPrivacyCollectedDataTypes), your App Privacy declarations, and in some cases performs dynamic analysis. Mismatches — such as declaring 'Data Not Collected' while the app transmits analytics, device identifiers, or crash logs — result in rejection. This also covers cases where tracking is detected (ATT-gated data sharing with third parties for advertising) but the nutrition label does not disclose it.
Resolution Guide
**Audit every data type your app collects** — Go beyond your own code. Include all third-party SDKs:
- Crash reporting: Crashlytics, Sentry, Bugsnag → collect Crash Data, Performance Data, Device ID
- Advertising: AdMob, Facebook SDK, AppLovin → collect Device ID, Advertising Data, Usage Data
- Social login: Sign in with Apple, Google Sign-In, Facebook Login → collect Email, Name, User ID
**Cross-reference with your privacy manifest** — Open `PrivacyInfo.xcprivacy` and check that every data type in `NSPrivacyCollectedDataTypes` matches what you declare in App Store Connect.
**Update App Store Connect** — Go to App Store Connect → Your App → App Privacy. For each data type:
- Indicate whether it is linked to the user's identity
- Indicate whether it is used for tracking (as defined by Apple: sharing with third parties for advertising or sharing with data brokers)
- Select the purposes (Analytics, App Functionality, etc.)
**Check "Data Not Collected" carefully** — If you selected "Data Not Collected," verify that:
- No crash reporter transmits device info
- No network calls send device identifiers
- The app does not use ATT or IDFA
**Verify tracking disclosure** — If your app calls `ATTrackingManager.requestTrackingAuthorization()`, you must:
- Disclose all tracking domains in `NSPrivacyTrackingDomains`
- Mark the relevant data types as "Used for Tracking" in the nutrition label
**SDK documentation** — Most major SDKs publish which data types to declare. Check:
- Facebook: developers.facebook.com/docs/ios/app-store-compliance
- Sentry: docs.sentry.io/platforms/apple/data-management/apple-privacy-manifest/
**Resubmit** — After updating both the manifest and App Store Connect declarations, resubmit for review.
Example Rejection Email
Consider Appealing
If you believe Apple's detection is incorrect (e.g., an SDK is present but disabled via feature flags), provide evidence: network traffic logs showing no data is transmitted, or SDK configuration showing the data collection is disabled. Apple's review team can escalate to verify.
Before & After
App Privacy in App Store Connect: "Data Not Collected" — but the app includes Firebase Analytics (collects Device ID, Usage Data) and Crashlytics (collects Crash Data, Performance Data)
App Privacy updated to declare: Device ID (Analytics, App Functionality — linked to identity), Usage Data (Analytics — not linked), Crash Data (App Functionality — not linked), Performance Data (App Functionality — not linked). Tracking: No (no ATT usage, no ad SDKs)
What changed: Every SDK's data collection must be reflected in the App Privacy nutrition label, even if you do not directly access the data yourself
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy
- Guideline 5.1.1 - Privacy: ATT Framework Without Tracking Usage Description