Thursday, March 14, 2024

Digital Services Act Compliance: App Store


You’ll be asked to disclose whether or not you’re a trader under the European Union’s Digital Services Act (DSA) in order to stay compliant across regions when distributing on the App Store. If you’re distributing content as a trader, the DSA requires that you provide certain identification information, including address and contact details, to be displayed on your App Store product pages to consumers in the European Union (EU).

Steve Troughton-Smith:

TL;DR since this is confusing a bunch of folks: If you make money on the App Store, you are a Trader, and under the DSA are required to provide a postal address, email address, and phone number, that will all be displayed publicly on the App Store

Michael Love:

Successfully completed Apple’s DSA verification thing with a newly-created Google Voice number, FWIW - $10/month for up to 10 of them, though if I find a cheaper option I’ll cheerfully switch.

(physical address they got from DUNS, so I couldn’t do much about that, but it’s already in a bunch of other public databases anyway thanks to our government contracting business)

If you’re registered as an individual, Apple lets you specify the postal address directly. If you’re registered as an organization, I guess the only choice for privacy is to use a registered agent for your business. A post office box is not enough because businesses need to list a physical address. It’s unclear to me how much this really matters since in most cases the information is publicly available, anyway, if you know where to look.

See also: Jim Ye, JetBrains, Amy Worrall.


Update (2024-03-17): Matthias Gansrigler:

So, I got a new phone number, and a post office box, and now it turns out I cannot complete the “Compliance Requirements” because they fail to send me the SMS confirmation code, and calling doesn’t work either 🤦‍♂️

Matthias Gansrigler:

Days I could have spent working. But no, I have to deal with this bureaucratic EU nonsense (and Apple’s forms don’t work).

Jeff Johnson:

The irony is that even if I published my phone number and home address in the App Store for EU consumers, it’s impossible for me to offer them a refund, because Apple does not allow that. App Store developers don’t even have individual customer transaction information.

See also: Brent Simmons and John Gruber.

Update (2024-03-20): Aaron Pearce:

Well I can’t fill out the DSA form.

Apple is pre-filling it with an address I have never had linked to my DUNS number or my business entity. Seemingly they are incorrectly pulling an address from when I was an individual developer.

Helge Heß:

I don’t think it is about a basic principle, it IMO really is an oversight. Usually EU laws are scoped at company sizes and such for that specific reason. No idea why this doesn’t have that. E.g. Germany has such rules for people doing minor business (covering hobbyist devs well).

Ryan Jones:

What’s the best Registered Agent for just the very basic LLC stuff, USA?

Tom Royal:

Today in Apple developer land:

Developer demanding Digital Services Act verification, but then crashes at the end of the process[…]

Update (2024-03-22): Apple:

To align with the Digital Services Act (DSA) in the European Union (EU), Account Holders and Admins in the Apple Developer Program can now enter their trader status in App Store Connect.

Jacob Eiting:

The European Commision defines trader extremely broadly as any business or person “acting in his or her name or on his or her behalf, for purposes relating to his or her trade, business, craft or profession.” We are not lawyers at RevenueCat, but it seems pretty clear that if you are transacting with any European consumers, you fit this definition.

Update (2024-03-29): Jeff Johnson:

The crazy thing about my DSA compliance situation is that it was only after uploading my documentation to Apple (for a third time) while the senior advisor was still on the phone with me that I could get some semblance of a reason for why they rejected it. They otherwise refused to give me a reason, but they wanted me to try again to upload it, which would have caused repeated rejections, because it was the exact same documentation that they already found unacceptable.

11 Comments RSS · Twitter · Mastodon

Beatrix Willius

It doesn't matter anyways because my address must be on the website anyways. Not sure why I would hide my address for a business. I always check the country when I buy software.

>If you’re registered as an organization, I guess the only choice for privacy is to use a registered agent for your business.

I guess they're rolling this out EU-wide now. It's been the case in Germany for a long time. Any web site that remotely counts as commercial needs to have an "imprint". That can go all the way to judges ruling that a blog that runs ads counts as commercial, and therefore your personal address needs to be made public.

Anyway, yeah, the intent is that if you make money selling software, consumers need a way to contact you directly. Which is a bit funny since Apple has that weird position where they don't view App Store users as the _developer's_ customer but rather as _Apple's_ customer. I guess the EU begs to differ.

I think this is mostly for the good of the consumer, but I do understand why this irks indies.

Unfortunately, I've had a less than stellar time filling out this form. Even leaving aside that it's a wizard, with no Back button (only Cancel and Next), no indication of how many steps remain, and no ability to resume later, I ran into multiple issues. They had me provide an e-mail address and phone number, each with a six-digit code. The former went swimmingly. The latter did not work at all on first attempt (I think they try to send a text message). You're then given an option to receive a call instead. This, too, did not always work. Then they ask for a legal document for your company status; then another legal document for your company address. Finally, they list it all, and… oops, the phone number looks formatted incorrectly!

Alright, time to Cancel (remember, that's all you can do other than Finish) and start anew, and type the phone number _incorrectly_ in hopes Apple formats it better this time. Oops, this time, not only does the text message never arrive; the call doesn't either. (My guess? This time, they would _format_ the number correctly but not be able to _call_ it.) Um, try again? No luck. Try a third time? This time, presumably for security reasons, Apple flat-out refuses to even _try_ to validate the phone number. (Keep in mind they _had_ validated it just an hour ago.) Instead, they want me to provide a _third_ document, this time one to certify the phone number is ours. Couldn't produce one in time. Hit Cancel again! Fed up. Call it a night.

Next day, try again. Enter the phone number again the first way. E-mail validation works. Text message validation does not. Phone call validation _does_ this time. Two documents, not three. Last page: phone number formatted incorrectly.

"Does this look correct?" No, it doesn't, but whatever, sure. Affirmative.

Oh, they also listed the DUNS number as empty, which is weird, because I know for a fact they have a DUNS number for us on file: when I needed one for Microsoft, I could, oddly enough, ask Apple for ours and they happily provided it.

Bureaucracies! :-)

“Organizations: The address associated with your D-U-N-S Number will automatically display. You’ll need to enter the following for display on your App Store product pages:
Phone number
Email address”

I have a corporation. It’s a small business. I live in the US. I do email support but i do not do phone support and do not plan to anytime soon. I’m a solo dev and cannot realistically provide
phone support. EU can fuck off with that publishing my phone number shit on the App Store.

Yes, the phone number didn't handle the usual formatting. Then the two documents which proved that you are real were unexpected. And I agree, as an individual, I cannot support via phone. It's not feasible. The only good (at the moment) is that a Google Voice number is ok. Set do not disturb on!

Apple always said that they can not compromise with user's privacy, But now what about developer's privacy...?????

@Bhavesh This requirement is coming from the EU, not Apple.

What if I am not making money on the app store (just distributing a completely free app)? Or if I am not distributing apps in the EU? Do I still need to complete DSA verification?

I have the same issue that I cannot confirm DSA compliance because Apple never pulled the correct address from the DUNS system. It still shows my old private address that I had used when setting up the developer account before converting it to a business account for my US-based company. What a mess.

I think a lot of small developers should not have to provide this information. Looking at Recommendation 2003/361/EC, Article 2 says:

3. Within the SME category, a microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million.

Now going to Regulation 2022/2065 (the DSA), Article 29 says:

Exclusion for micro and small enterprises
1.   This Section shall not apply to providers of online platforms allowing consumers to conclude distance contracts with traders that qualify as micro or small enterprises as defined in Recommendation 2003/361/EC.

So, I am a solo developer with a lot less than EUR 2M in revenue and assets, so I think I am immune.

Any thoughts anyone?

@Ralph: Article 29 sounds like the exclusion would apply to the whole platform (in this case the App Store), not to the traders. So I think that once Apple is subject to the rules, that article doesn’t help us.

As an aside, the wording also makes it ambiguous whether it’s the traders or the platform that have to be micro/small, but that should be moot anyway because neither apply in Apple’s case.

Leave a Comment