Guideline 5.1.2

Guideline 5.1.2(i) - Privacy: Sharing Data with Third Parties Without Disclosure

Medium RiskMedium DifficultyTypical Fix: 2-8 hours0 Reports
Also known as:App shares user data with third parties without consentThird-party SDK data sharing not disclosed to usersApp Privacy nutrition labels do not reflect third-party data collectionUser data transmitted to third-party services without adequate disclosureData sharing practices not reflected in privacy policy or App Privacy labels

Our Take

Apple is rejecting your app because it shares user data with third parties without properly disclosing this to users and obtaining consent. Guideline 5.1.2(i) requires that any sharing of collected user data with third parties must be clearly disclosed, and that users must consent to the sharing before it occurs. This rejection typically surfaces when the reviewer identifies third-party SDKs in your app that transmit user data to external servers (analytics providers, ad networks, attribution platforms, CRM tools) and either (1) your privacy policy does not disclose these third parties, (2) your App Privacy nutrition labels in App Store Connect do not accurately reflect the data sharing, or (3) users are not given the opportunity to consent before data is shared. The fix requires aligning three things: your actual data sharing practices (what your app and its SDKs send to third parties), your privacy policy (what you tell users), and your App Privacy labels (what you declare to Apple). All three must match. Additionally, users must consent to the sharing before it happens.

Resolution Guide

01

**Audit all third-party SDKs** — List every SDK in your app (check Podfile, Package.swift, build.gradle). For each, identify what data it collects and where it sends it. Check each SDK's privacy manifest if available.


02

**Update App Privacy labels** — In App Store Connect, go to App Privacy and ensure every data type collected or shared by your app or its SDKs is accurately declared. Include data categories for each third-party SDK.


03

**Update your privacy policy** — List each third party your app shares data with, what data is shared, and the purpose. Name the companies or categories (e.g., 'analytics providers such as Firebase').


04

**Add a consent mechanism** — Before data sharing begins, show users a clear disclosure of what data is shared and with whom. This can be part of your onboarding consent screen.


05

**Implement privacy manifests** — Starting with iOS 17, add PrivacyInfo.xcprivacy files that declare your API usage reasons and tracking domains. Ensure third-party SDKs include their own privacy manifests.

Prevention

  • Audit SDK data practices whenever adding a new dependency
  • Update App Privacy labels whenever SDK versions change
  • Keep privacy policy, App Privacy labels, and actual practices in sync
  • Use Apple's privacy manifest system to document all data flows
  • Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.1.2 - Guideline 5.1.2(i) - Privacy: Sharing Da
    Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing Your app shares user data with third parties without adequate user consent or disclosure. Specifically, your app transmits user data to third-party services, but the app does not adequately disclose this data sharing to users or provide a mechanism for users to consent to the sharing of their data. Additionally, the app's privacy nutrition labels in App Store Connect may not accurately reflect the data collected and shared by third-party SDKs integrated in the app. Next Steps: Please update your app to: 1. Clearly disclose all third-party data sharing to users. 2. Obtain user consent before sharing data with third parties. 3. Ensure your App Privacy responses in App Store Connect accurately reflect all data collection and sharing practices, including by third-party SDKs.

    Consider Appealing

    Appeal only if the reviewer misidentified the data sharing — e.g., if the SDK sends data to your own servers, not a third party. Otherwise, fix and resubmit.

    Generate Appeal

    Before & After

    Before — Rejected

    App includes Facebook SDK, Firebase Analytics, and Adjust SDK; App Privacy labels declare 'No data collected'; privacy policy does not mention any third-party data sharing

    After — Approved

    App Privacy labels accurately declare Device ID, Usage Data, and Diagnostics as shared with third parties for Analytics and Advertising; privacy policy lists Facebook, Google, and Adjust with specific data categories; consent dialog shown before SDK initialization

    What changed: App Privacy labels, privacy policy, and actual SDK behavior must all align. Declaring 'No data collected' while running analytics SDKs is a direct contradiction.

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections