In clause 5.1.2 (iii) of the developer guidelines, Apple writes:
Data gathered from the HomeKit API or from depth and/or facial mapping tools (e.g. ARKit, Camera APIs, or Photo APIs) may not be used for advertising or other use-based data mining, including by third parties.
It also forbids developers from using the iPhone X’s depth sensing module to try to create user profiles for the purpose of identifying and tracking anonymous users of the phone — writing in 5.1.2 (i):
You may not attempt, facilitate, or encourage others to identify anonymous users or reconstruct user profiles based on data collected from depth and/or facial mapping tools (e.g. ARKit, Camera APIs, or Photo APIs), or data that you say has been collected in an “anonymized,” “aggregated,” or otherwise non-identifiable way.
Another clause (2.5.13) in the policy requires developers not to use the TrueDepth camera system’s facial mapping capabilities for account authentication purposes.
Rather, developers are required to stick to using the dedicated API Apple provides for interfacing with Face ID (and/or other iOS authentication mechanisms). So basically, devs can’t use the iPhone X’s sensor hardware to try and build their own version of ‘Face ID’ and deploy it on the iPhone X (as you’d expect).
They’re also barred from letting kids younger than 13 authenticate using facial recognition.
Apps using facial recognition for account authentication must use LocalAuthentication (and not ARKit or other facial recognition technology), and must use an alternate authentication method for users under 13 years old.