Do you have an app published in the Google Playstore or Apple App store? If you’re not complying with their requirements for “in-app account deletion,” you’re at major risk of your app getting kicked out of these platforms. Do you have a strong understanding of what’s required of your business?
As consumers become increasingly aware of their personal data footprint and the desire to protect their own privacy, big tech companies are following suit. These Apple App Store and Google Playstore in-app account deletion requirements are an example of them wielding their extensive power and reach to mandate business compliance. Keep reading to understand:
- What is in-app account deletion
- Specific Apple App Store and Google Playstore app requirements
- Potential for drastic increase in deletion request volumes to app owners
- Business workflow issues you’ll need to solve to achieve compliance
What is in-app account deletion?
In-app account deletion refers to the process through which consumers can permanently remove their accounts and associated data from a particular application or platform. This feature empowers individuals by giving them greater control over their personal information. In-app account deletion goes beyond simply deactivating an account temporarily; it allows users to completely erase their presence and data from a platform. The deletion request must be easily accessible, and each store has requirements for where it must be prominently displayed for your users.
When a user chooses to delete their account, it should trigger a series of actions (automated or manual–more on that later) within the application's backend systems. These actions ensure that all traces of the user's account, including personal information, preferences, and any associated data, are permanently removed from the platform's databases.
Enabling in-app account deletion can be beneficial for multiple reasons:
- For users, in-app account deletion provides a real sense of control. It allows individuals to decide when and how their personal information is stored and used by an application. This control is especially crucial in an era where data breaches and unauthorized access to personal information are becoming increasingly common.
- For brands and application developers, in-app account deletion promotes transparency and accountability. By offering this feature, companies demonstrate their commitment to respecting user privacy and data protection. It also aligns with various data protection regulations, such as the General Data Protection Regulation (GDPR), which require organizations to provide individuals with the right to delete their personal data.
For many businesses, in-app account deletion may not be a straightforward process. Depending on the complexity of the application and the amount of data associated with a user's account, the deletion process may take some time to complete. Additionally, some brands may have specific requirements or limitations when it comes to account deletion, such as the need to resolve outstanding payments or fulfill contractual obligations.
Let’s get into Google Playstore and Apple App Store’s specific requirements for brands, businesses, and app developers.
Google and Apple in-app account deletion requirements
Google and Apple have recently taken significant steps towards enhancing in-app account deletion requirements, setting specific deadlines for application compliance.
Apple App Store in-app deletion requirements
Apple has been at the forefront of user privacy and security. With features like App Tracking Transparency and Privacy Nutrition Labels, Apple is empowering users to make informed decisions about their data. By putting privacy first, Apple aims to create a safe and secure environment for its users to explore and enjoy the digital world.
Beginning June 30, 2022, applications in the Apple App Store that support account creation must also support user-initiated account deletion. Apple’s guidelines state that the account deletion process:
- Must be easy for the user to find in your app
- Must offer to delete their entire account, and personal data associated (not just a temporary deactivation or disablement)
- Must inform the user on the process, for example how long the deletion will take to complete
To continue reading, check out the Apple help article and FAQs here.
December 2023 Note: While Apple has required in-app deletion for 18 months, Ketch is hearing from customers that Apple enforcement is ramping up, with actual threats to pull apps from the App Store for non-compliance.
Google Playstore in-app deletion requirements
Google's commitment to user privacy has been a key focus in recent years. With the introduction of features like Privacy Dashboard and enhanced app permissions, Google is empowering users to have more control over their data. The company has developed a vast ecosystem of apps and services that seamlessly integrate with their Android operating system, available for consumption in Google Play, their equivalent to the Apple App Store.
Google has introduced a comprehensive framework to improve in-app account deletion. This framework involves stricter compliance guidelines for app developers and focuses on providing users with accessible options for deleting their accounts. Their timeline and milestones for businesses with apps in Google Play are as follows:
- April 2023: Google announced the new account deletion requirements and added new data deletion questions within the app data safety form, announcing that brands should fill out and submit the form to Google to receive any feedback on problematic answers. (See the form in the App content page of Google Console.)
- December 7, 2023: Deadline for app owners to complete the data deletion questions. No new apps or updates to existing apps can be published if these questions are incomplete. Businesses can request an extension to May 31, 2024.
- Early 2024: Users will start to see the new data deletion badge and data deletion area on your app’s store listing in Google Play (if and when your data safety form is approved by Google).
- After May 31, 2024: Non-compliant apps may face additional enforcement actions, such as removal of your app from Google Play.
Google hasn’t provided app users with a requirement for how long the data deletion process should take. They simply state that you must keep the user informed, letting them know what to expect and completing their request “within a reasonably quick period of time.” (See Google FAQs here.)
Challenges of strengthened in-app account deletion requirements
While the benefits of strengthened in-app account deletion requirements are clear for consumers–increased control, transparency, and personal data security–this requirement poses a few potential challenges for businesses.
1. App developer time and expertise
For app developers, ensuring compliance with the new requirements can be complex and time-consuming. Adapting existing applications to meet the revised guidelines may involve significant development investment. Striking a balance between compliance and maintaining a seamless user experience presents an ongoing challenge.
2. Cost of compliance
The implementation of enhanced in-app account deletion requirements may also result in increased costs for developers. This includes costs associated with maintaining and updating apps to align with the new guidelines, as well as potential penalties for non-compliance.
3. Unknown request volumes
On top of difficulty and complexity, the unknowns around request volume present challenges in how much time businesses should spend creating a process to fulfill these deletion requests. 10-20 requests per month is one thing, but if you maintain a popular app, you could experience an influx of hundreds or even thousands of requests in a very short period.
Considering these challenges across development, cost, and the unknown volumes is daunting for many businesses with limited resources. This is where purpose-built DSR automation technology can help.
Preparing for an increase in consumer deletion requests
In "privacy speak," an in-app account deletion request is considered a type of DSR: data subject request. A DSR is a formal inquiry made by a customer, to a business, requesting some action on their personal data. Actions include requesting their data be deleted, requesting access to a copy of their data, and so on.
For some Ketch customers, we have seen upwards of a 100x increase in the number of delete requests after the adoption of the in-app deletion request from the Apple App Store alone. This completely eclipses the previous volumes they saw when they had simply implemented compliant deletion request processes for GDPR and CPRA.
To help you understand the complexity and detailed requirements for processing a data subject delete request, we've outlined three key steps.
1. Map user identities to ensure a complete response to each delete request
Deleting a customer's data requires deleting it not only from your databases, but also from the various third-party applications, CRMs, CDPs, and all the SaaS tools that might have interacted with it. Think Salesforce, Hubspot, Marketo, Amplitude, Segment, Snowflake, and the like.
This process can be complex and time-consuming. To create a unified view of what data belongs to a user, you will need to build an identity graph that links a user's various identities in all your different data tools with their primary identity, so that the scope of future incoming requests is clear.
Ketch has a proprietary, automated identity graph solution that crawls and assembles unique identities for users, saving you and your team time and effort.
2. Create an automated deletion flow across all data storage and third party applications
Once you have the collection of unique identifiers for an incoming deletion request, you will need to actually perform the deletion in the corresponding systems. This means executing the delete queries in your databases, as well as calling the relevant APIs of third-party applications such as CRMs, CDPs, and other tools to remove the user's data from them as well.
If your business is like most, you are constantly adopting new tools and creating new datasets. Without automatic scanning and detection, it can be difficult to ensure the deletion requests are comprehensive enough to cover new systems.
There’s a way to avoid this in-house effort. Ketch DSR automation includes hundreds of integrations to different systems and apps, and we keep them up-to-date. Ketch also automatically scans and detects new systems and data assets that might contain personal information.
3. Design the functionality to register and log delete requests
In the face of regulatory scrutiny, you need systems in place to stay organized when delete volume is high. Logging delete requests is more than just a requirement for compliance; it’s a good business practice. The log should keep a record of:
- The details of each request
- The action you took
- How long it took you to respond
This prepares you for audits and keeps you accountable to your customers. Once you register the requests, you'll need to log them in some kind of tamper-proof system of record.
Ketch logs requests out of the box, so instead of building your own logging system for delete requests, you will get that automatically with our suite of privacy automation software.
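For teams that do build this themselves, the following added example (not Ketch's code, and not from the original article) sketches the log described in step 3: each entry records the request, the action taken per system, and the response time, and is chained to the previous entry by hash so later edits are detectable. The system names, timestamps, user IDs and the choice to store a keyed pseudonym instead of the raw identifier are all assumptions made for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # prev_hash used by the first entry

def _digest(body):
    # Canonical JSON so an entry always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def pseudonym(user_id, key):
    # Assumption: keyed hash, so the log does not retain the deleted identifier.
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def append_entry(log, subject, received_at, completed_at, actions):
    body = {
        "seq": len(log),
        "subject": subject,
        "received_at": received_at,            # details of the request
        "completed_at": completed_at,
        "response_seconds": completed_at - received_at,  # how long it took
        "actions": actions,                    # action taken in each system
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=_digest(body))
    log.append(entry)
    return entry

def verify_chain(log):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or _digest(body) != entry["hash"]):
            return i
        prev = entry["hash"]
    return -1

def build_sample_log():
    # Constructed sample data: hypothetical users, systems and Unix timestamps.
    key = b"constructed-demo-key"
    log = []
    append_entry(log, pseudonym("user-1001", key), 1700000000, 1700003600,
                 {"app_db": "deleted", "crm": "deleted", "analytics": "deleted"})
    append_entry(log, pseudonym("user-1002", key), 1700010000, 1700096400,
                 {"app_db": "deleted", "crm": "failed", "analytics": "deleted"})
    return log
```

A hash chain on its own is tamper-evident rather than tamper-proof, because anyone who can rewrite the whole log can recompute every hash. Storing the latest entry's hash somewhere the log's writers cannot modify closes that gap.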
Automation with Ketch can help
The Apple and Google in-app account deletion requirements are prime examples of why modern privacy expectations require infrastructure investment. By implementing these requirements, Google and Apple are sending a clear message to developers and app creators that user privacy is a top priority. This move not only benefits the users but also encourages developers to adopt privacy-friendly practices and build trust with their audience.
Creating a scalable process for receiving and processing consumer account deletion requests is not something that lawyers can help duct tape at the end if a company does not have a data management strategy with visibility into the data. Privacy management technology like Ketch can help you outsource the challenging, complex work of fulfilling these delete requests at scale.
A few reasons our customers use Ketch for DSR automation, specifically deletion request automation:
- Proprietary, automated identity graph: Ketch automatically crawls and assembles the unique identities for a particular user.
- Enforcing deletion requests across your systems: Ketch has hundreds of integrations with apps and systems out of the box, freeing your team from non-stop upkeep to build and monitor changing APIs and integration standards; automation without maintenance.
- Register and log all requests: The Ketch platform automatically registers and logs all requests. If any regulators come knocking on your door, you will have perfect record-keeping ready to go.
Ketch helps automate delete requests from intake to fulfillment, with tools that scale for businesses with a few delete requests, or millions. Get in touch with our team to learn more.