111: Account Deletion in Apps: What You Need to Know About Apple’s Latest Requirement
Published April 5, 2022Run time: 00:24:12
If you have an app on the App Store that allows users to create an account, then by June 30, 2022, users must be able to easily delete their account within the app as well.
In this episode, Tim and Jenny break down everything you need to know about Apple’s account deletion requirement.
In this episode, you will learn:
- Why Apple is requiring apps to have an account deletion feature
- Why you might consider making the same change to your Android app
- What happens if your app doesn’t comply by Apple’s deadline of June 30, 2022
- What it means to delete user data
- How to find a tech team to help if you have an idle product
This episode is brought to you by The Jed Mahonis Group, where we make sense of mobile app development with our non-technical approach to building custom mobile software solutions. Learn more at https://jmg.mn.
Recorded March 30, 2022 | Edited by Jordan Daoust | Produced by Jenny Karkowski
Show Links
JMG Business Development Representative job posting | https://www.linkedin.com/jobs/view/2990387002/
Deadline for in-app purchase and account deletion requirements extended | https://developer.apple.com/news/?id=i71db0mv
Chat with Rob at The Jed Mahonis Group about making changes to your app | Schedule a 15-minute chat
Rate and review the show on Apple Podcasts | https://constantvariables.co/review
Follow The Jed Mahonis Group on LinkedIn | https://linkedin.com/company/the-jed-mahonis-group
Episode Transcript:
Tim Bornholdt 0:00
Welcome to Constant Variables, a podcast where we take a non-technical look at building and growing digital products. I'm Tim Bornholdt.
Jenny Karkowski 0:07
And I'm Jenny Karkowski.
Tim Bornholdt 0:08
Let's get nerdy.
Jenny Karkowski 0:23
This episode is sponsored by The Jed Mahonis Group, who is currently hiring for a Business Development Rep to help generate new partnerships with potential clients in the upper Midwest. Since our founding back in 2012, we've always taken a chance on the right people over the right skill set and it's continually paid off. So if you enjoy being involved in the community, and prefer the culture of a small team that works remotely, communicates daily, and supports each other, shoot us an email at careers@jmg.mn. And if you want to learn more about the Business Development Role, look in the show notes of this episode for a link to the job posting.
Tim Bornholdt 1:05
Jenny Karkowski, welcome to the show.
Jenny Karkowski 1:08
It's great to be back.
Tim Bornholdt 1:09
Great to have you. I mean, it seems like you're part of every episode now. So it's weird to say good to be back. But I mean, you're gonna be in the hot seat today. Right?
Jenny Karkowski 1:16
I'm actually here to put you in the hot seat again.
Tim Bornholdt 1:19
Oh, man. Okay.
Jenny Karkowski 1:22
You are our resident expert on why Apple does the things they do.
Tim Bornholdt 1:27
That's probably true. Yeah.
Jenny Karkowski 1:30
So I'm here today to prompt Tim with some questions around a new requirement that Apple has out. So if you have an app in the App Store, you're going to want to pay attention. This was originally supposed to be required to be done at the end of January. And they postponed it to, I think, June 30 of this year. If you have an app in the App Store, according to Apple's new guidelines, and if a user on your app can create an account, they must also now be able to delete their account and all of their subsequent data.
Tim Bornholdt 2:07
That's right, end of show.
Jenny Karkowski 2:12
So we're just going to kind of talk through what that means and what that looks like for anybody that has an app out on the App Store, because you've got about three months to get that done to meet this requirement, and what could potentially happen if you don't get it done in time. So first question, Tim, why is Apple requiring this?
Tim Bornholdt 2:33
Well, Apple, among all of the big Silicon Valley giants has taken the hardest stance around user privacy, which makes me really happy. And it should make everybody here really happy because most Silicon Valley companies make all of their money by taking your personal data and selling it.
Again, this wouldn't be a Constant Variables episode if I didn't dog on Facebook. So let's say, you know, Facebook, Google, all of them, Amazon, everybody takes your data and sells it, but Apple does not because they make money by selling you their hardware and their services. So the big reason for this push is again, in a attempt to keep their privacy tint kind of going in the right direction there, a lot of times what will happen is, again, take Facebook. If you've ever gone and tried to delete your Facebook account, it is very, maybe not surprisingly, difficult, but it is difficult to actually straight up delete your account. Typically, you have to deactivate your account, or that's kind of what they push you to do is to just turn off Facebook, and maybe you can come back a little bit later. But no, if you actually want to delete your account and lose all of the data, you have to go through a lot of hoops. And then even after you go through those hoops, they require you to wait for 30 days to be like, Oh, are you really sure you want us to delete your data? So that kind of stuff is what Apple is trying to prevent here. Because most apps, when you create your account in an app, you create the account, and then the data just sits there on a server somewhere. And maybe it's continually being harvested. Maybe you created an account that you don't even remember that you linked up to your Twitter account, you know, six or seven years ago, and now that thing is still feeding in all of your tweets and selling it somehow and making money somehow. These are real things that happen.
So Apple has decided to use their power. There's a lot of things that are wrong with Apple's monopoly power, as we've also talked about on the show, but this is I feel like a good use of the power in that now if you allow a user to create an account, they're also forcing you to allow them to get rid of that account and basically force you to forget that they ever existed. So that's kind of the high overarching theme of why this rule is being put into place.
Jenny Karkowski 4:58
And it got me thinking about a lot of the apps that I use, and I can't pull up in my mind, you know, ever seeing a delete my account option on the app?
Tim Bornholdt 5:09
Yeah, usually there isn't one on the app. Usually, if there is even an option, you have to go into the website that they have of some sort, go into some settings menu, find it buried under three different levels. And then when you go to delete the account, there's all these prompts that try to trick you into keeping the account around. Like these are all very well, you know, researched psychological tricks to keep people in the app, you know, a lot of fear of, Ooh, you don't want to delete your account, because you might not hear from your aunt, or whatever kind of things they try to throw in there. So usually you don't see these just straight up in people's accounts. So I don't know. Yeah, it's not something you see every day. And I'm excited to now start seeing this going forward.
Jenny Karkowski 5:52
Right now, whenever I don't want an app anymore, I just delete it. But that's not, I just delete the app. But that's not deleting my data.
Tim Bornholdt 5:59
Not at all. No, you're data's still sitting out there.
Jenny Karkowski 6:02
It's still there.
Tim Bornholdt 6:03
Yeah.
Jenny Karkowski 6:03
Okay, so a lot of people that have an app on the App Store, also have an app on the Google Play Store. If they're going to be making these changes on their iOS app, should they make the same changes on their Android app?
Tim Bornholdt 6:16
Well, you know that's kind of a question that's on a case by case basis. Because you know, adding these features in isn't cheap or free. You have to pay some developers or somebody to go in and actually do this. So you have to kind of gauge for yourself whether you think Google is going to start to enforce some sort of policy that's similar on their store. So you don't have to. But if you feel morally inclined that you have to allow, you know, this sort of feature to go out for your Android users, or if it just makes good business sense, one way or the other to keep your, you know, footprint of people's data low, then yeah, you might as well. But there's no, to my knowledge at least I haven't seen Google come out with a requirement like this quite yet.
Jenny Karkowski 7:07
What about just wanting the consistency between your Android app and your iOS app, or any future consideration with, you know, the EU, and what's the other the big California regulation?
Tim Bornholdt 7:22
CCPA.
Jenny Karkowski 7:22
Yes, with data, and just kind of getting ahead of the curve by going ahead and putting that on, having that feature on your Android app to be able to delete your data.
Tim Bornholdt 7:33
I think that most people listening to this podcast, I would, maybe this is a gross generalization. And if you don't fall into this camp, I want to know, but I think most people that listen to this do want to try to do the right thing with their customers' data, and do see that as a big, you know, positive selling point. And they're not going after selling their customers' data. I mean, if you are then sweet, don't do this. But I think most people that are forward thinking and trying to do what's right with their customers' information would benefit from just doing this at the same time with Android and iOS, and probably having some feature on your website also, if you have one, to allow people to delete their apps. I think it just makes sense to kind of do it all in one fell swoop as opposed to just kind of rolling the dice and waiting for, you know, Brussels to make a decision that now you have to have that in for everyone in the EU. And then California says now you got to have it in for everyone in California. You know, you might as well just do it all at once, I guess.
Jenny Karkowski 8:29
So what happens if by June 30, you don't comply, your app doesn't comply with Apple's regulation to allow users to delete their information?
Tim Bornholdt 8:41
Well, we do have some, like, historical precedents with these types of things. Like, I can't remember this specific rule. There was one rule that they came up with earlier this year that everyone was kind of freaking out about.
Jenny Karkowski 8:55
It was for ads as to whether they could use your information.
Tim Bornholdt 8:58
Oh, yeah, that's right. Um, yeah, there was basically they had a rule where it was kind of like a nutrition label, but for advertising. And that was like another thing where it was like, if you didn't fill out the form, like they said you had to have it live by a certain date. And then they had some sort of grace period. But at that point, it was like you couldn't issue an update to your app until you had gone through and done that. And I'm sure that's what we're going to start seeing is with this kind of a rule, like I'm sure, you know, when that deadline does come that that one day is not going to be like the day because everyone's, this is a pretty big deal. So they've done this before where even with this rule they said it was going to be live January, or March or something, and then now they've pushed it off to June. Because they're like, No, we're serious, like this is a thing. But then they get a lot of pushback, because people are like, Oh, you're serious. Maybe Apple will change their mind. But no this one to me what I think is likely to happen is you'll probably get a grace period of, you know, two weeks to four weeks, something like that. But then start, you know, a month after the deadline, I'm sure that when you push an app to the App Store for review, Apple's just going to reject it until you have that feature in there. And as time goes on, I'm sure that they'll start auditing apps as well that are in the App Store that are, you know, haven't been updated in a while, and they're not in compliance with this rule, then they'll just take your app off the store until you issue an update that has this feature built in.
Jenny Karkowski 10:29
So what does it really mean for a tech team to make these changes? Like how much work are we talking? What steps are actually involved?
Tim Bornholdt 10:38
So this rule will hit harder for a organization that is, you know, again, careless with user data, and has it kind of spread all over the place. But really, what it entails is, usually, if you store all your data on a server, which is you know, in the cloud, most people are doing that these days, you would have your server developers write a call that would say, Okay, go and grab all of our data for a user and delete it, hard delete it, like it's gone. It's out of our system. You can take it a step further, and, you know, check your logs, because every server has logs that they keep. Like, whenever you hit a server, like, you know, type in facebook.com. It'll log that your IP address hit that server. And you know, usually it logs a couple other things like what browser you use, time of day, that kind of thing. So some of these are actually going through logs and deleting them. But it really depends on again, the type of app you have.
But essentially, the core of it is, there's a button on the front end. So you have to have like your iOS developer and your Android developer, if you have one, go in and add these calls that then go to the server and say, Let's institute, you know, or initiate some sort of account deletion process.
The account deletion process is really interesting too, because I could see, like, a lot of times, if you put a big red button in the app, that doesn't necessarily mean people aren't going to push it. Somebody might accidentally push it and like, what you don't want is for someone to like push that button, and instantly everything is deleted and gone. Like typically deleting an account is like a pretty big deal. So different companies do this process in different ways.
I'm actually doing this with the beer app right now. And the process that I have for it is in the app, you push the, you go into settings, and it's at the bottom of the screen where the logout button is as well. You hit the button and it says, delete your account. And when you tap it, it says deleting your account means we will get rid of all your information. Are you sure you want to consent, continue with this process? If you say yes, then what we do is send an email to the email address that's associated with the account. Then you go into your email, you see an email there and you click the link. That link brings you to a website, that then it says, Okay, one more time for real, like when you click this button, there is no going back. Once you click this button, we are deleting your account. If they click the Delete button, then I go in, I delete all of the information that I have on you for all your, the only information I track is your check ins. So it's basically, it deletes your account and all your check ins, and then it brings you back to the main page and says, See you down the road. And that's how our process works.
Others might have different, varying types of deletion processes. Like some people say like you have to type in the word delete, or you have to, you know, type in a different thing just to make sure that you are aware of what you're doing. But, you know, the long and short of it, I feel like I'm rambling on this one. But I think it really just depends on what type of app you have and what kind of data you need to assume and collect together to ultimately delete.
Jenny Karkowski 13:43
No, I think you bring up a good point. Because while Apple is trying to avoid what Facebook is doing where it makes you keep your account for 30 days and really tries to make you continue to have an account with Facebook, what you just described about the account deletion process is also just a good security layer. You know, if someone hacks into your account, they potentially have the means to completely erase all your data within that account. So having that extra measure of it sending an email to, you know, the personal email that you have on file, saying, Are you sure that you want to delete your information? It just at least adds another layer of security to this.
Tim Bornholdt 14:26
Exactly. And I think, you know, there's other, you could make this as simple as a button that you hit delete my account, and then it sends an email off to your support team or whatever that then you can follow up with that person to actually delete the account. And there's all kinds of ways that this could work in theory. I mean, the long and short of it though, is like you have to give the user a way to actually begin the account deletion process from within the app and not kind of force them to go through a labyrinth of settings menus on your website in order to get your account deleted.
Jenny Karkowski 15:02
Okay, so a company has an app on the App Store. And let's say maybe they are inbetween developers, or their app has been sitting idle for a while, but they want to comply with this. We've done a lot of episodes on here and blog posts on JMG's website about how to find a technical team. But let's say, you know, with this deadline around the corner, someone's wanting to make these changes, find a team and make these changes quickly, or find a developer who can make these changes within the timeframe needed. What is some advice you might have for looking for someone that would have the skills to add in an account deletion button that actually, you know, takes them through the right processes? I know, again, this is going to be on a case by case basis. But just what kind of questions should they be asking of any teams or employees that they might be interviewing, or maybe contractors even, to come in and take care of this for them?
Tim Bornholdt 16:04
Well, if only there was a premier mobile app development shop in the Twin Cities that specialized in this kind of thing.
