Introduction
At WWDC 2023 Apple announced a number of additions to its privacy program, including the introduction of Privacy Manifests.
Since then, we have been collecting your questions, as well as seeking clarity from Apple about how this impacts development with the Unity Engine. This thread will be updated to provide information on how Unity will be helping Apple app developers with these new requirements.
What is this about?
The Privacy Manifest is a text file that outlines privacy practices of first or third-party code.
A Privacy Manifest file can contain:
- Data usage: This explains the data collection purposes of your Application or SDK. Think about this as a representation of âprivacy nutrition labelsâ and app tracking.
- Access to Required Reasons APIs: These are APIs with the potential for misuse, so Apple needs to know why your code calls them. Failing to declare these APIs may in the future result in your app update being rejected from the App Store.
The current Apple guidelines (from December 2023) state that from Spring 2024 new apps and app updates must at least:
- Describe their use of Required Reason API, or they âwonât be accepted by AppStore Connectâ
- Include the Privacy Manifest for any Commonly-used SDK. Commonly used 3rd-party SDKs (as defined by Apple here) will require a Privacy Manifest and in some cases, a digital signature. UnityFramework is in this initial list, and we can confirm we will be providing Privacy Manifest details covering the Unity Engine core APIs in 2021+ LTS versions.
These apply to: iOS, iPadOS, tvOS, visionOS, and watchOS.
The changes noted here apply to the Unity Engine core only. That is the platform support without any built-in or third party packages or plugins. Package and plugin owners will be addressing any required changes for their product themselves.
Note: This post provides general information about the privacy manifests and Unityâs plan for supporting developers in its implementation. It is important that you review Appleâs documentation before you create a privacy manifest for your project.
Unity Engine support plan
From today and through Q1 2024 we will be publishing documentation and shipping Engine updates to help with Privacy Manifests. We will release more information as it becomes available.
Unity 2021 LTS will be the minimum version with officially supported Unity Engine Required Reasons API compatibility. We recommend that you upgrade your project to the latest patch version to receive upcoming additions.
Supported versions will cover:
- [Available today] Unity Engine core Required Reason Privacy Manifest entries & related Documentation. See them here. This covers Unity Engine coreâs internal usage of Required Reasons APIs.
- [Available today] Documentation for C# methods that map to Required Reason APIs. If you use one of these, you will need to declare a Reason. See them here.
- [Available today] Fixes to the Unity Engine core to comply with Required Reasons. We are updating the Engine to use fewer Required Reason APIs. This change is available in Unity 2021.3.34f1, 2022.3.16f1 and 2023.2.5f1 releases. This is an internal change, so it is not mentioned in the release notes. This change requires a Unity Editor update.
- [Available today] Solution to incorporate Privacy Manifests coming from Unity plugins, packages and your project. This change is available in Unity 2021.3.35f1, 2022.3.18f1 and 2023.2.7f1 releases. The release notes state âAdd Apple Privacy Manifest supportâ. This change requires a Unity editor update.
- [Available today] Addition of 35F9.1 reason for the Required Reason APIs used within Unity Engine core. This change is available in Unity 2021.3.36f1, 2022.3.21f1 and 2023.2.13f1 releases. The release notes state âAdded missing privacy manifest entry for System Boot time API usageâ. This change requires a Unity editor update.
[Work in progress] We will sign Unity Engine libraries within UnityFramework. We expect this change to be available in Unity 2021/2022/2023 forthcoming patch releases This change will require a Unity editor update.This is not required. See new posts for details.
Unity Engine & Privacy Manifests
An Apple Unity application can contain multiple frameworks (eg Ads or Social SDKs). Each framework can contain a single Privacy Manifest file. Out of the box, Unity applications have a single framework for the Unity project, called UnityFramework. Multiple Privacy Manifest files coming from different plugins, packages integrated into your Unity project, or first-party (your Unity project) will have to be combined into a single Privacy Manifest file inside of Unity Framework. Future Unity versions will do this automatically, but Unity developers with projects stuck on older Unity versions will have to do this manually.
Note: It is your responsibility to check the accuracy of the privacy manifest of the Unity Framework.
Continue reading to learn about our support plans and how to manually collect Privacy Manifest information from different sources.
You can do this now - Audit & Prepare
Below are initial guidelines on how you can audit your code in a Unity project or a plugin / package. We will continue to update this post as new information is made available.
The Required Reasons APIs in Unity application can be called in two ways
- Natively
- Through a C# method:
Make sure to check both use cases when auditing your code.
If you are a Unity Game/App Developer
-
Consider updating your project to the latest patch version of your supported LTS. This way you will be ready to receive relevant updates.
-
Identify any third party SDKs that you use. Please see the documentation or contact the owners of these SDKs to check if they need to have a Privacy Manifest. If they use a Required Reason API, they must have a Privacy Manifest. You will have to update these SDKs to newer versions that provide Privacy Manifest.
-
Audit Required Reasons API usage - Any inclusion of a Required Reason API call in your app, even if dormant, will require a reason declaration in the manifest.
-
Examine any of your first-party native code or libraries for any calls for Required Reason APIs.
-
Examine your C# code - are you using any calls from this list.
-
You will need to add your reasons for calling any Required Reason API either within the native or the C# space.
-
(if applicable) Audit your own privacy practices [Apple Docs] for data use and add this information to the privacy manifest file.
-
Create a Privacy Manifest in Xcode and include the above information in the privacy manifest file.
-
Save this file into your Unity project under the Plugins folder. In latest versions of Unity Editor 2021, 2022 and 2023 this file is merged into the Unity Framework Privacy Manifest during project build.
Our documentation page includes these instructions as well.
Special case - Unity as a Library
If you have additional first-party data collection/Required Reasons practices that happen outside the Unity project you will need to create a top-level main app privacy manifest and add those there.
If you are a Plugin/Package/SDK owner
You may be providing a service or package to be included inside a Unity project. Examples: an ad network, social network, or Asset Store package that contains code. Below are our suggestions based on your product delivery type. Our documentation page includes these instructions as well.
My product is delivered as a .framework
Steps:
-
Audit Required Reasons API usage
-
Examine any native code, or native library of yours for usage.
-
(if applicable) Audit your SDKs privacy practices [Apple Docs] for data use and collect this information.
-
Include the above information in your frameworkâs privacy manifest file as directed by Apple.
-
Release a new version of your SDK Framework.
My product is NOT delivered as a .framework
Consider delivering your product as a .framework.
If this is not possible:
-
Audit Required Reasons API usage.
-
Examine any native code, or native library of yours for usage.
-
Examine your C# code - are you using any calls from this list.
-
You will need to add your reasons for calling any API either within the native or the C# space.
-
(if applicable) Audit your privacy practices [Apple Docs] for data use.
-
Create a Privacy Manifest in Xcode and include the above information in the privacy manifest file.
-
Save it inside your plugin folder eg Plugins/.xcprivacy file. In latest versions of Unity Editor 2021, 2022 and 2023 this file is merged into the Unity Framework Privacy Manifest during export.
-
Release a new version of your Plugin/Package.
Here is a visual representation of our suggestions
Troubleshooting
-
Will XYZ sdk/plugin/package I use in my Unity project provide a Privacy Manifest?
-
Each sdk/plugin/package owner is responsible for providing this information for their code. Check the latest documentation of sdk/plugin/package or contact their owner.
-
UnityFramework has been identified as a âcommonly used SDKâ in need of Privacy Manifest.
-
We are aware of this and we will be providing documentation and Unity editor updates containing the Engineâs Privacy Manifest information for supported Unity Engine versions.
-
UnityFramework has been identified as a âcommonly used SDKâ in need of a signature.
-
Aside from Unity libraries, UnityFramework also contains your code and any 3rd party plugins that you include in your Unity project. This framework is automatically signed when you build your project on your machine.
To fulfil Appleâs requirements, Unity will sign only Unity libraries within UnityFramework. We will implement this in future patch releases for supported Unity Engine versions.Apple has confirmed we donât need to sign Unity libraries for now. -
Iâm using an older Unity version than Unity 2021 LTS and I canât upgrade.
-
We will be providing extensive documentation only for officially supported Unity versions. You can attempt to use it with older Unity versions, but we are unable to guarantee it would work or be accurate.
-
(Third party) Apple/Cocoapods Frameworksâ PrivacyInfo.xcprivacy is not included in the build if it is linked statically to another framework. This issue is not specific to Unity projects.
-
You should place your framework in XCFramework if you plan to statically link it. This way Xcode will include the privacy manifest from your statically linked framework. However, this still does not work for Cocoapods.