Second Bite at the Apple: Apple’s Account Deletion Requirement Finally Goes into Effect. Is Your Mobile App Compliant?

On June 30, after a 5-month delay from the originally scheduled effective date (to give app developers more time to comply), Apple’s new account deletion requirement went into effect. As a result, companies with mobile apps should consider whether the account deletion requirement applies to those apps. If it does, the requirement may have major implications for your company’s data retention and deletion practices.

The Requirement in a Nutshell

The Apple account deletion requirement states that apps that support account creation must now also offer account deletion functionality within the app. That account deletion functionality must include not only deletion of the account itself (e.g., username and other login credentials), but also the option to delete “any data associated with the account that the developer isn’t legally required to maintain.”

This post summarizes Apple’s account deletion requirement, describes what kinds of mobile apps the requirement applies to, and provides some key considerations for developers of mobile apps who are subject to the new rule.

Account Deletion Requirement Triggers

Not all mobile apps will have to comply with Apple’s account deletion requirement. The requirement is only triggered if all of the criteria below apply.

  • You care about your app being listed in the Apple App Store. Because the account deletion requirement is an Apple-created and -enforced rule, you need only comply with it if you want your app to be listed in the Apple App Store. To date, Google has not promulgated an equivalent account deletion requirement for the Google Play Store (though Google has historically followed Apple’s lead when it comes to implementing rules to enhance users’ privacy protections).
  • You submit a new app or an update to an existing app. Apple is reviewing apps for compliance with the account deletion requirement as they are updated or newly submitted. Theoretically, you could fly under the radar by continuing to operate a legacy version of your app that has already been approved by Apple. But that approach would not be practicable for most businesses as it would likely prevent you from submitting updates to Apple for even minor bug fixes.
  • Your app “supports account creation.” The account deletion requirement only applies to apps that “support account creation.” Commentators have wrestled with what it means to “support account creation,” but a reasonable interpretation of that term would exclude scenarios in which the account creation process takes place outside of, and independent of, the app (e.g., through a website or paper application). Apple has clarified in a recent FAQ, however, that developers can’t avoid the account deletion requirement by simply bouncing users from within the app to a default web browser to create an account.

Key Considerations for Mobile App Developers

If you determine that the Apple account deletion requirement applies to your app, here are a few key points to consider when implementing that requirement:

  • Prepare to implement end-to-end deletion of users’ data. Apple’s recent guidance on the account deletion requirement is clear: If a user chooses to delete their account, you must at least offer to delete “the entire account record, along with associated personal data.” Providing a glorified log-out or simply deactivating a user’s account will not suffice. Thus, companies should be prepared to implement end-to-end deletion of the personal data associated with each user’s account. If your company collects personal data about individuals through other sources outside of the app, you will need to identify and isolate the data that was collected through the app in order to carry out deletion of that data.
  • Evaluate whether a legal obligation may require you to retain certain data. The account deletion requirement does not require app developers to delete personal data that they are “legally obligated” to maintain. The exact contours of that exception, however, are unclear. For example, it seems clear that companies may retain users’ data despite an account deletion request if the company is required by a statute, regulation, or court order to maintain that data. What’s less clear is whether other obligations—such as a service provider’s contractual obligation to a customer to retain users’ personal data—might qualify.
  • When designing your account deletion user experience, consider whether your app falls into a “highly regulated industry.” While Apple requires account deletion to occur “within the app,” apps in highly regulated industries (examples of which, according to Apple, include “banking and financial services, healthcare, gambling, legal cannabis use, and air travel”) may use “additional customer service flows to confirm and facilitate the account deletion requirement.” In other words, apps in those highly regulated industries can direct users to off-app resources (e.g., third-party DSR platforms) to verify the user’s identity and carry out account deletion. Otherwise, the entire account deletion process must take place within the app itself. Even if your app is in a highly regulated industry, though, the account deletion user experience may not be “unnecessarily difficult.”
  • Assess whether your app’s Privacy Policy adequately informs users of their right to account deletion, and any exceptions to the same. Apple’s guidance on the account deletion requirement repeatedly underscores the need to keep users informed about their account deletion rights and any exceptions to their ability to delete all of their personal data. In particular, the guidance suggests that if you are relying on an exception to the deletion requirement to retain a user’s data despite an account deletion request, you should describe the basis for the exception in your Privacy Policy when explaining your data retention practices. Including such language in your Privacy Policy will also be important if questions ever arise (from Apple, or a user, for example) about why you are retaining certain data despite an account deletion request.

Enforcement Outlook

Although Apple has not expressly stated how it intends to enforce the account deletion requirement, the most obvious enforcement tools are its ability to delist apps from the App Store and to reject new requests to list apps on the App Store if they don’t comply with the account deletion requirement. That type of enforcement action may seem light in comparison to other scarier enforcement mechanisms available to regulators and individuals (e.g., civil penalties and private rights of action). But for companies whose app is a key part of their business, removal of that app from the App Store could be devastating.

If you need assistance evaluating the applicability of the Apple account deletion requirement, or implementing a data deletion process designed to comply with the requirement, please reach out to any member of our team.