Guideline 5.1.2
Guideline 5.1.2(i) - Privacy: Sharing Data with Third Parties Without Disclosure
Our Take
Apple is rejecting your app because it shares user data with third parties without properly disclosing this to users and obtaining consent. Guideline 5.1.2(i) requires that any sharing of collected user data with third parties must be clearly disclosed, and that users must consent to the sharing before it occurs. This rejection typically surfaces when the reviewer identifies third-party SDKs in your app that transmit user data to external servers (analytics providers, ad networks, attribution platforms, CRM tools) and either (1) your privacy policy does not disclose these third parties, (2) your App Privacy nutrition labels in App Store Connect do not accurately reflect the data sharing, or (3) users are not given the opportunity to consent before data is shared. The fix requires aligning three things: your actual data sharing practices (what your app and its SDKs send to third parties), your privacy policy (what you tell users), and your App Privacy labels (what you declare to Apple). All three must match. Additionally, users must consent to the sharing before it happens.
Resolution Guide
**Audit all third-party SDKs** — List every SDK in your app (check Podfile, Package.swift, build.gradle). For each, identify what data it collects and where it sends it. Check each SDK's privacy manifest if available.
**Update App Privacy labels** — In App Store Connect, go to App Privacy and ensure every data type collected or shared by your app or its SDKs is accurately declared. Include data categories for each third-party SDK.
**Update your privacy policy** — List each third party your app shares data with, what data is shared, and the purpose. Name the companies or categories (e.g., 'analytics providers such as Firebase').
**Add a consent mechanism** — Before data sharing begins, show users a clear disclosure of what data is shared and with whom. This can be part of your onboarding consent screen.
**Implement privacy manifests** — Starting with iOS 17, add PrivacyInfo.xcprivacy files that declare your API usage reasons and tracking domains. Ensure third-party SDKs include their own privacy manifests.
Prevention
Example Rejection Email
Consider Appealing
Appeal only if the reviewer misidentified the data sharing — e.g., if the SDK sends data to your own servers, not a third party. Otherwise, fix and resubmit.
Before & After
App includes Facebook SDK, Firebase Analytics, and Adjust SDK; App Privacy labels declare 'No data collected'; privacy policy does not mention any third-party data sharing
App Privacy labels accurately declare Device ID, Usage Data, and Diagnostics as shared with third parties for Analytics and Advertising; privacy policy lists Facebook, Google, and Adjust with specific data categories; consent dialog shown before SDK initialization
What changed: App Privacy labels, privacy policy, and actual SDK behavior must all align. Declaring 'No data collected' while running analytics SDKs is a direct contradiction.
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
- Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy