Over the last decade, data privacy—once something of an afterthought for marketers—has become an essential part of modern customer engagement. From the introduction of data privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to growing consumer expectations around how their data is collected and used, brands now operate in an increasingly privacy-conscious world.

That dynamic has been bolstered by a series of major announcements from tech giants, including Apple’s Hide My Email feature and Google’s deprecation of third-party cookies. This year, that trend continues, with Apple’s announcement that it plans to enforce a change to its iOS mobile operating system that will leverage a new feature called Privacy Manifests to help prevent apps from sharing third-party data without user consent.

So, let’s take a look at how we got here and what Privacy Manifests mean for your customer engagement efforts.

Understanding the Data-Sharing Status Quo Before Privacy Manifests

Today, if an iOS mobile app wants to share data they’ve collected on their users with a third-party (often an AdTech vendor), they are supposed to ask and receive consent to pass along that information from the end user. This opt-in approach is known as the “Ad Tracking Transparency” prompt and it’s relatively new, having been introduced with the launch of iOS 14.5 in April 2021; the prompt asks users if the app can "share data across apps and websites” and allows users to decline permission to do so.

To date, this User Tracking policy has generally relied on the honor system. With the exception of IDFA collection, there wasn’t anything concrete in place to prevent a company from ignoring customer opt-outs and passing along their data to third-parties anyway (aside, perhaps, from the fear that their app might be rejected from the Apple App Store in the future).

Privacy Manifests: What They Are And Why They Matter

Privacy Manifests are intended to help address this situation by enforcing permission collection and respect for user opt-outs by forcing SDK developers to declare and publish their data collection practices.

What is a Privacy Manifest, exactly? According to Apple, a Privacy Manifest is a file that "outline[s] the privacy practices of the third-party code in an app, in a single standard format." While currently optional (with some exceptions noted below), app developers and SDK providers will be required to publish Privacy Manifests that will cover the following information:

1. What data points are collected, any why (i.e. user ID, first name, email, etc.)

2. What data points are considered "tracking" (i.e. shared with other companies like advertisers)

3. What API endpoint will this tracking data be shared to (i.e. "advertising.company.com")

4. What restricted iOS APIs are being used (i.e. APIs which can be mis-used for fingerprinting)

Once this information is published to the App Store, Xcode will aggregate all of the various Privacy Manifests into a single, unified list of expected data collection associated with the app. That, in turn, will help to power the "Privacy Nutrition Label" that Apple released in 2020.

Another key change? In an upcoming iOS version expected sometime during spring 2024, iOS will begin to automatically block requests made to the tracking-related API endpoints these apps have declared in their Privacy Manifests until a given user has accepted the Ad Tracking Transparency prompt. As a result, Apple’s privacy policy now has teeth: If your SDK providers declare any tracking data, it will be blocked at the operating system level if you don’t successfully gain user consent.

Of course, apps that are tracking user data across apps and websites should already have been getting customer consent to do so, per Apple’s policy. But this new change, which embraces an “opted-out by default,” policy, is a major advancement in privacy enforcement, with the potential for significant impacts on non-compliant brands.

How Braze Responded to Apple’s New SDK Requirements

In late 2023, Apple announced a list of third-party Privacy Impacting SDKs that “have particularly high impact on user privacy." Braze isn’t included on this list; however, we have published our own Privacy Manifest along with flexible APIs in order to help our customers continue to build the best user experiences without compromising on privacy.

In Braze Swift SDK v7.5.0, we released a Privacy Manifest outlining the default data that we collect for non-sharing purposes (i.e. for use by brands to support their first-party customer engagement efforts.) Then, in Braze Swift SDK v7.6.0, we released new SDK methods for brands to customize and declare which individual data points fall under the “tracking” category. This means that if a brand chooses to collect specific custom attributes which they intend to share with third parties, the brand can tell Braze to capture those attributes in connection with our new tracking URL, ensuring that they remain blocked from sharing for users who haven’t consented.

We believe that declaring all data to be non-tracking (a common practice among customer engagement platforms, marketing automation solutions, and other SDK providers) may not align with the spirit of Apple’s policies. User privacy is important, and taking thoughtful steps to respect consumer consent is something that all apps should prioritize.

Unlike many other SDKs in the customer engagement space, the Braze SDK allows brands to exercise fine-grained control over what specific data is considered tracking—down to the individual attribute or event level—in order to adhere to Apple’s policies. And while most brands using Braze don’t share data collected with our platform with third parties (and therefore shouldn’t see impacts or restrictions in connection with their first-party communications), this update means that companies who do share data outside of Braze can appropriately tag that information to respect user consent and privacy.

Privacy Manifest-Related Recommendations

Change can be scary—but sometimes change is really for the best. By building out a nuanced enforcement mechanism for its existing privacy rules, Apple is forcing brands to live up to commitments they’ve made to respect user privacy, creating a foundation for stronger trust. We don’t expect this update to be the end of the road when it comes to this feature, but we look forward to seeing how Apple evolves it in the future.

If you’re a current Braze customer, we encourage you to read more about how to use our new Swift SDK methods to declare relevant data points as “tracking.” If you don’t share any collected data with third parties, then you likely won’t need to take any action; however, understanding the nuances of this process is important for any brands doing that sort of sharing. In either case, we recommend consulting your Legal team before making any determinations.

If you’re not a Braze customer, we recommend that you double-check with your current provider to ensure that you’re following Apple’s privacy rules. If you do collect any data in your app and then share or export it to any third-party companies, you may be in violation; similarly, if your Privacy Manifest or SDK doesn’t allow you to declare specific data to be “tracking,” that may be a sign that their policy is too lax, and may prevent you from complying with Apple's policies.

Interested in learning more about the Braze platform’s Swift SDKs? Check out our overview here.