Apple has begun rejecting app submissions that do not follow its updated privacy policies regarding device fingerprinting and user tracking, according to a report in Forbes. This move strongly suggests that the release of iOS 14.5—and possibly new hardware products—is imminent.
Here’s a snippet from the rejection letter some developers told Forbes they have received:
Guideline 5.1.2 – Legal – Privacy – Data Use and Sharing
We found in our review that your app collections user and device information to create a unique identifier for the user’s devices. Apps that fingerprint the user’s device in this way are in violation of the Apple Developer Program License Agreement and are not appropriate for the App Store.
Specifically, your app uses algorithmically converted device and usage data to create a unique identifier in order to track the user. The device information collected by your app may include some of the following: defaultManager, NSLocaleCollationIdentifier, NSLocaleCountryCode, NSLocaleQuotationEndDelimiterKey, and NSLocaleGroupingSeparator.
Per section 3.3.9 of the Apple Developer Program License Agreement, neither you nor your app can use any permanent, device-based identifier, or any data derived therefrom, for purposes of uniquely identifying a device.
This message to developers makes it clear that affected apps are in violation because they use a technique that seeks to track the user without consent (device fingerprinting). A few months ago, Apple announced plans to implement App Tracking Transparency, which would require apps to request user opt-in to track them using IDFAs, a common tracking tool that is vital for many targeted advertising techniques. This change drew the ire of Facebook and other companies who rely on that type of tracking to maximize advertising revenue. But it’s also clear that App Tracking Transparency means apps that seek to nonconsensually track users by any means, IDFA or otherwise, are going to face rejection. Device fingerprinting has often been used as an alternative to IDFA when users or platforms prevent the use of the latter.