Apple To Require Ability to Delete Accounts In-App

Wednesday, October 27, 2021

Apple has issued new guidelines for apps that let people create accounts. The guidelines will require these apps to give people a way to delete their accounts. This requirement is broader than CCPA and GDPR deletion rights, as it applies to all users (not just those from specific territories). The requirements go into effect January 1, 2022.

From a process standpoint, apps will need to let users “initiate deletion of their account from within the app.” This suggests that to comply apps could have a deletion button, link or other process accessible from within an app. That could then re-direct users to a browser to complete the deletion request. Provided that the UX for deleting an account is not filled with “dark patterns,” apps will likely be permitted to ask users to confirm a request to delete an account.

The guidelines do not make clear if the intent is for apps to also delete data associated with the account. Or, simply, to delete the account. Companies that currently have a CCPA or GDPR process that allows users to delete data may want to consider setting up a new process for this new Apple requirement. In other words, this could be a process that allows a user to delete an account, separate from any jurisdiction-specific process the company already has for users to request that the company delete data.

The new requirements under Apple’s guidelines will overlap with certain privacy laws. This is particularly true depending on whether a company takes a “data deletion” or “account deletion” approach. Companies will need to analyze their obligations under relevant privacy laws when requests come in as a result of the guidelines. This includes exceptions to deletion obligations under CCPA and GDPR.

Putting it into Practice. Companies that offer an ability to create an account in-app should begin working with stakeholders to develop an approach to meet the account deletion requirement. This includes determining how the back-end will differ (or not) from any other deletion requests the company may be processing.