Apple recently announced new privacy and data retention guidelines that will affect all iOS app developers. One of these guidelines requires that iOS apps which allow the user to create an account must also allow the user to delete that account. The announcement itself isn’t surprising considering recent pushes for privacy and user control of data; however, the timing is abrupt—it must be implemented by Jan. 31, 2022. Let’s look at what this might mean for your company’s mobile app strategy going forward.
What Does This iOS Requirement Mean?
One of the first questions app developers will ask is, “What exactly does this mean for my app?” There are many iOS apps that allow users to create an account, and the specific guidelines are somewhat vague regarding the deletion process. Since Apple will begin rejecting apps that do not comply, it’s important to understand what exactly is required. A few questions we asked were:
Do you have to simply revoke access to the account?
Do you have to delete all user data associated with the account?
What about accounts that are under a business contract and cannot legally be deleted?
What does the “initiation of deletion” cover?
After speaking with Apple, we were unfortunately no closer to a concrete answer. Our conclusion is that the guidelines are left up to interpretation and are not a one-size-fits-all set of requirements. It also depends on the type of industry your app represents and the kind of data it collects.
Therefore, some apps will need to take more measures to delete and/or manage account data, while others might only need to supply a way to begin the deletion process. There is no sure-fire way to protect your app from being rejected due to this new policy; however, there are some proactive things you can do to protect against that possibility.
Possible Solutions for Apple Account Deletion Compliance
The first thing to consider is whether your app allows the end user to create an account. If your app simply allows logging in to an existing account (without the ability to create an account), you may not need to worry about this guideline.
Yet if you are one of the many apps that provide an end user the ability to create an account, you will most likely fall under this new requirement. This means you will need to decide the best short-term strategy to comply or risk being rejected from future App Store releases after the deadline.
There is also the chance that Apple will delay the enforcement of this policy to give app developers more time to comply. While this would be ideal for most, it’s always good to play it safe and have a solution before their stated deadline. So here are a few options that might be considered:
1. Allow the user to submit a request from the app which sends the user information (login ID, account number, etc.) to a customer service representative. This could be done by a simple form post or email submission. This would satisfy the requirement of allowing users to “initiate deletion” of the account.
2. Create a mechanism that allows a user to “delete my account” via some settings or account screen within the app (after login). This could be as simple as clicking a button or link that sets a flag in your database to disallow login for that specific account. Just be sure to prompt the user with a message of “Are you sure? Yes/No.” Since this is a very destructive action, you'll want to make sure the user hasn't accidentally requested the deletion of their account.
The advantage of this option is the user could also be given the opportunity to re-enable that account later by changing the flag back to enable login. No user data is actually deleted, as you are simply disabling or re-enabling the access to the account. Just keep in mind that you will most likely need to plan for a longer-term strategy to allow users to manage their own data.
3. Delete all user account data. While this is a very heavy-handed approach, and most apps would not be able to support such a solution, there will be some apps that do not require the retention of any user data for legal or other reasons. If you happen to fall into this category, you are ahead of the curve and will have a much easier time complying with future data retention policies from Apple. However, since there are currently no requirements to delete user data outside of Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), this approach seems excessive. Instead, we recommend one of the first two options, while you create a more robust strategy for managing user data.
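Option 2 above, as an added example that is not code from the original article: a `disabled` flag blocks login without deleting any data, the flag is set only after the user answers Yes to the confirmation, and it can be flipped back later. The table layout, the function names and the password check on re-enable are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def open_store():
    """In-memory account table; `disabled` is the flag option 2 describes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (login_id TEXT PRIMARY KEY, salt BLOB, "
               "pw_hash BLOB, disabled INTEGER NOT NULL DEFAULT 0)")
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(db, login_id, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO accounts (login_id, salt, pw_hash) VALUES (?, ?, ?)",
               (login_id, salt, _hash(password, salt)))

def _lookup(db, login_id, password):
    """Return the disabled flag if the password matches, else None."""
    row = db.execute("SELECT salt, pw_hash, disabled FROM accounts "
                     "WHERE login_id = ?", (login_id,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], _hash(password, row[0])):
        return None
    return row[2]

def login(db, login_id, password):
    """Succeeds only for a correct password on an account that is not disabled."""
    return _lookup(db, login_id, password) == 0

def _set_flag(db, login_id, value):
    db.execute("UPDATE accounts SET disabled = ? WHERE login_id = ?", (value, login_id))

def request_deletion(db, login_id, password, confirmed):
    """Set the flag only from a logged-in user who answered Yes to the prompt."""
    if not confirmed or not login(db, login_id, password):
        return False
    _set_flag(db, login_id, 1)
    return True

def reenable(db, login_id, password):
    """Flip the flag back; assumed here to require the account password."""
    if _lookup(db, login_id, password) != 1:
        return False
    _set_flag(db, login_id, 0)
    return True
```

Because the row is never removed, this satisfies only the "disable access" reading of the guideline; the stored data still needs the longer-term handling the article goes on to recommend.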
Looking Forward to User Data Management Strategies
The important thing to consider is the spirit of this new announcement. With much of the focus lately shifting toward user data privacy, Apple is showing its hand in efforts to shift to a GDPR/CCPA-based approach to data collection. While the implementation of these two sets of rules is much bigger in scope, the shift has been in motion for a while now and Apple seems to be heading in that direction for all apps, not just the ones that operate in the EU and/or California.
Therefore, our recommendation is to come up with a solution that satisfies the immediate Apple requirements. Once you have reached compliance, we recommend looking at a longer-term solution that will allow each user to manage their own data. There will most likely be several of your company systems impacted by this, so we recommend your organization begin those discussions now.
If you would like to learn more about how Credera is helping its partners navigate these new iOS requirements and how to implement compliant solutions, please reach out to us at firstname.lastname@example.org.