In-App Account Deletion Required by App Store Starting June 30, 2022

If your app is listed on the App Store and allows account creation, you must also provide the necessary pathway for users to delete their account in the app by June 30, 2022 according to Apple’s recent announcement. This requirement was initially scheduled to be effective on January 31, 2022 but postponed to June 30, 2022 for developers to have sufficient time to prepare for it. The latest announcement also clears up a few things that caused confusion in the previous announcement.

In this post, we will be discussing the details of the latest account deletion requirement, the difference between the announcement in 2021 and 2022, and the potential impacts of it.

The first announcement was published on Oct 6, 2021 stating that “all apps that allow for account creation must also allow users to initiate deletion of their account from within the app.” In addition, it also reminds developers to review any regional or local data privacy laws to ensure legal compliance. 

This initially caused some confusion as the word “initiate” could be quite vague. Allowing users to initiate account deletion can be as simple as providing a link for users to fill out an online form to submit a request. The developer community then came up with a few alternatives such as providing a customer support hotline in the app, embedding a form in the app or linking to an external form, and actually developing an end-to-end flow of account deletion within the app. In addition, the community also wondered whether account deletion should also trigger deletion of personal data associated with that account. 

In the latest announcement, however, it has become much clearer. The update specifically states that it is not enough if the developers simply provide means for users to temporarily disable or deactivate the account. The users must be able to “delete the account along with their personal data.” In addition, the update also reminds developers that:

• The account deletion option should be easy to find in the app.
• In some highly-regulated industries, apps have to provide additional support flows to confirm and facilitate the account deletion process.
• Apps should always comply with local laws aside from the App Store Review Guidelines. 
  

Even though the deadline has been postponed to June 30, 2022, many apps still lack the required functionality. 

Aside from the new account deletion requirement, the App Store Review Guidelines section 5.1.1 also includes a few points regarding data collection and storage to which developers must pay attention. 

Privacy policies must be easy to find and explain the data collection and storage process

A privacy policy is a statement that lets the users or clients know how the company will gather, use, manage, and sometimes even share their data with third parties.

The App Store Review Guidelines does not simply ask developers to include a link to the privacy policies in the apps but more importantly the privacy policy must:

• Be easy to find
• Specify what data is collected, how it’s collected, and how it will be used
• Make sure that if any third party will be using the collected data, the third party must follow the guidelines and protect the user’s data 
• Explain how the data will be kept or deleted and how users can request deletion of their data
  

Apps must secure user consent before collecting the data

Collecting users’ data has helped various companies adjust their marketing strategies or provide personalized data to increase their profits; however, some of the data might not be collected with users’ consent. It is now mandated that developers must obtain users’ consent before they collect their data, even if the data might be anonymous. Furthermore, apps must also provide an easily accessible way for users to withdraw their consent for them to have more control over their data. 
More can be found in Apple’s App Store Review Guidelines.

With more social and economic activities happening online, users are now sharing more personal data with online service providers. In addition, they are also more aware of how their data is being used by different companies and wish to gain more control over their data. Governments in various jurisdictions have passed regulatory privacy frameworks, such as GDPR, National data protection laws, and California Consumer Privacy Act, to protect consumers’ fundamental human rights. According to the United Nations Conference on Trade and Development (UNCTAD), over 71% countries have data privacy legislation, 9% have drafted legislation, and only 15% of them have no legislation. Furthermore, major players, such as Google and Apple, in the field have also enforced stricter data privacy requirements to gain the users’ trust. 

It is therefore important for developers to strictly follow the rules imposed by the companies and any local or jurisdictional laws to not only avoid penalties but more importantly protect their users’ personal data and gain their trust.

Developing an in-app account deletion flow can be quite time-consuming and it takes some time and effort to assure that the processes are working properly. 

With Authgear, you can easily offer user-initiated account deletion with just a few clicks. Furthermore, your apps will be equipped with different authentication and security features for you to not only meet the complex authentication requirements but more importantly provide a secure user experience for your users. 
Contact us now to see how your apps can benefit from Authgear.