Apple Sets Enforcement Date for In-App Account Deletion Requirements and Reminds Developers to Comply with Privacy Laws and Privacy Notices

18 October 2021 Privacy, Cybersecurity & Technology Law Perspectives Blog
Authors: R. Evan Glass Steven M. Millendorf

On October 6, 2021, Apple announced that its requirement that applications which allow users to create an account must also let users initiate deletion of that account from within the application will go into effect on January 31, 2022. Apple originally posted this requirement in Section 5.1.1 of the App Store Review Guidelines. The enforcement date comes as federal and other lawmakers increase their scrutiny of the privacy practices of many big technology companies and as state governments in the US continue to pass new privacy laws (many of which include a right to delete one’s personal data). These recent changes may represent an attempt by the technology industry to forestall federal legislation through self-regulation, as well as a recognition that strong privacy practices may be a competitive advantage.


APPLE'S NEW DELETION REQUIREMENTS AT A GLANCE

- On October 6, 2021, Apple announced that the App Store Review Guidelines requirement that any application which allows account creation within the application must also permit account deletion will go into effect on January 31, 2022.

- The update also encourages application developers to review laws that may require the retention of certain types of data, and reminds developers that they must provide a privacy notice explaining their privacy practices, including the retention and deletion of personal data. Developers are also encouraged to confirm that their current privacy notices are accurate.

- Many of the requirements of Apple’s App Store Review Guidelines overlap with the requirements of various privacy laws, such as the GDPR and CCPA; however, compliance with the App Store Review Guidelines is not sufficient for compliance with these laws, and deletion requirements remain subject to the applicable limitations and exceptions under these laws.

- It is unclear whether a request to delete an account also constitutes a consumer’s exercise of their right to have their personal information deleted (or right to be forgotten), or whether an additional step may be permitted.

- Companies should review and update their privacy notices and practices and begin any necessary technology development to comply with Apple’s Guidelines.


Scope of the New Account Deletion Requirement

The new account deletion requirement was originally introduced in an update to Section 5.1.1 of the App Store Review Guidelines as part of a larger revision in June 2021; however, the new guidance clarifies that Apple will begin enforcing the account deletion requirement for all application submissions (whether an update or a new application) on any of Apple’s platforms (including iOS, macOS, and iPadOS) starting on January 31, 2022. Applications that are already available on the Apple App Store before this date do not necessarily need to be updated solely to comply with this requirement. However, it may be prudent for application developers to begin planning now for the required account deletion functionality, in both the applications and the supporting servers, before they update existing applications with other functionality or bug fixes.

The new requirement applies only to applications that support account creation. While the account deletion requirement is not explicitly limited to applications of a certain type, it does not appear to apply to applications that merely use an account created in a different context. Therefore, applications such as most banking applications, and other applications that merely provide a mobile interface for traditional brick-and-mortar businesses, are likely exempt from the requirement so long as the accounts used by these applications are created wholly outside the application, such as through a website or a paper application. However, applications in the gig economy, as well as some recent stock trading, cryptocurrency, instant payment, and similar applications that operate solely through the mobile application, will be subject to these requirements.

Privacy Nutrition Labels and Responsibility to Comply With Privacy Laws

Last year, Apple began requiring application developers to provide details on their data collection and use practices for new or updated applications made available on its application stores, and began publishing “privacy nutrition labels” for applications. Apple’s Guidelines state that application privacy policies are also subject to Apple’s review and approval.

The October 6th announcement and the App Store Review Guidelines remind application developers that it is their responsibility to comply with all applicable privacy laws as well as the privacy best practices posted by Apple (which include regulatory and industry guidance), the terms of the Apple Developer Program License Agreement, and customer expectations.

However, Section 5.1.1 of the App Store Review Guidelines further requires compliance with additional privacy requirements, including:

  • Privacy Notice Requirements: A requirement that privacy notices (1) confirm that any third party with whom the app shares user data will provide the same or equal protection to the user data; (2) identify the user data that the application collects, how it collects the data, and all uses of the data; and (3) explain the app’s data retention and deletion policies. These privacy notices may need to be updated to describe the new ability to delete accounts through the application, and application developers should consult qualified legal counsel to develop privacy notices and accompanying privacy policies and procedures that comply with the myriad of potentially applicable laws as well as Apple’s requirements.
  • Consent: Requirements that apps that collect user or usage data secure consent for the collection, and that apps that collect data based on legitimate interests under the GDPR (or a similar statute) comply with all terms of those laws.
  • Data Minimization: Applications should only collect, and request access to, data that is relevant to the core functionality of the application.
  • Purpose Limitation: Applications are required to comply with the user’s permission settings, and must not attempt to manipulate, trick, or force people into consenting to unnecessary processing of personal data.

These privacy requirements are familiar foundational privacy principles, many of which have been incorporated into privacy laws such as the GDPR, California’s CCPA and CPRA, Virginia’s CDPA, and Colorado’s CPA. However, companies should be reminded that compliance with Apple’s Guidelines is not sufficient for compliance with these laws, each of which has its own requirements and exceptions. Companies should regularly consult qualified legal counsel to navigate the myriad of privacy requirements contained in these and other laws while remaining compliant with Apple’s App Store requirements.

Unclear Deletion Requirements

It is unclear under the new Guidelines whether a request to delete a user’s account through an application should automatically be treated as an exercise of the user’s right to deletion (or “right to be forgotten”) under applicable law or the privacy notice, subject to applicable exceptions, or whether it is acceptable to require application users to make a separate request to delete their personal data. Since many regulations require that users confirm the deletion of their personal data, the new guidelines likely permit at least a second-factor confirmation and a developer review of the request. Thus, the new requirements likely do not require all applications to perform the account deletion automatically, particularly when the deletion of personal data may be subject to a statutory exception.

Conclusions

Apple, like many other big technology companies, continues to change its privacy requirements to comply with new and changing privacy laws and potentially gain a competitive advantage over the competition. The new guidelines may also be an attempt to show regulators that self-regulation does, and can continue to, adequately protect the personal data of US consumers, such that significant additional regulation is not necessary, whether at the federal or state level. As such, application developers should anticipate additional changes to Apple’s and other technology platforms’ requirements for privacy and security.

Given the new guidelines, application developers on the Apple App Store should begin the following steps well ahead of the January 31, 2022 enforcement deadline:

  • Review the account creation capabilities of any applications posted to the Apple App Store to determine whether the application permits the consumer to create an account, or whether account creation is performed entirely offline or through other interfaces (including web interfaces);
  • On a regular basis, review and update privacy notices and privacy practices (especially any notices and practices that apply to the collection and use of personal data from applications) with qualified legal counsel, and make sure such practices comply with Apple’s requirements as well as any applicable laws;
  • Update data retention and deletion policies to comply with Apple’s new account deletion requirement and the updates to the App Store Review Guidelines; and
  • Begin development of any application and back-end service changes necessary to comply with the requirement that users who were able to create an account through the application must also be offered deletion of that account in the application.

For more information about a business’s compliance with privacy laws and/or Apple’s new requirements when creating or updating applications for the Apple App Store, please contact one of the authors listed below or any of the Partner or Senior Counsel core members of Foley’s Cybersecurity Practice.
