App Store Compliance
What WWDC 26 could change for iOS app web requirements
Pattern-based predictions for what WWDC 26 (June 8, 2026) is likely to add to the App Store compliance list — privacy manifest, AASA, App Store Connect URLs — based on Apple's last four conferences.
The WWDC 26 keynote is Monday, June 8, 2026, at 10 a.m. PT, followed by the Platforms State of the Union at 1 p.m. PT — the session where the year’s compliance and platform-policy changes actually get spelled out. The fall release this announces will be iOS 27, iPadOS 27, macOS 27, watchOS 27, tvOS 27, and visionOS 27 (Apple unified to year-based version numbers at WWDC 25, jumping from iOS 18 to iOS 26).
This post doesn’t try to predict Apple’s keynote slides. It does something more useful: it looks at what Apple has done every WWDC since 2022 and identifies the categories of compliance change you can expect to land — and the categories you can prepare for today, two weeks before the keynote, without waiting for any specific announcement.
Apple’s four-year compliance-cadence
Every recent WWDC has added at least one item to the list of web pages, files, or App Store Connect fields developers must maintain.
| Year | What got added |
|---|---|
| WWDC 2022 | Account deletion requirement — Guideline 5.1.1(v); enforced June 30, 2022 |
| WWDC 2023 | Privacy manifest preview — PrivacyInfo.xcprivacy introduced; required-reason API list seeded |
| WWDC 2024 | Privacy manifest mandatory for new apps and updates with privacy-impacting SDKs (May 1, 2024); ITMS-91053 starts gating uploads |
| WWDC 2025 | App Store Tags (Apple-LLM-generated, human-reviewed metadata); year-based version naming; Liquid Glass design language |
Two consistent patterns:
- The compliance surface always grows. No year has removed a requirement. New URLs, new bundled files, new App Store Connect fields, new questionnaire categories — every year adds more, never less.
- Mandates land ~12 months after preview. Apple typically previews a requirement at WWDC, then enforces it the following spring. The privacy manifest followed this exactly (WWDC 2023 preview → May 2024 enforcement). If WWDC 26 previews something new, expect spring 2027 enforcement.
What’s likely to land at WWDC 26 (pattern-based, not insider)
These aren’t Apple-confirmed. They’re the categories most consistent with Apple’s recent direction and the pre-event reporting that points heavily at Apple Intelligence.
1. New Required Reason API categories
Apple has added 1-2 new NSPrivacyAccessedAPICategory entries every WWDC since 2024. The categories Apple gates are APIs that can be used for device fingerprinting (UserDefaults, FileTimestamp, SystemBootTime, DiskSpace, ActiveKeyboards). The pattern: as new on-device APIs ship (especially around Apple Intelligence), Apple adds the privacy-sensitive ones to the required-reason list. Expect at least one new category at WWDC 26, very likely tied to an Apple Intelligence API surface.
Action you can take today, before the keynote: audit your current manifest against the complete Required Reason API reference so you have a clean baseline before the new category drops.
2. New App Privacy “data type” categories
The App Privacy questionnaire (“nutrition labels”) in App Store Connect has grown a category per year since 2020. With Apple Intelligence using on-device and Private Cloud Compute inference, expect a new category covering AI/inference inputs or generative-content data. Your existing answers will need updating, and your privacy policy will need a matching disclosure.
3. AASA / Universal Links schema iteration
Apple updated the AASA file format to the components-based format in 2023; minor additions have landed each year since (App Clip default-link behavior, web-credentials extensions). A schema iteration at WWDC 26 is plausible but lower-probability than #1 or #2.
4. Apple Intelligence / Siri intent compliance
If Apple Intelligence opens further to third parties at WWDC 26, expect new declarations or entitlements around what your app can read from and write to the system intelligence layer. These usually arrive as App Store Connect questions plus Info.plist entries, not as web pages — but the privacy policy disclosure inevitably follows.
5. App Store Connect URL fields
Apple has added a URL field most years (Privacy Policy URL is the original; the marketing URL, support URL, and EULA URL came later). Adding another tied to Apple Intelligence disclosures, age ratings, or accessibility would be consistent with the pattern. The full current list of URL fields and what each requires is in every URL and file Apple requires for App Store submission.
What you can do today — without waiting for the keynote
You don’t need the announcements to start. Three high-leverage actions in the next two weeks:
-
Audit your current
PrivacyInfo.xcprivacyagainst the Required Reason API reference. If you’re already missing categories from the 2025 list, you’ll be doubly behind when WWDC 26 adds new ones. -
Verify every URL field in App Store Connect is live and returns 200. Privacy Policy URL, Support URL, Marketing URL — open each one. A broken URL holds up your next submission whether WWDC 26 adds new fields or not.
-
Lock down a process for shipping a new manifest category within a week of announcement. Whatever Apple adds, you’ll need to update your manifest, your privacy policy, and your App Store Connect answers in lockstep. If that takes you a month today, it’ll still take a month in June. Walk through the steps once now.
How OrbitKit handles WWDC 26 changes
If WWDC 26 adds a new manifest category, AASA field, or App Store Connect URL — OrbitKit subscribers don’t have to do anything. We update our generators, validators, and hosted pages on our end, and your apps stay compliant without a code change on your side. That’s the value of treating Apple’s web requirements as infrastructure: when the requirements change, the infrastructure absorbs the change.