IDFA usage explanation on the website

Hello,

We have a problem related to Expo builds and iOS appstore.

Apple rejected us with the following reason:

We noticed that your Kids Category app includes analytics, advertising and collects, transmits, or has the ability to share personal information or device information with third parties. …
Third-party analytics or third-party advertising with the ability to collect, transmit or share identifiable information, including, for example, IDFA.

We’ve been deploying this app for months now with no problems… We’re aware about Expo’s IDFA and this issue on Github (https://github.com/expo/expo/issues/1320) where you explain your IDFA usage.

But the new twist now is that, since the app is targeted to kids – recently Apple became stricter and now they require us to remove IDFA. Which we can’t (unless we eject).

We understand that IDFA isn’t accessible to us and it’s used for low-level Expo SDK usage. And it doesn’t send any identifiable information about our users. That’s why we think the app should still fall under this exception (from Apple’s guidelines):

In limited cases, third-party analytics may be permitted provided that the services do not collect or transmit the IDFA or any identifiable information about children (such as name, date of birth, email address), their location, or their devices.

Now, it would be nice if your usage of Segment and Amplitude could be more prominent on the (expo .io) website. At the moment, I have to send a link to a 2 year old (closed) github issue where the third comment explains your IDFA/Segment usage. It would be a lot simpler if that were a page with its own URL or part of the the page explaining app stores.

If we can’t explain clearly how IDFA/Segment/Amplitude is being used in our app – there is a danger that all kid-targeted Expo application will start being rejected .

Hey! Thanks for writing in about this and starting a thread here

I’ve updated our documentation to reflect this a little bit better from our deploying to app stores documentation.

But the new twist now is that, since the app is targeted to kids – recently Apple became stricter and now they require us to remove IDFA. Which we can’t (unless we eject).

After letting Apple know the special circumstances, they responded saying your app does not fall under that exception and you must remove those third party libraries?

I should also note that very shortly, moving to the bare workflow will be much easier and it will have all the same APIs that the managed workflow does, allowing you to build apps with OTA updates, notifications, and all that good Expo stuff :smile: Plus, we plan on just making it better and better

I added this github issue recently and charliecruzan pointed me here to an ongoing discussion here.

What I did, when apple rejected the kids app for the first time, was quoting and pointing to expo documentation, making it as clear, as a message might be, that there is no tracking implemented in the game, absolutely no ads, no data is collected, sent, whatsoever and never intended to do any of that in the future for our game.

Still from the review process we’ve only got as a second reply:
“We noticed that your Kids Category app includes analytics, advertising and collects, transmits, or has the ability to share personal information or device information with third parties.”
They clearly became stricter, since February, it seems, and they clearly say: “or has the ability” for Kids category.

I didn’t want to eject, actually, it is not encouraged by the expo documentation, for various reasons, that I agree on. I struggled to find a solution to this but the only thing we can do to comply is to eject and remove Segment and Amplitude.

Charliecruzan, your note on bare workflow is encouraging, thanks for that.

Yes, we have the same a similar situation. We don’t send anything to third-party services. They rejected us for the same reason as Dogotaru pointed out.

Now, I’m not sure about you, Dogotaru, but I hoped to make a case that this specific case falls under this exception from their guidelines:

In limited cases, third-party analytics may be permitted provided that the services do not collect or transmit the IDFA or any identifiable information about children (such as name, date of birth, email address), their location, or their devices.

Because AFAIK, there is no way I can retrieve the IDFA and/or segment code used by Expo and embedded in the binary.

We need a way to explain that we (as developers) can’t actually use Expo’s Segment/Amplitude/IDFA and that this code doesn’t send our user’s data. And to do that, I think we need a better place than a two-years old github issue.

That’s why I think there should be one place on expo.io where this is clearly stated (quoting that 2yo github issue):

  • We collect anonymous usage statistics through Amplitude which aren’t specific to your app and help us figure out how people are using Expo, as covered here.
  • By default there is no data being sent to Segment at all, unless you use the Segment API in your app for your own purposes.

Even though no Segment calls are made by default, since the code is statically present in your binary that could run Segment, you still need to check the IDFA boxes listed in our https://docs.expo.io/versions/latest/guides/app-stores.html#ios-specific-guidelines.

PS. I understand and appreciate the coming changes in the bare workflow. It’s just that we didn’t plan to eject now :frowning:

I wrote a long response, but the akismet spam-filtering thought it’s spam (which, I can guarantee it wasn’t). So, here’s a shorter version:

We had the same experience as Dogotaru.

Maybe, just maybe a better explanation in the official Expo documentation would make Apple change their mind.

If not. Either Expo drops IDFA/Segment/… from the builds (any remote chance for this to happen?) or you just clearly specify in the docs that kid-targeted apps will be rejected for managed apps.