Navigate back to the homepage
Get a Demo

Responding to Apple’s requirement for in-app deletion of accounts

Privacy
Morgan Sullivan
November 29th, 2021 · 7 min read

If your company has a mobile app, chances are it’s in Apple’s App Store. A change announced at Apple’s 2021 Worldwide Developers Conference means these apps - if they allow for user account creation - must provide a pathway for account deletion within the app by January 31, 2022.

In this post, we’ll outline what the new Apple deletion mandate requires, how developers can respond, and the potential impact on organizations who aren’t yet ready to efficiently address the influx of new account and data deletion requests.

At a glance: Apple’s new in-app deletion requirement

Who’s impacted? Any company with apps in Apple’s App Store that allow for user account creation, but don’t offer an in-app avenue for user account deletion.

What’s the deadline? January 31, 2022

What’s the potential impact? Missing compliance could mean your iOS app updates may be blocked.

Who will be involved in implementing this change?

  • Privacy Engineering
  • App Engineering
  • Compliance or Legal
  • UX/App Design
  • Your data privacy infrastructure partner

The clock is ticking for iOS developers to offer in-app account deletion functionality

Last June, Apple issued updates to its App Store Review Guidelines, requiring that apps allowing for account creation must also allow users to delete their accounts from within the app.

Unlike most regulatory regimes that allow a company to use manual processes (like forcing consumers to send a deletion request via email), this new Apple requirement puts the onus on developers - calling for in-app account deletion functionality.

“If your app doesn’t include significant account-based features, let people use it without a login. If your app supports account creation, you must also offer account deletion within the app.” - Apple App Store Review Guidelines

This requirement goes into effect for all App Store submissions starting January 31, 2022. With only a few months left before the deadline, many popular iOS apps still don’t have the required functionality.

Apple’s memo on the policy change also reminds app owners to use this deadline to ensure that in-app privacy policies clearly explain “what data your app collects, how it collects that data, all uses of that data, your data retention/deletion policies, and more…”

The implications for dev and engineering

Apple’s updated App Store policy is in line with a number of its privacy-centric changes, ensuring that iPhone users have greater agency over the data they share (willingly or otherwise) with the apps they use.

While it remains to be seen precisely how Apple will respond to those not in compliance, it’s safe to say that for those who rely on in-app traffic and associated revenue - you won’t want to risk a roadblock when your app’s next update is up for review by Apple.

For your mobile development and engineering teams, what happens next largely depends on the workflows you already have in place to handle account deletion, as well as other consumer data rights as required by existing laws like Europe’s GDPR and California’s CCPA.

If these workflows already exist within your organization, you’re more than halfway there. If not, the problem is more urgent.

How to respond

First and foremost, if your app doesn’t require account creation, this update is no cause for concern.

For those that do currently offer account creation, the updated guidelines encourage developers to take a data minimization approach and evaluate if a login is even necessary for the functionality their apps provide.

If your app does require account creation, your first move is to ensure users can clearly request account deletion from within the app.

Note the nuance here from Apple’s memo published on October 6, 2021:

“…all apps that allow for account creation must also allow users to initiate deletion of their account from within the app.” (our emphasis added)

It’s unclear whether Apple will offer further clarification on this change as the January deadline approaches. At the very least, you’ll need to implement a programmatic way to kick off deletion workflows from within your app, if you don’t have it in place already.

If your privacy engineering teams have already built out an account deletion flow, or you’re using a privacy infrastructure platform like Transcend that already encodes and automates this process - you’re in a strong position already.

In that case, your teams can then concentrate on connecting this workflow to your in-app surface, in line with Apple’s guidance of a user being able to initiate deletion within the app.

Relying on manual account deletion will become more difficult

For those who don’t already have a programmatic approach to deletion in place, then complying with Apple’s new change becomes more urgent.

If this is your organization, you may be relying on a privacy@ email inbox or other webform to field data and account deletion requests. With either option, you likely still have humans in the loop to fulfill these requests from your users.

Want to understand the hidden costs of manually processing GDPR and CCPA-based consumer privacy requests? Our free Privacy Request Cost Calculator, which includes a free Google Sheet template for customization, can help.

While open to some interpretation, it’s reasonable to expect that complying with Apple’s new mandate will require more than a deep link that opens an email to request deletion.

There’s some conjecture as to whether Apple’s guidance could translate to merely automating account deletion to your main authentication/user database, or something closer to how GDPR and CCPA define deletion - in terms of the complete deletion of an account holder’s personal data.

Our recommendation is to choose the latter path for two reasons. For one, it ensures you’re building for the widest possible compliance scenario (beyond GDPR and CCPA, there are three new U.S. state bills coming into place on January 1, 2023). More importantly, it shows respect for your user’s data agency.

At the end of the day, it’s reasonable for your account holders to expect that when they hit delete, they mean delete — and a marketing email the next day could very well destroy any hope of a user returning in the future.

Good news for those who already have automated account deletion

If you have programmatic deletion workflows already in place, that don’t involve humans completing manual steps, you’re more than halfway there in terms of complying with Apple’s requirement. Your attention then turns to integrating that flow into your in-app surface.

You’ll want to expose an interface that allows your account holders to prove their identity and tap a button or link to initiate their account deletion within your application. Your UX/UI teammates will be able to assist in terms of placement within existing navigation, but the path of least resistance would be to embed the interface you’ve already built in your web application for this same purpose.

When redirecting the user from within your mobile app to such a web view, you will likely want to maintain the session between the mobile app and the web browser. One way to do this would be to use a JWT (JSON Web Token) magic link.

Once the user is logged in on your mobile app, your backend can sign a short-lived JWT that attests to the user’s authenticated session and serve up that JWT to the iOS client.

Going a level deeper, your deletion button or link that initiates account deletion could be implemented as a simple redirect to your web client (for example, to redirect to https://my.company.website.com/account-deletion#JWT). Your browser could then parse out the JWT from the hash URL parameter, verify that it was signed by your backend, and if so, automatically log that user into the web client where they can initiate the account deletion.

Once the deletion is triggered, your chosen workflows can then go to work actioning the deletion across your internal databases and other connected data systems, with a confirmation of deletion sent to the user most likely via email once the job is automatically completed.

Watch out! With a likely increase in deletion request traffic, if you haven’t already enabled in-app deletion, use this moment to make sure your current workflow is checking these two boxes:

  1. You’re deleting personal data across all systems in use, so don’t forget SaaS vendors (like the ones you use to send marketing emails)

  2. You have appropriate deletion dependencies in place so no data is accidentally being recreated in one of your systems as part of the deletion process

How Transcend can help

If you don’t have a large or established privacy engineering team or are looking for a more efficient approach to privacy code development, then it makes sense to find an engineered data privacy infrastructure partner like Transcend.

We can handle your privacy request fulfillment needs, from iOS in-app account deletion to GDPR compliance, and get you technically ready for any new laws on the horizon — all built on a robust security architecture.

In the case of this specific requirement, a new customer could get set up using our prebuilt workflows and connections and be in a place to hand a link off to your mobile developers in just a couple of hours: ensuring that when a user submits a deletion request, you’ll be fulfilling their request across your core user database.

Once connected to your app, your users can then securely authenticate as described above, and Transcend can delete data across your data systems via webhook or other integration methods.

It’s very likely that Apple’s requirements will continue to strengthen - evolving from initiating deletion to requiring personal data visibility within an app where an account is created.

With Transcend, you’ll be well equipped to handle any permutations or evolution of the app guidelines here. And it goes beyond app-based deletion.

Partnering with a data privacy infrastructure partner like Transcend means when it comes time to comply with the trio of new U.S. privacy laws in California and Virginia on January 1, 2023, and Colorado on July 1, 2023, you’ll already have a platform in place to seamlessly comply.

In summary

Come January 31, 2022, apps in Apple’s App Store that offer account creation will require a method for users to initiate account deletion from within the app in question. The technical implications of this change vary depending on existing technical data deletion workflows you have in place.

Apple’s update is part of a broader change driven by modern privacy laws, and implementing infrastructure to automate data orchestration and deletion will put organizations in a strong position for future data rights compliance.


About Transcend

Transcend is the privacy platform that makes it easy to encode privacy across your tech stack.

Our technology moves companies into the future of data privacy with freed-up resources, enhanced regulatory stances for the laws of today and tomorrow, and stronger relationships with their customers through respectful and compliant data transparency, consent, and control.

Transcend Privacy Requests orchestrates all user information from a company’s databases, SaaS tools, and applications in one powerful system. Plus, their users are confident their preferences are seen, understood, and valued.

Transcend Consent peels away technical complexity and makes user consent all about open and honest communication — the foundation of every healthy relationship. This lightweight bundle goes beyond cookies to ensure nothing is tracked without user consent, plus saves time and resources on configuration, all without sacrificing site performance or UX.

Reach out to learn more.


Sources

App Store Review Guidelines

Account Deletion within Apps Required Starting January 31

Apple Is Making It Easier to Delete Accounts Attached to Third-Party Apps

More articles from Transcend

Live from San Diego: Our 5 key takeaways from IAPP’s Privacy, Security & Risk conference

Bridging privacy across your company, legislative predictions and more takeaways from our time at IAPP's PSR21 Conference.

October 29th, 2021 · 3 min read

A path to standardizing data rights with a common protocol

Transcend has joined a consortium led by the Consumer Reports Digital Lab to develop a common protocol for consumers to exercise their data rights

October 21st, 2021 · 3 min read

Privacy XFN

Sign up for Transcend's weekly privacy newsletter.

San Francisco, California Copyright © 2022 Transcend, Inc.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Link to $https://twitter.com/transcend_ioLink to $https://www.linkedin.com/company/transcend-io/Link to $https://github.com/transcend-io