Starting June 30, 2022, all apps available in the Apple App Store that offer account creation must also allow users to initiate account deletion within the app.
This requirement does not come as a surprise: Apple first announced this policy in 2021, and initially planned to roll it out by January 31, 2022, before pushing back the implementation date to June. Still, this policy will have significant implications for app developers, who are also preparing to comply with a number of recently-passed US state law privacy laws that take effect in 2023, and now must also consider the implications of a potential US federal privacy law that was introduced in Congress last week.
Apple states that the upcoming requirement, codified at Section 5.1.1(v) of the App Store Review Guidelines, is intended to provide users with greater control over their personal data. To facilitate implementation of this requirement, Apple offers developers several tips, including that (i) developers should locate the option to delete an account in the app’s account settings or somewhere similarly easy to find in the app, (ii) developers should inform users if a deletion request will take additional time to complete, and (iii) apps may add steps to verify the identity of the requestor and confirm the request (such as by prompting a user to enter a code from an email or phone number already associated with the account).
Developers should note that the new policy requires not just deletion of a user’s account itself, but also of all the personal data associated with such account. Apple notes that people expect that any data associated with their account will be deleted when the account is deleted, including user-generated content that’s shared with others, such as photos, video, text posts, and reviews.
Further, Apple states that it is insufficient to only provide the ability to temporarily disable or deactivate an account. However, Apple advises developers to follow applicable legal requirements for storing and retaining user account information, in case the law mandates data retention, and notes that apps should let their users know if local laws or regulations require that an app maintain data.
Whether Apple intends to require the deletion of all personal data associated with an account has been the subject of some debate. Some commentators have noted that Apple’s deletion language does not go as far as some upcoming state privacy laws that more explicitly require deletion of all personal data provided by or obtained about a consumer. But Apple has since clarified the upcoming policy, aligning the requirement more closely with the deletion requirements under these state privacy laws. In some ways, Apple’s requirement goes beyond such laws because it will apply to all users, regardless of where they are located and whether the data is otherwise subject to GDPR, CCPA, or any upcoming state privacy laws.
Developers that are subject to this requirement should review their data inventories and technical procedures to ensure that all user data, whether it is stored in several different data systems or with third party vendors, can be deleted upon request. Given that Apple delisted nearly 420,000 apps, or nearly 21% from its app store, for not complying with a prior policy update in 2021, we advise app developers to anticipate strict enforcement and prepare their deletion processes now.