In what cases do the upcoming third-party SDK requirements apply exactly?

Please help me understand the phrasing from Apple's articles about this topic. Of course, I am referring to the SDKs from the official list, as only those are affected by the new regulations.

1, https://developer.apple.com/support/third-party-SDK-requirements/

Starting in spring 2024, you must include the privacy manifest for any SDK listed below when you submit new apps in App Store Connect that include those SDKs, or when you submit an app update that adds one of the listed SDKs as part of the update.

That states 2 cases in which fresh SDK versions are needed, containing privacy information:

  1. If you submit a completely new app
  2. If your app update contains a framework which was not present in the previous version of the app

So, according to my understanding, if I create an app update which does not contain any new SDKs, only the ones that I have been using for a while now, I can keep using these older SDK versions. And it is not mandatory to update them to newer versions.

Does Apple state anywhere that we have to update every SDK from the list this spring in every case? Because that would contradict what I quoted from the article.

2, https://developer.apple.com/news/?id=3d8a9yyh

And if you add a new third-party SDK that’s on the list of commonly used third-party SDKs, these API, privacy manifest, and signature requirements will apply to that SDK.

Again, this states that you have to use a fresh version of an SDK in case you add it newly to your app. This seems to reinforce my point that if a 3rd party SDK was already used in previous app versions, the new requirements do not apply to that SDK and I can keep using its older release which does not have its own privacy manifest file.

My main concern here is that there are many 3rd party SDKs from the list that we already use in our projects, and it would be a huge effort if my team had to update all those SDKs in every project by May. But if I'm right, it is not mandatory for us. (Of course, it would be wise to update the SDKs every now and then, but that's not the point here.)

Can anybody confirm whether my understanding is correct? Maybe link some proof if I'm not right? It would be nice to have a reply from someone working at Apple, to have a reliable answer.

I have another question, as somebody who develops SDKs, on top of the above questions, and that is:

What if my SDK isn't listed in Apple's 3rd party SDK list? Do I also have to provide/ship my SDK with all these changes?

Hey, according to this documentation it sounds like there is no option besides upgrading all SDKs that use those protected APIs.

https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api

For each executable or dynamic library in an app that uses a required reason API, the bundle that includes the executable or dynamic library needs to include a privacy manifest file that reports the API.

Have you gotten any communication from Apple on this? Desperately hoping I'm misinterpreting this documentation because I'm in the same boat you are.
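An added example, not part of any post in this thread and not Apple's tooling: a check that lists which frameworks embedded in a built app ship a privacy manifest and which required reason API categories each one declares. It assumes the manifest is named `PrivacyInfo.xcprivacy` and uses the `NSPrivacyAccessedAPITypes` keys; the function names and the sample bundle are constructed for illustration, and the check covers only bundles under `Frameworks/`, not whether a binary actually calls a required reason API.

```python
import plistlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "PrivacyInfo.xcprivacy"  # file name Apple uses for privacy manifests


def find_manifest(bundle):
    """Look at the bundle root (iOS layout) and Resources/ (macOS layout)."""
    for candidate in (bundle / MANIFEST_NAME, bundle / "Resources" / MANIFEST_NAME):
        if candidate.is_file():
            return candidate
    return None


def audit_app(app_dir):
    """Map each embedded framework to its declared API categories, or None if no manifest."""
    report = {}
    for bundle in sorted((Path(app_dir) / "Frameworks").glob("*.framework")):
        manifest = find_manifest(bundle)
        if manifest is None:
            report[bundle.name] = None
            continue
        with manifest.open("rb") as fh:
            declared = plistlib.load(fh).get("NSPrivacyAccessedAPITypes", [])
        report[bundle.name] = sorted(e.get("NSPrivacyAccessedAPIType", "?") for e in declared)
    return report


def build_sample_app(root):
    """Constructed sample: one framework without a manifest, one with."""
    frameworks = Path(root) / "Sample.app" / "Frameworks"
    (frameworks / "OldSDK.framework").mkdir(parents=True)
    new_sdk = frameworks / "NewSDK.framework"
    new_sdk.mkdir(parents=True)
    manifest = {"NSPrivacyAccessedAPITypes": [{
        "NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
        "NSPrivacyAccessedAPITypeReasons": ["CA92.1"],
    }]}
    with (new_sdk / MANIFEST_NAME).open("wb") as fh:
        plistlib.dump(manifest, fh)
    return frameworks.parent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, apis in audit_app(build_sample_app(tmp)).items():
            print(name, "->", apis if apis is not None else "NO PRIVACY MANIFEST")
```

Pointing `audit_app` at an unpacked `.app` directory from a real build gives the list of embedded SDKs that would still need an update to carry a manifest.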
