Last updated on 30 December 2021 by William Blesch (Legal and data protection research writer at TermsFeed)
Starting on January 31st, 2022, all apps on Apple's App Store that allow users to create accounts will need to have a mechanism in place to allow users to delete those accounts from within the apps themselves.
Apple announced the new requirement at its 2021 Worldwide Developers Conference. Interestingly, Apple's demands on app developers are more extensive than what's required by strict privacy laws like the California Consumer Privacy Act (CCPA) or the EU's General Data Protection Regulation (GDPR).
Those watching the global push for comprehensive privacy legislation know that Apple's moves are apparently designed to forestall any criticism of its privacy practices as lawmakers increasingly put tech companies under the magnifying glass.
Most privacy laws in America stipulate that individuals can delete any personal data which a given company has acquired. Apple's decision is likely to be one that other tech companies such as Microsoft and Google will emulate.
Some also see Apple's actions as an attempt to sidestep legislation by the federal government intended to regulate Big Tech by notifying the public that the company is quite able to regulate itself without outside intervention.
In other words, it's a marketing move by Apple designed to position the brand as more trustworthy than its competitors since it is voluntarily imposing even stricter privacy rules on the apps it allows in its stores than privacy laws demand. In practice, this could give Apple an edge over its competition. That is, at least until all competitors make copycat moves.
In the following article, we'll go over Apple's new deletion requirements, what developers must do to comply, what consequences companies are likely to face if they can't meet Apple's deadline, and how to make things easier if flooded with requests for data and account deletion.
In June 2021, an update to Section 5.1.1 was made to the App Store Review guidelines. The new guidance notes that Apple will enforce the account deletion requirement on all applications submitted (either as an update or as a new app) to any Apple platform (iOS, MacOS and iPadOS) beginning January 31st, 2022.
This requirement does not apply to applications that were available in the Apple App Store before this date.
Developers of applications should plan to provide the account deletion functionality in the apps and their servers before updating existing applications with additional functionality or bug fixes.
The full text of Apple's announcement can be seen below:
It's interesting to note that Apple's new requirement is only applicable to apps that support account creation. That's good news for those worried that the provision could extend to applications that involve accounts created in other ways and different contexts.
For example, an application that provides an interface for traditional "brick and mortar" companies, such as a banking app, will most likely be free of Apple's new demand provided users create their accounts through a paper application or company website.
Unfortunately, Apple doesn't make clear whether it is intended for app developers to create an account deletion process for users or if they should also provide a way to delete all account data, too.
Suppose your company already has a GDPR or CCPA process that allows users to delete their personal data. In that case, you may need to simply update and adapt that process by incorporating Apple's requirements.
Many apps require users to create accounts. These can include social media apps as well as instant payment, ecommerce, cryptocurrency apps, and more. Below are a few that can currently be found in the Apple App Store.
CoinZoom makes it easy to buy, sell, or spend cryptocurrencies such as Bitcoin Cash, Litecoin and Ethereum. Beginners in the world of crypto will find the app easy to use, but it's also powerful enough to provide advanced tools for those who are more experienced.
Here's the app's account creation screen:
It is simple to use the Flipkart ecommerce app. Once downloaded, it allows users to shop anywhere and any time they like. Unlike CoinZoom, Flipkart automatically creates a user account once the app is installed and the user provides the company with their phone number as seen below:
QwickPAY is a complete POS solution for payment systems. It allows your iOS device (iPhone/iPad) to transform into a secure POS system that accepts magnetic stripe, EMV contact and contactless payments cards. The app has an account creation setup much like that of CoinZoom:
As you can see, it's pretty transparent which apps allow (or require) account creation in order to use them. This new requirement will apply to such apps.
As previously suggested, Apple's in-app account deletion requirement is clearly part of its push to position itself as the privacy champion within the tech world.
Clear examples of this effort are demands Apple began making last year. Just some of these include requirements wherein app developers had to provide Apple with information on how they collect and use data, the publication of privacy nutrition labels for apps, and Apple requiring that all app Privacy Policies be subject to review.
Of course, Apple's requirements up until now have all been within the framework of international privacy laws. In fact, the company's announcement concerning the in-app account deletion requirement also points out that app developers have a responsibility to bring themselves into compliance with those privacy laws and to follow Apple's own best privacy practices. (The company posts these in the form of industry and regulatory guidance.)
Essentially, you shouldn't be concerned if your app doesn't require account creation. In this case, Apple's in-app deletion requirement doesn't apply to you.
However, if your app requires account creation, the first step is to ensure users have a straightforward way to request account deletion, and that must be found within your app.
Remember that it should go without saying that you should get legal counsel before deciding upon an account deletion process. After all, it is entirely reasonable to assume that Apple will need more than just a deep link buried somewhere in your app that allows users to open an email and request deletion.
With that said, you should take the following steps before January 31st, 2022:
Apps that fail to provide a means for users to delete their accounts will likely be kept from placing their apps in Apple's App Store until the in-app deletion requirement is met.
As noted previously, this would not apply to apps that are already in the store before January 31st, 2022.
Apple has long been a pioneer in digital technology and one of the world's top providers of consumer-facing products. In recent years, as more regulations have come into effect to protect consumer privacy, the tech giant has worked hard to position itself as a company that respects and protects its users' rights.
The company's latest policy changes may be an attempt to show state and federal legislators that it can satisfactorily protect the personal data of U.S. consumers without additional regulations.
As such, application developers that require users to create accounts must now include a way to delete those same accounts from within the app. The deadline for these updates is January 31st, 2022.
Additionally, developers should expect additional changes and be ready to adjust their ongoing compliance efforts accordingly.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
30 December 2021