Guideline 5.1.1
Guideline 5.1.1(ii) - Privacy: Collecting Data Without User Consent
Our Take
Apple is rejecting your app because it collects, transmits, or uses personal data without obtaining user consent first. Under guideline 5.1.1(ii), apps must get explicit permission before collecting any personal information — names, email addresses, device identifiers, location, contacts, photos, or any other data that can identify a user. This rejection typically appears when the reviewer observes data being collected during app launch, account creation, or normal usage without a clear consent mechanism. Common triggers include: silently syncing the user's contacts or photos, collecting analytics data or device fingerprints before the user agrees to a privacy policy, or sending personal data to third-party SDKs on first launch without any consent dialog. The fix requires implementing a clear opt-in mechanism before any data collection begins. This is distinct from the App Tracking Transparency (ATT) framework — ATT is specifically about cross-app tracking. This guideline covers all personal data collection, even first-party. The consent mechanism can be a terms/privacy acceptance screen during onboarding, but it must happen before the data is transmitted.
Resolution Guide
**Audit all network calls at launch** — Use Charles Proxy or Instruments to capture every network request your app makes before the user interacts. Identify any calls that transmit personal data or device identifiers.
**Defer SDK initialization** — Move third-party SDK initialization (analytics, crash reporting, attribution) to after the user has provided consent. Most SDKs support deferred initialization.
**Add a consent screen** — Implement a clear consent dialog or onboarding screen that (a) explains what data will be collected, (b) links to your privacy policy, and (c) requires affirmative action (tap 'I Agree' or 'Continue') before proceeding.
**Gate data collection on consent** — Store the consent state locally. Only begin data collection after consent is recorded. For returning users, you can persist the consent state so they don't see the dialog every launch.
**Handle consent withdrawal** — Provide a way for users to withdraw consent (e.g., in Settings) and actually stop collecting data when they do.
Prevention
Example Rejection Email
Consider Appealing
Appeal only if no personal data is actually collected (e.g., the reviewer misidentified anonymous telemetry as personal data). Provide a detailed technical explanation of what data is sent, when, and that none of it constitutes personal data. Otherwise, fix and resubmit.
Before & After
App initializes Firebase Analytics, Adjust SDK, and Facebook SDK in application(_:didFinishLaunchingWithOptions:) before any user interaction
App shows a consent screen on first launch; SDKs are only initialized after user taps 'I Agree'; consent state is persisted in UserDefaults
What changed: Third-party SDKs often begin collecting data immediately on initialization. Deferring init until after consent satisfies Apple's requirement.
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
- Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy