Guideline 5.1.1

Guideline 5.1.1(ii) - Privacy: Collecting Data Without User Consent

Medium RiskMedium DifficultyTypical Fix: 2-8 hours0 Reports
Also known as:App collects user data without prior user consentApp transmits personal data upon launch without permissionPersonal data is sent to third-party SDK before user consentApp silently accesses user data without clear visual indicationUser data is collected during onboarding before privacy consent is obtained

Our Take

Apple is rejecting your app because it collects, transmits, or uses personal data without obtaining user consent first. Under guideline 5.1.1(ii), apps must get explicit permission before collecting any personal information — names, email addresses, device identifiers, location, contacts, photos, or any other data that can identify a user. This rejection typically appears when the reviewer observes data being collected during app launch, account creation, or normal usage without a clear consent mechanism. Common triggers include: silently syncing the user's contacts or photos, collecting analytics data or device fingerprints before the user agrees to a privacy policy, or sending personal data to third-party SDKs on first launch without any consent dialog. The fix requires implementing a clear opt-in mechanism before any data collection begins. This is distinct from the App Tracking Transparency (ATT) framework — ATT is specifically about cross-app tracking. This guideline covers all personal data collection, even first-party. The consent mechanism can be a terms/privacy acceptance screen during onboarding, but it must happen before the data is transmitted.

Resolution Guide

01

**Audit all network calls at launch** — Use Charles Proxy or Instruments to capture every network request your app makes before the user interacts. Identify any calls that transmit personal data or device identifiers.


02

**Defer SDK initialization** — Move third-party SDK initialization (analytics, crash reporting, attribution) to after the user has provided consent. Most SDKs support deferred initialization.


03

**Add a consent screen** — Implement a clear consent dialog or onboarding screen that (a) explains what data will be collected, (b) links to your privacy policy, and (c) requires affirmative action (tap 'I Agree' or 'Continue') before proceeding.


04

**Gate data collection on consent** — Store the consent state locally. Only begin data collection after consent is recorded. For returning users, you can persist the consent state so they don't see the dialog every launch.


05

**Handle consent withdrawal** — Provide a way for users to withdraw consent (e.g., in Settings) and actually stop collecting data when they do.

Prevention

  • Implement a consent-first architecture from the start
  • Use a consent management platform (CMP) if you have multiple SDKs
  • Audit new SDK integrations for automatic data collection on init
  • Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.1.1 - Guideline 5.1.1(ii) - Privacy: Collectin
    Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage Your app collects user or device data without prior user consent. Specifically, your app transmits personal data to your server upon launch without first obtaining the user's permission to collect this information. Apps must obtain explicit user consent and provide a clear visual indication when collecting user or device data. Next Steps: Please update your app to obtain user consent before collecting, transmitting, or using personal data. The consent mechanism must be clear, prominent, and occur before any data collection begins.

    Consider Appealing

    Appeal only if no personal data is actually collected (e.g., the reviewer misidentified anonymous telemetry as personal data). Provide a detailed technical explanation of what data is sent, when, and that none of it constitutes personal data. Otherwise, fix and resubmit.

    Generate Appeal

    Before & After

    Before — Rejected

    App initializes Firebase Analytics, Adjust SDK, and Facebook SDK in application(_:didFinishLaunchingWithOptions:) before any user interaction

    After — Approved

    App shows a consent screen on first launch; SDKs are only initialized after user taps 'I Agree'; consent state is persisted in UserDefaults

    What changed: Third-party SDKs often begin collecting data immediately on initialization. Deferring init until after consent satisfies Apple's requirement.

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections