analytics software user content at iOS app store review (app is rejected)

Question

our iOS app was just rejected at iOS app store and here is what we get:

PLA 3.3.9

We found that your app uses analytics software to collect and send device data to a third party, which is not in compliance with the iOS Developer Program License Agreement.

3.3.9 You and Your Applications may not collect user or device data without prior user consent, and then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising. You may not use analytics software in Your Application to collect and send device data to a third party.

Specifically, we found your app uses the MAC address for the device for identification purposes

We are using the Mac address at the unique device identification, I think that it is not allowed any more (iOS 7 doesn't support query of Mac Address as well, see link). Although it doesn't clearly say that, however from the following lines at "iOS Developer Program License Agreement", we could clearly see that it is not allowed any more:

Further, neither You nor Your Application will use any permanent, device-based identifier, or any data derived therefrom, for purposes of uniquely identifying a device

So I already removed the Mac address query at our code and use some other approach for device identification, however I am a little concerned about lines:

You and Your Applications may not collect user or device data without prior user consent

You may not use analytics software in Your Application to collect and send device data to a third party

Our app is a mobile content management software. We are collecting information about the devices such as OS, model, location and user's document audit logs, etc. What type of consent we should present to user here?

Should we present a end user license agreement here to include all those? (I guess I need to ask the lawyer of our company to write it out if so).

Right now, our code does present an app usage policy downloaded from our management server as well. User needs to accept that policy before we are starting collecting user and device information. Or is it sufficient by having more related text at that usage policy?

Right now, app store review team doesn't complain that we would collect the location (I guess there is a location prompt from OS anyway which user would need to accept).

Your suggestions are really appreciated since we are very tight on time here and review cycle at app store is about a week. Not sure if there are any other issues we would face after next submission with the above fix. Or Maybe that app store review team would give out all the issues at one review and if we fix this, we should be good to go, if app store review is like this, please let me know as well from your experience. Thanks very much in advance for your time.

Answer 1

our app got approved by Apple. Here are what we did:

1. remove the call for Mac Address
2. modified the EULA for the app at the itunes connect to include agreements that our app would collect user and device information.
3. add a screen at our app to ask user to accept a EULA before our app starts to collect user and device information.

We did the maximum what we could do here since we have a very tight timeline and we could not afford another rejection. You may not need to do all above if you have time to test in case that you get the same type of rejection. Hope that it is helpful to you.