Apple rejects roughly 40% of first-time app submissions. A significant share of those rejections stem from legal and privacy shortcomings rather than bugs or broken features. The App Store Review Guidelines - particularly Section 5 on privacy - set a high bar, and it keeps rising. The December 2025 revision introduced new requirements around AI data consent, age assurance APIs, and stricter metadata disclosures.
This guide covers every legal obligation that applies when publishing an iOS, iPadOS, or macOS app to the App Store in 2026.
Apple Developer Programme Enrolment
Before any legal requirements come into play, the app must be submitted through a paid Apple Developer Programme account. Individual enrolment costs $99 per year and requires a two-factor-authenticated Apple ID. The applicant must be at least 18 years old. Organisations face extra requirements: an official business email address, legal entity status, a D-U-N-S Number, and a live website.
Acceptance of the Apple Developer Programme Licence Agreement is mandatory. The agreement was updated in December 2025 to cover new APIs including the Declared Age Range API and terms for iOS app distribution in Japan under the Mobile Software Competition Act.
Privacy Policy: The Non-Negotiable Baseline
Every app on the App Store must have a privacy policy. No exceptions - not even if the app collects zero user data. Apple's Guideline 5.1.1(i) requires a privacy policy link in two places: the App Store Connect metadata field and within the app itself, in an easily accessible location such as a Settings or About screen.
The policy must clearly and explicitly cover the following points:
| Requirement | What to disclose |
|---|---|
| Data collected | Every type of data the app gathers, however minimal |
| Collection methods | How data is collected (forms, SDKs, device sensors, APIs) |
| Purpose of use | All purposes - analytics, personalisation, advertising |
| Third-party sharing | Every third party receiving user data, with confirmation they provide equal data protection |
| Consent revocation | How users can withdraw consent for data collection |
| Data deletion | How users can request deletion of their personal data |
Apple will reject the submission if the privacy policy URL is missing, broken, or leads to a placeholder page. The URL must be live and functional at review time.
App Privacy Labels
Since December 2020, Apple has required developers to complete App Privacy Details in App Store Connect. These generate the privacy "nutrition label" on the app's product page, giving users a snapshot of data practices before downloading.
The label requires disclosure across several dimensions: what data types are collected, whether each type is linked to the user's identity, whether it is used for tracking, and the purpose of collection. Third-party SDKs complicate things. If the app integrates an analytics SDK that collects device identifiers, that collection must appear on the label even if the developer never directly accesses the data.
Data processed only on-device does not need to be declared - but if any derived data leaves the device, it must be disclosed separately.
AppTrackingTransparency
Apps that track users across other companies' apps or websites must present the ATT prompt before any tracking begins. The user's response is final. Apple's Guideline 5.1.1(iv) prohibits manipulating, tricking, or forcing users into granting access. Apple also bans device fingerprinting: deriving data from a device for the purpose of uniquely identifying it violates the Developer Programme Licence Agreement.
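As an added illustration (not code from the article), the gating that Guideline 5.1.1(iv) implies, in Swift: the prompt is requested only while the status is undetermined, the user's answer is treated as final, and no identifier is produced when tracking is not authorised. It assumes Info.plist carries NSUserTrackingUsageDescription and uses a hypothetical AnalyticsClient as a stand-in for a real SDK.

```swift
import AppTrackingTransparency
import AdSupport
import Foundation

/// Hypothetical stand-in for a real analytics SDK (not a real library).
final class AnalyticsClient {
    static let shared = AnalyticsClient()
    func enableCrossAppTracking(idfa: String) { /* forward IDFA to backend */ }
    func disableCrossAppTracking() { /* send events without cross-app identifiers */ }
}

/// Gates every cross-app tracking call behind the ATT prompt (added example).
enum TrackingGate {
    /// Asks only while the status is undetermined; once answered, iOS never
    /// shows the prompt again, so the response is treated as final.
    static func requestIfNeeded(completion: @escaping (Bool) -> Void) {
        switch ATTrackingManager.trackingAuthorizationStatus {
        case .authorized:
            completion(true)
        case .denied, .restricted:
            completion(false)
        case .notDetermined:
            ATTrackingManager.requestTrackingAuthorization { status in
                DispatchQueue.main.async { completion(status == .authorized) }
            }
        @unknown default:
            completion(false)
        }
    }

    /// Returns the IDFA only when tracking is authorised. Otherwise return nil;
    /// never fall back to a fingerprint-derived identifier, which the
    /// Developer Programme Licence Agreement prohibits.
    static func trackingIdentifier() -> String? {
        guard ATTrackingManager.trackingAuthorizationStatus == .authorized else { return nil }
        let idfa = ASIdentifierManager.shared().advertisingIdentifier.uuidString
        // An all-zero UUID means the identifier is unavailable.
        return idfa == "00000000-0000-0000-0000-000000000000" ? nil : idfa
    }
}

/// Call once the app is active (e.g. from sceneDidBecomeActive); the system
/// does not present the prompt while the app is still launching.
func startTrackingIfPermitted() {
    TrackingGate.requestIfNeeded { allowed in
        if allowed, let idfa = TrackingGate.trackingIdentifier() {
            AnalyticsClient.shared.enableCrossAppTracking(idfa: idfa)
        } else {
            AnalyticsClient.shared.disableCrossAppTracking()
        }
    }
}
```

The denied and restricted branches deliberately share the opt-out path: a restricted status (e.g. a managed device or a child account) must be treated exactly like a refusal.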
Account Deletion Requirement
Any app that supports account creation must also support account deletion from within the app. This has been mandatory since June 2022 and remains one of the most common reasons for rejection among apps relying on user accounts.
This aligns with broader regulatory trends. The GDPR's right to erasure (Article 17) and the CCPA's deletion rights both impose similar obligations on businesses handling personal data of EU and California residents respectively.
End-User Licence Agreement (EULA)
Apple provides a Standard EULA that applies automatically unless the developer uploads a custom version. Whether custom or standard, the EULA must include Apple's Minimum Terms: acknowledgement that the agreement is between the developer and end user (not Apple), that the developer bears sole responsibility for the app and its content, and that the developer handles product liability, regulatory compliance, and intellectual property claims. The developer's name, address, and contact details must appear in the EULA.
In-App Purchases and Subscriptions
All digital goods sold within the app must use Apple's In-App Purchase system, with Apple retaining a commission (30% standard, 15% under the Small Business Programme). Specific exceptions exist for "reader" apps, and apps on the US storefront may now include external payment links following a court ruling.
Subscriptions carry strict disclosure requirements. The app must show full pricing, renewal terms, and cancellation instructions before the user commits to payment. Auto-renewable subscriptions must clearly state the price, duration, and automatic renewal. Failure to present this prominently is a common cause of rejection.
Age Ratings and the New US State Laws
Every app must be assigned an age rating based on content. Apple's questionnaire covers violence, mature themes, profanity, gambling, and similar categories. AI-powered features add a new layer - Apple now requires developers to consider how AI assistants or content generation features impact the frequency of sensitive content within the app.
Beyond Apple's own ratings, a wave of US state legislation now imposes age verification obligations on developers:
| State | Law | Effective date | Status (March 2026) |
|---|---|---|---|
| Texas | SB2420 | 1 January 2026 | Blocked by federal court injunction |
| Utah | App Store Accountability Act | 6 May 2026 | Developer obligations pending |
| Louisiana | App Store Accountability Act | 1 July 2026 | Pending |
| California | Digital Age Assurance Act | 1 January 2027 | Enacted, not yet in effect |
These laws apply to all apps - not just those targeting minors. App stores must verify users into age categories (under 13, 13-15, 16-17, 18+), and developers must use that signal to enforce age-related restrictions and obtain parental consent for minors. A federal judge blocked the Texas law in December 2025 on First Amendment grounds, but Utah's obligations still take effect in May 2026. Building age signal handling into the app now avoids a rushed retrofit later.
Regional Data Protection Compliance
Apple's Guideline 5.1 places full responsibility for legal compliance on the developer. Distributing an app globally means potentially triggering obligations under dozens of data protection frameworks simultaneously.
| Regulation | Jurisdiction | Key obligation for apps |
|---|---|---|
| GDPR | EU/EEA | Lawful basis for processing, explicit consent for tracking, data subject rights |
| UK GDPR | United Kingdom | Mirrors EU GDPR with ICO as supervisory authority |
| CCPA/CPRA | California | Right to opt out of sale/sharing, privacy notice requirements |
| LGPD | Brazil | 10 legal bases for processing, data subject rights, ANPD oversight |
| PIPEDA | Canada | Consent-based framework, 10 fair information principles |
| POPIA | South Africa | Processing conditions, prior authorisation for special personal information |
An app distributed in the EU that uses analytics, advertising identifiers, or any form of tracking will need to comply with the ePrivacy Directive alongside the GDPR. On mobile, this often manifests through the ATT prompt combined with a consent management platform for web views or hybrid components.
Technical Build Requirements
From April 2026, all apps uploaded to App Store Connect must be built with the iOS/iPadOS 26 SDK. The app must be fully functional at submission - no placeholder content, broken links, or incomplete features. If the app requires login, provide a demo account to the review team. Apple claims to review 90% of submissions within 24 hours, but rejections for privacy issues can delay launch by days or weeks through Resolution Centre exchanges.
Frequently Asked Questions
Does an iOS app need a privacy policy even if it collects no user data?
Yes. Apple requires every app on the App Store to include a privacy policy, regardless of whether it collects data. If the app truly gathers nothing, the policy should state that explicitly.
What happens if the privacy policy URL is broken when Apple reviews the app?
The submission will be rejected. Apple checks that all URLs - including the privacy policy and support page - are live and functional at review time. Fix the link and resubmit.
Do the new US age verification laws apply to apps not aimed at children?
Yes. The App Store Accountability Acts in Texas, Utah, Louisiana, and California apply to all apps made available in those states, not just apps directed at minors. Every developer must prepare to handle age signals from Apple's APIs.
Can developers use their own payment system instead of Apple's In-App Purchase?
For digital goods and services, Apple's In-App Purchase is generally required. However, reader apps (magazines, books, audio, video) have exceptions, and apps on the US storefront may now include links to alternative payment methods following a court ruling.
When is a custom EULA needed instead of Apple's Standard EULA?
Apple's Standard EULA covers the basics and applies automatically. A custom EULA is only needed if the app has specific terms around subscriptions, content licensing, user-generated content, or service levels that go beyond the standard agreement.
How does GDPR compliance work for an iOS app distributed in the EU?
The app must have a lawful basis for every type of data processing, obtain explicit consent before tracking (via ATT or an in-app mechanism), honour data subject rights (access, deletion, portability), and comply with the ePrivacy Directive for any cookie or local storage usage in web views.
What are Apple's disclosure rules for apps that use AI features?
Apps using AI must clearly explain how automated features work, disclose which AI services are used and what data is shared with them, obtain user consent before sending personal data to third-party AI providers, and ensure the age rating accounts for any sensitive content the AI might produce.
Start With a Clean Privacy Audit
Getting the legal side right begins with understanding exactly what data the app collects - and what third-party code collects on its behalf. A cookie and tracking scanner can identify hidden data collection in web views and hybrid components. Kukie.io provides geo-aware consent management that adapts to each user's jurisdiction, handling GDPR opt-in, CCPA opt-out, and the rules in between.