Guideline 5.1.1

Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch

Medium RiskMedium DifficultyTypical Fix: 2-4 hours0 Reports
Also known as:App Privacy responses do not match actual data collectionAnalytics SDK collects data not disclosed in nutrition labelTracking declared as false but ATT-gated data sharing detectedCrash reporting data not disclosed in App PrivacyThird-party SDK data collection not reflected in nutrition labelData linked to identity not declared as suchCoarse location declared but precise location collected

Our Take

The data types declared in your App Privacy (nutrition label) section in App Store Connect do not match what your app or its SDKs actually collect. Apple cross-references the privacy manifest (NSPrivacyCollectedDataTypes), your App Privacy declarations, and in some cases performs dynamic analysis. Mismatches — such as declaring 'Data Not Collected' while the app transmits analytics, device identifiers, or crash logs — result in rejection. This also covers cases where tracking is detected (ATT-gated data sharing with third parties for advertising) but the nutrition label does not disclose it.

Resolution Guide

01

**Audit every data type your app collects** — Go beyond your own code. Include all third-party SDKs:

  • Analytics: Firebase Analytics, Mixpanel, Amplitude, PostHog → typically collect Device ID, Usage Data, Diagnostics
  • - Crash reporting: Crashlytics, Sentry, Bugsnag → collect Crash Data, Performance Data, Device ID

    - Advertising: AdMob, Facebook SDK, AppLovin → collect Device ID, Advertising Data, Usage Data

    - Social login: Sign in with Apple, Google Sign-In, Facebook Login → collect Email, Name, User ID

    02

    **Cross-reference with your privacy manifest** — Open `PrivacyInfo.xcprivacy` and check that every data type in `NSPrivacyCollectedDataTypes` matches what you declare in App Store Connect.


    03

    **Update App Store Connect** — Go to App Store Connect → Your App → App Privacy. For each data type:

  • Select the correct data type (e.g., Device ID, Usage Data, Crash Data)
  • - Indicate whether it is linked to the user's identity

    - Indicate whether it is used for tracking (as defined by Apple: sharing with third parties for advertising or sharing with data brokers)

    - Select the purposes (Analytics, App Functionality, etc.)

    04

    **Check "Data Not Collected" carefully** — If you selected "Data Not Collected," verify that:

  • No analytics SDK sends any events
  • - No crash reporter transmits device info

    - No network calls send device identifiers

    - The app does not use ATT or IDFA

    05

    **Verify tracking disclosure** — If your app calls `ATTrackingManager.requestTrackingAuthorization()`, you must:

  • Set `NSPrivacyTracking` to `true` in your manifest
  • - Disclose all tracking domains in `NSPrivacyTrackingDomains`

    - Mark the relevant data types as "Used for Tracking" in the nutrition label

    06

    **SDK documentation** — Most major SDKs publish which data types to declare. Check:

  • Firebase: firebase.google.com/docs/ios/app-store-data-collection
  • - Facebook: developers.facebook.com/docs/ios/app-store-compliance

    - Sentry: docs.sentry.io/platforms/apple/data-management/apple-privacy-manifest/

    07

    **Resubmit** — After updating both the manifest and App Store Connect declarations, resubmit for review.


    Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.1.1 - Data Collection and Storage: Privacy Nut
    We noticed that your app collects data that is not reflected in your app's App Privacy responses in App Store Connect. Specifically, your app collects Device ID and Usage Data through analytics SDKs, but your App Privacy declarations indicate that no data is collected. Please update your App Privacy responses to accurately reflect all data your app collects, including data collected by third-party SDKs.

    Consider Appealing

    If you believe Apple's detection is incorrect (e.g., an SDK is present but disabled via feature flags), provide evidence: network traffic logs showing no data is transmitted, or SDK configuration showing the data collection is disabled. Apple's review team can escalate to verify.

    Generate Appeal

    Before & After

    Before — Rejected

    App Privacy in App Store Connect: "Data Not Collected" — but the app includes Firebase Analytics (collects Device ID, Usage Data) and Crashlytics (collects Crash Data, Performance Data)

    After — Approved

    App Privacy updated to declare: Device ID (Analytics, App Functionality — linked to identity), Usage Data (Analytics — not linked), Crash Data (App Functionality — not linked), Performance Data (App Functionality — not linked). Tracking: No (no ATT usage, no ad SDKs)

    What changed: Every SDK's data collection must be reflected in the App Privacy nutrition label, even if you do not directly access the data yourself

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections