Privacy UX Patterns

Comprehensive guide to privacy-first app design. Apple Design Award Social Impact winners handle data ethically, and privacy-first design is a key differentiator.

Overview

Privacy manifests (

PrivacyInfo.xcprivacy

) are Apple's framework for transparency about data collection and tracking. Combined with App Tracking Transparency and just-in-time permission requests, they help users make informed choices about their data.

This skill covers creating privacy manifests, requesting system permissions with excellent UX, implementing App Tracking Transparency, managing tracking domains, using Required Reason APIs, and preparing accurate Privacy Nutrition Labels.

When to Use This Skill

Creating privacy manifests (PrivacyInfo.xcprivacy)
Requesting system permissions (Camera, Location, etc.)
Implementing App Tracking Transparency (ATT)
Preparing Privacy Nutrition Labels for App Store Connect
Managing tracking domains to avoid accidental tracking
Using Required Reason APIs (NSFileSystemFreeSize, UserDefaults, etc.)
Explaining data usage to users transparently
Debugging privacy-related App Store rejections

System Requirements

iOS 14.5+ for App Tracking Transparency
iOS 17+ for automatic tracking domain blocking
Xcode 15+ for privacy reports and manifest editing
Spring 2024+ for App Review enforcement

Part 1: Privacy Manifests (WWDC 2023/10060)

Creating a Privacy Manifest

Xcode Navigator:

File → New → File
Choose "App Privacy File"
Name:
```
PrivacyInfo.xcprivacy
```
Add to app target (or SDK framework)

File structure (Property List):

xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSPrivacyTracking</key>
    <false/>
    <key>NSPrivacyCollectedDataTypes</key>
    <array>
        <!-- Data types collected -->
    </array>
    <key>NSPrivacyAccessedAPITypes</key>
    <array>
        <!-- Required Reason APIs used -->
    </array>
</dict>
</plist>

NSPrivacyTracking Declaration

Does your app track users?

Tracking = combining user/device data from your app with data from other apps/websites to create a profile for targeted advertising or data broker purposes.

xml

<key>NSPrivacyTracking</key>
<true/>  <!-- or false -->

If
true
, you must also declare tracking domains:

xml

<key>NSPrivacyTrackingDomains</key>
<array>
    <string>tracking.example.com</string>
    <string>analytics.example.com</string>
</array>

iOS 17 behavior: Network requests to tracking domains automatically blocked if user hasn't granted ATT permission.

NSPrivacyCollectedDataTypes

Declare all data your app collects:

xml

<key>NSPrivacyCollectedDataTypes</key>
<array>
    <dict>
        <key>NSPrivacyCollectedDataType</key>
        <string>NSPrivacyCollectedDataTypeName</string>

        <key>NSPrivacyCollectedDataTypeLinked</key>
        <true/>  <!-- Linked to user identity? -->

        <key>NSPrivacyCollectedDataTypeTracking</key>
        <false/>  <!-- Used for tracking? -->

        <key>NSPrivacyCollectedDataTypePurposes</key>
        <array>
            <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
            <string>NSPrivacyCollectedDataTypePurposeAnalytics</string>
        </array>
    </dict>
</array>

Common data types:

```
NSPrivacyCollectedDataTypeName
```
- User's name
```
NSPrivacyCollectedDataTypeEmailAddress
```
```
NSPrivacyCollectedDataTypePhoneNumber
```

NSPrivacyCollectedDataTypePhysicalAddress

NSPrivacyCollectedDataTypePreciseLocation

NSPrivacyCollectedDataTypeCoarseLocation

NSPrivacyCollectedDataTypePhotosorVideos

```
NSPrivacyCollectedDataTypeContacts
```
```
NSPrivacyCollectedDataTypeUserID
```

Common purposes:

NSPrivacyCollectedDataTypePurposeAppFunctionality

NSPrivacyCollectedDataTypePurposeAnalytics

NSPrivacyCollectedDataTypePurposeProductPersonalization

NSPrivacyCollectedDataTypePurposeDeveloperAdvertising

NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising

NSPrivacyAccessedAPITypes

Declare Required Reason APIs (see Part 5):

xml

<key>NSPrivacyAccessedAPITypes</key>
<array>
    <dict>
        <key>NSPrivacyAccessedAPIType</key>
        <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>

        <key>NSPrivacyAccessedAPITypeReasons</key>
        <array>
            <string>C617.1</string>  <!-- Approved reason code -->
        </array>
    </dict>
</array>

Part 2: Permission Request UX

Just-in-Time vs Up-Front

❌ Don't: Request all permissions at launch

swift

// BAD - overwhelming and confusing
func application(_ application: UIApplication,
                didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
    requestCameraPermission()
    requestLocationPermission()
    requestNotificationPermission()
    requestPhotoLibraryPermission()
    return true
}

✅ Do: Request just-in-time when user triggers feature

swift

// GOOD - clear causality
@objc func takePhotoButtonTapped() {
    // Show pre-permission education first
    showCameraEducation {
        // Then request permission
        AVCaptureDevice.requestAccess(for: .video) { granted in
            if granted {
                self.openCamera()
            } else {
                self.showPermissionDeniedAlert()
            }
        }
    }
}

Pre-Permission Education Screens

Explain why you need permission before showing system dialog:

swift

func showCameraEducation(completion: @escaping () -> Void) {
    let alert = UIAlertController(
        title: "Take Photos",
        message: "FoodSnap needs camera access to let you photograph your meals and get nutrition information.",
        preferredStyle: .alert
    )

    alert.addAction(UIAlertAction(title: "Continue", style: .default) { _ in
        completion()  // Now request actual permission
    })

    alert.addAction(UIAlertAction(title: "Not Now", style: .cancel))

    present(alert, animated: true)
}

Why this works:

User understands value proposition
System dialog rejection rate drops 60-80%
Better App Store ratings (fewer "why does it need that?" reviews)

Permission Denied Handling

Never dead-end the user:

swift

func handleCameraPermission() {
    switch AVCaptureDevice.authorizationStatus(for: .video) {
    case .authorized:
        openCamera()

    case .notDetermined:
        showCameraEducation {
            AVCaptureDevice.requestAccess(for: .video) { granted in
                if granted {
                    self.openCamera()
                } else {
                    self.showSettingsPrompt()
                }
            }
        }

    case .denied, .restricted:
        showSettingsPrompt()  // Offer to open Settings

    @unknown default:
        break
    }
}

func showSettingsPrompt() {
    let alert = UIAlertController(
        title: "Camera Access Required",
        message: "Please enable camera access in Settings to use this feature.",
        preferredStyle: .alert
    )

    alert.addAction(UIAlertAction(title: "Open Settings", style: .default) { _ in
        if let url = URL(string: UIApplication.openSettingsURLString) {
            UIApplication.shared.open(url)
        }
    })

    alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))

    present(alert, animated: true)
}

Settings Deep Links

Open specific settings screens:

swift

// General app settings
UIApplication.shared.open(URL(string: UIApplication.openSettingsURLString)!)

// Notification settings (iOS 15.4+)
UIApplication.shared.open(URL(string: UIApplication.openNotificationSettingsURLString)!)

Part 3: App Tracking Transparency

When ATT Is Required

You must request ATT permission if you:

Track users across apps/websites owned by other companies
Share user data with data brokers
Use third-party SDKs that track (Facebook SDK, Google Analytics, etc.)

You don't need ATT if you only:

Use first-party analytics (no sharing with other companies)
Personalize ads based only on data from your own app
Use fraud detection/security measures

ATTrackingManager.requestTrackingAuthorization

swift

import AppTrackingTransparency
import AdSupport

func requestTrackingPermission() {
    // Check availability (iOS 14.5+)
    guard #available(iOS 14.5, *) else { return }

    // Wait until app is active
    // Showing alert too early causes auto-denial
    DispatchQueue.main.asyncAfter(deadline: .now() + 1.0) {
        ATTrackingManager.requestTrackingAuthorization { status in
            switch status {
            case .authorized:
                // User granted permission
                // You can now access IDFA and track
                let idfa = ASIdentifierManager.shared().advertisingIdentifier
                self.initializeTrackingSDKs(idfa: idfa)

            case .denied:
                // User denied permission
                // Do NOT track
                self.initializeNonTrackingSDKs()

            case .notDetermined:
                // User closed dialog without choosing
                // Treat as denied
                self.initializeNonTrackingSDKs()

            case .restricted:
                // Device doesn't allow tracking (parental controls)
                self.initializeNonTrackingSDKs()

            @unknown default:
                self.initializeNonTrackingSDKs()
            }
        }
    }
}

Custom ATT Prompt Message

Info.plist:

xml

<key>NSUserTrackingUsageDescription</key>
<string>This allows us to show you personalized ads and improve your experience</string>

Best practices:

Be honest and specific
Explain user benefit (not company benefit)
Keep it concise (1-2 sentences)

❌ Bad examples:

"We value your privacy" (vague)
"This is required for the app to work" (dishonest)
"To monetize our app" (user doesn't care)

✅ Good examples:

"This helps us show you relevant ads for products you might like"
"Personalized ads help keep this app free"

Pre-Tracking Prompt Design

Show your own dialog before ATT system prompt:

swift

func showPreTrackingPrompt() {
    let alert = UIAlertController(
        title: "Support Free Features",
        message: "We use tracking to show you personalized ads, which helps keep advanced features free. You can always change this in Settings.",
        preferredStyle: .alert
    )

    alert.addAction(UIAlertAction(title: "Continue", style: .default) { _ in
        self.requestTrackingPermission()
    })

    alert.addAction(UIAlertAction(title: "Not Now", style: .cancel))

    present(alert, animated: true)
}

Why this works: Education increases opt-in rates by 20-40%.

Graceful Degradation

Always provide value without tracking:

swift

func initializeAnalytics() {
    let status = ATTrackingManager.trackingAuthorizationStatus

    if status == .authorized {
        // Full featured analytics
        Analytics.setUserProperty(userID, forName: "user_id")
        Analytics.enableCrossAppTracking()
    } else {
        // Limited, privacy-preserving analytics
        Analytics.setUserProperty("anonymous", forName: "user_id")
        Analytics.disableCrossAppTracking()
        Analytics.enableOnDeviceConversionTracking()
    }
}

Part 4: Tracking Domain Management

Declaring Tracking Domains

PrivacyInfo.xcprivacy

xml

<key>NSPrivacyTracking</key>
<true/>

<key>NSPrivacyTrackingDomains</key>
<array>
    <string>tracking.example.com</string>
    <string>ads.example.com</string>
</array>

iOS 17 behavior: If user denies ATT, network requests to these domains are automatically blocked.

Domain Separation Strategy

Problem: Single domain used for both tracking and non-tracking

Solution: Separate functionality into different hosts

Before:
- api.example.com (mixed tracking + app functionality)

After:
- api.example.com (app functionality only)
- tracking.example.com (tracking only)

Update manifest:

xml

<key>NSPrivacyTrackingDomains</key>
<array>
    <string>tracking.example.com</string>  <!-- Declared, will be blocked -->
</array>

Result: App functionality continues working; tracking blocked if denied.

Points of Interest Instrument (Xcode 15+)

Detecting unexpected tracking connections:

Xcode → Product → Profile
Choose "Points of Interest" instrument
Run app
Look for "Privacy" track showing network connections
Review flagged domains

What it shows: Connections to domains that may be tracking users across apps/websites.

Action: Declare these domains in

NSPrivacyTrackingDomains

or stop connecting to them.

Part 5: Required Reason APIs

What Are Required Reason APIs?

APIs that could be misused for fingerprinting (identifying devices without permission).

Fingerprinting is never allowed, even with ATT permission.

Required Reason APIs have approved use cases. You must declare which approved reason applies to your usage.

Common Required Reason APIs

API Category	Examples	Approved Reason Codes
File timestamp	`creationDate` , `modificationDate`	`C617.1` - `DDA9.1`
System boot time	`systemUptime` , `processInfo.systemUptime`	`35F9.1` , `8FFB.1`
Disk space	`NSFileSystemFreeSize` , `volumeAvailableCapacity`	`E174.1` , `7D9E.1`
Active keyboards	`activeInputModes`	`54BD.1` , `3EC4.1`
User defaults	`UserDefaults`	`CA92.1` , `1C8F.1` , `C56D.1`

Example: Disk Space API

API:

NSFileSystemFreeSize

URLResourceKey.volumeAvailableCapacityKey

Approved reasons:

E174.1: Check if there's enough space before writing files
7D9E.1: Display storage information to user
B728.1: Include disk space in optional analytics (only if user opted in)

Declaration in manifest:

xml

<key>NSPrivacyAccessedAPITypes</key>
<array>
    <dict>
        <key>NSPrivacyAccessedAPIType</key>
        <string>NSPrivacyAccessedAPICategoryDiskSpace</string>

        <key>NSPrivacyAccessedAPITypeReasons</key>
        <array>
            <string>E174.1</string>  <!-- Check space before writing -->
        </array>
    </dict>
</array>

Code:

swift

func checkDiskSpace() -> Bool {
    do {
        let values = try FileManager.default.attributesOfFileSystem(forPath: NSHomeDirectory())

        if let freeSpace = values[.systemFreeSize] as? NSNumber {
            let requiredSpace: Int64 = 100 * 1024 * 1024  // 100 MB
            return freeSpace.int64Value > requiredSpace
        }
    } catch {
        print("Error checking disk space: \(error)")
    }

    return false
}

// Usage
if checkDiskSpace() {
    saveFile()  // Approved reason E174.1: Check before writing
} else {
    showInsufficientSpaceAlert()
}

Example: UserDefaults API

Approved reasons:

CA92.1: Access info stored by app (settings, preferences)
1C8F.1: Access info stored by App Group
C56D.1: Access info stored by App Clips
AC6B.1: Third-party SDK accessing its own defaults

Declaration:

xml

<dict>
    <key>NSPrivacyAccessedAPIType</key>
    <string>NSPrivacyAccessedAPICategoryUserDefaults</string>

    <key>NSPrivacyAccessedAPITypeReasons</key>
    <array>
        <string>CA92.1</string>
    </array>
</dict>

Feedback for Missing Reasons

If your use case isn't covered, use Apple's feedback form: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

Part 6: Privacy Nutrition Labels

Data Types and Categories

Identifiers:

User ID
Device ID

Contact Info:

Name
Email address
Phone number
Physical address

Location:

Precise location
Coarse location

User Content:

Photos or videos
Audio data
Gameplay content
Customer support messages

Browsing History Search History Financial Info Health & Fitness Contacts Sensitive Info (racial/ethnic data, political opinions, religious beliefs)

Data Use Purposes

App functionality - Necessary for core features
Analytics - Understanding app usage
Product personalization - Customizing experience
Developer advertising - Ads for your own products
Third-party advertising - Ads from other companies

Linked vs Not Linked

Linked to user:

Data connected to user identity (name, email, user ID)
Example: User profile information

Not linked to user:

Data not connected to identity (anonymous analytics)
Example: Aggregate crash reports

Tracking Disclosure

Data is used for tracking if:

Combined with data from other apps/websites
Shared with data brokers
Used for targeted advertising based on cross-app behavior

Example declaration:

Data Type: Email Address
Purpose: App Functionality
Linked to User: Yes
Used for Tracking: No

Part 7: Xcode Privacy Report

Generating Report

Archive app: Product → Archive
Xcode Organizer → Select archive
Right-click → "Generate Privacy Report"
PDF created showing aggregated privacy data

What's included:

All privacy manifests (app + third-party SDKs)
Collected data types
Tracking declaration
Required Reason APIs

Reviewing Report

Check for:

Unexpected data collection (SDK collecting data you didn't know about)
Missing Required Reason declarations
Tracking domain discrepancies
Third-party SDKs without privacy manifests

Use for: Completing Privacy Nutrition Labels in App Store Connect

Part 8: Permission Types

Camera

swift

import AVFoundation

AVCaptureDevice.requestAccess(for: .video) { granted in
    // Handle response
}

// Info.plist
<key>NSCameraUsageDescription</key>
<string>Take photos of your meals to track nutrition</string>

Microphone

swift

AVAudioSession.sharedInstance().requestRecordPermission { granted in
    // Handle response
}

<key>NSMicrophoneUsageDescription</key>
<string>Record voice memos</string>

Location

swift

import CoreLocation

class LocationManager: NSObject, CLLocationManagerDelegate {
    let manager = CLLocationManager()

    func requestPermission() {
        manager.delegate = self

        // Choose one:
        manager.requestWhenInUseAuthorization()  // Only when app is open
        // OR
        manager.requestAlwaysAuthorization()     // Background location
    }
}

// Info.plist (iOS 14+)
<key>NSLocationWhenInUseUsageDescription</key>
<string>Show nearby restaurants</string>

<key>NSLocationAlwaysAndWhenInUseUsageDescription</key>
<string>Track your runs even when the app is in the background</string>

Photos

swift

import Photos

PHPhotoLibrary.requestAuthorization(for: .readWrite) { status in
    switch status {
    case .authorized, .limited:  // .limited = selected photos only
        // Access granted
    case .denied, .restricted:
        // Access denied
    @unknown default:
        break
    }
}

<key>NSPhotoLibraryUsageDescription</key>
<string>Save and share your workout photos</string>

Contacts

swift

import Contacts

CNContactStore().requestAccess(for: .contacts) { granted, error in
    // Handle response
}

<key>NSContactsUsageDescription</key>
<string>Invite friends to join you</string>

Notifications

swift

import UserNotifications

UNUserNotificationCenter.current().requestAuthorization(options: [.alert, .sound, .badge]) { granted, error in
    // Handle response
}

// No Info.plist entry required

Part 9: Privacy-First Design Patterns

Data Minimization

Principle: Only collect data you actually need

swift

// ❌ Bad - collecting unnecessary data
struct UserProfile {
    let name: String
    let email: String
    let phone: String           // Do you really need this?
    let dateOfBirth: Date       // Or this?
    let socialSecurityNumber: String  // Definitely not
}

// ✅ Good - minimal data collection
struct UserProfile {
    let name: String
    let email: String
    // That's it
}

On-Device Processing

Principle: Process data locally when possible

swift

// ✅ Good - on-device ML
import Vision

func analyzePhoto(_ image: UIImage) {
    let request = VNClassifyImageRequest { request, error in
        // Results stay on device
        let classifications = request.results as? [VNClassificationObservation]
        self.displayResults(classifications)
    }

    let handler = VNImageRequestHandler(cgImage: image.cgImage!)
    try? handler.perform([request])
    // No network request, no data leaving device
}

Explaining Value Exchange

Principle: Be transparent about why you need data

swift

// ✅ Good - clear value proposition
"We use your location to show nearby restaurants and save your favorite places. Your location is never shared with third parties."

Transparent Data Practices

Principle: Make privacy information easily accessible

swift

// Add Privacy Policy link in Settings screen
struct SettingsView: View {
    var body: some View {
        List {
            Section("About") {
                Link("Privacy Policy", destination: URL(string: "https://example.com/privacy")!)
                Link("Data We Collect", destination: URL(string: "https://example.com/data")!)
            }
        }
    }
}

Common Mistakes

Requesting permissions at launch

swift

// ❌ Wrong
func application(_ application: UIApplication,
                didFinishLaunchingWithOptions...) -> Bool {
    requestAllPermissions()  // User has no context
    return true
}

// ✅ Correct
@objc func cameraButtonTapped() {
    requestCameraPermission()  // Just-in-time
}

No explanation before permission dialog

swift

// ❌ Wrong
AVCaptureDevice.requestAccess(for: .video) { granted in }

// ✅ Correct
showCameraEducation {
    AVCaptureDevice.requestAccess(for: .video) { granted in }
}

Not handling denial gracefully

swift

// ❌ Wrong - dead end
if !granted {
    return  // User stuck
}

// ✅ Correct - offer alternative
if !granted {
    showSettingsPrompt()  // Path forward
}

Missing tracking domains

swift

// ❌ Wrong - privacy manifest declares tracking but no domains
<key>NSPrivacyTracking</key>
<true/>
<!-- Missing NSPrivacyTrackingDomains -->

// ✅ Correct
<key>NSPrivacyTrackingDomains</key>
<array>
    <string>tracking.example.com</string>
</array>

Incomplete Required Reason declarations

swift

// ❌ Wrong - using UserDefaults without declaring it
UserDefaults.standard.set(value, forKey: "setting")
// Privacy manifest has no NSPrivacyAccessedAPITypes entry

// ✅ Correct - declared in manifest with approved reason

Timeline

Date	Milestone
WWDC 2023	Privacy manifests announced
Fall 2023	Informational emails begin
Spring 2024	App Review enforcement begins
May 1, 2024	Privacy manifests required for apps with privacy-impacting SDKs

Resources

WWDC: 2023-10060, 2023-10053

Docs: /bundleresources/privacy_manifest_files, /bundleresources/describing-use-of-required-reason-api, /app-store/app-privacy-details, /app-store/user-privacy-and-data-use

Skills: axiom-app-intents-ref, axiom-cloudkit-ref, axiom-storage

axiom-privacy-ux

NPX Install

Tags

SKILL.md Content

Privacy UX Patterns

Overview

When to Use This Skill

System Requirements

Part 1: Privacy Manifests (WWDC 2023/10060)

Creating a Privacy Manifest

NSPrivacyTracking Declaration

NSPrivacyCollectedDataTypes

NSPrivacyAccessedAPITypes

Part 2: Permission Request UX

Just-in-Time vs Up-Front

Pre-Permission Education Screens

Permission Denied Handling

Settings Deep Links

Part 3: App Tracking Transparency

When ATT Is Required

ATTrackingManager.requestTrackingAuthorization

Custom ATT Prompt Message

Pre-Tracking Prompt Design

Graceful Degradation

Part 4: Tracking Domain Management

Declaring Tracking Domains

Domain Separation Strategy

Points of Interest Instrument (Xcode 15+)

Part 5: Required Reason APIs

What Are Required Reason APIs?

Common Required Reason APIs

Example: Disk Space API

Example: UserDefaults API

Feedback for Missing Reasons

Part 6: Privacy Nutrition Labels

Data Types and Categories

Data Use Purposes

Linked vs Not Linked

Tracking Disclosure

Part 7: Xcode Privacy Report

Generating Report

Reviewing Report

Part 8: Permission Types

Camera

Microphone

Location

Photos

Contacts

Notifications

Part 9: Privacy-First Design Patterns

Data Minimization

On-Device Processing

Explaining Value Exchange

Transparent Data Practices

Common Mistakes

Requesting permissions at launch

No explanation before permission dialog

Not handling denial gracefully

Missing tracking domains

Incomplete Required Reason declarations

Timeline

Resources