Jenny Karkowski 16:10
If only.
Tim Bornholdt 16:11
I can't think of any right now. It'll come to me. If I was in those people's shoes, though, of like, you know, wanting to have this feature put into your app and your app's been kind of dormant for a while, the first thing that you really want to do is take an inventory of what data are you collecting on users. Because again, if all it is is you have like, you know, in my case with the beer app, if all it is is you have a database with users and you know, visited breweries, this process is pretty straightforward. Like I wrote the entire deletion thing for my app in an hour. And I did both the front and the back end of it. Now, again, I'm a nerd. And I knew exactly how this was going to get organized and how it would work. But if you have minimal amounts of data, then this is like not a problem for you.
Now, when it is a problem is let's say that you use Salesforce. Let's say that you also use your own rolled out CRM. Let's say that you have some WordPress thing laying around. Like depending on how long your app has been around and how many different pieces of technology are, you know, kind of bundled together to be the app, it might become really complicated. So my advice is find a reputable shop, you know, like, again, like tongue in cheek aside, JMG is really good at this exact kind of thing. Like, you know, Tom is really good on the back end of being able to go in and suss all this out. Rob is really good on the front end of just quick throwing this thing into the front end, calling good. But really, I think the biggest piece that you're going to need for this is a good back end developer. So understanding what your technology stack is, whether again, it's a Ruby on Rails app, or if it's some, you know, homespun PHP thing that you had your, you know, college intern billed 15 years ago, and that's what's propping up your whole business. I've seen it. You really just have to get a handle on what it is you're trying to build. And then once you have that, you know, finding the right person to come in that can speak that language and just quick spin up that feature, add it into your API, and away you go.
Jenny Karkowski 18:23
I think that covers any questions that people should have around this. Feel free, though, to reach out to us if you have any more questions. We'd be happy to answer them. For our final thoughts, I was just going to list off some of the requirements that Apple wants you to keep in mind when updating your app to meet this new requirement. Like we kind of alluded to, the account deletion option should be easy to find in your app. But like Tim also mentioned, you don't want it to be this big red button that people just inherently push on accident.
Like we also talked about with the Facebook example, it is insufficient to only provide the ability to temporarily disable or deactivate an account. People should be able to delete the account along with all of their personal data. So I imagine we will see some changes to Facebook's deletion process, hopefully.
Tim Bornholdt 19:26
Yeah, right.
Jenny Karkowski 19:28
Facebook and Apple get along just so great. I mean, I'm sure it's gonna happen.
Tim Bornholdt 19:32
Oh, yeah. It was like, wasn't there, no it was Google, like when they did have that like app like privacy stuff. Google, like famously didn't update their apps for like six or seven months. It was impressive how long Google held out from issuing app updates because they didn't want to comply with showing like exactly how much data they were actually taking from people. So you know it is going to be really interesting to see what happens to the Facebook app specifically because, you know, I really doubt that they're going to comply right out of the gate. Just like how, have you seen like Apple, again, I'm kind of sidelining our final thoughts but Apple, it's the Netherlands, the Netherlands passed a law that was requiring Apple to allow app developers that were building dating apps to allow payment processing from outside the app. And the way Apple complied was to make an API where they still would take 30%, ultimately, of the cut. They just would allow you to use Stripe to do the like, you know, 3% credit card processing, but then Apple still took a 27% cut. Like it's just like audacious what these companies are doing with these regulations. I'm sorry, I'll back off. I got to hear the rest of the final thoughts.
Jenny Karkowski 20:49
No, that is, I mean, they all still find a way to get what they want, right?
Tim Bornholdt 20:53
Yeah, we don't have that power with the Minnesota Craft Beer app. But you know, not many of us do.
Jenny Karkowski 21:02
Okay, two more. Apps in highly regulated industries may need to provide additional support flows to confirm and facilitate the account deletion process. Tim kind of touched on that, depending on how much user data that you are collecting. And always follow applicable legal requirements for storing and retaining user account information. This includes complying with local laws in different countries or regions. And as always, check with your legal counsel.
Tim Bornholdt 21:30
Yeah, I mean, if you have an app, like, for example, that manages accounting, and bookkeeping and things like that, you have legal requirements that say you need to retain records for seven years. So when you're building out your deletion mechanism, that's something that you could factor in is like, Okay, we're gonna delete data, you know, up to whatever the seven year point is. And then have like a, you know, every year you audit and delete, you know, another year's worth of data. There's other things like the cannabis industry, there's specific guidelines for keeping records and all of that. So there are like, depending on your app, there are very specific regulations, and you need to make sure that you're following all of those so that you don't get in trouble with with other regulations down the road.
Jenny Karkowski 22:15
Yeah, it makes me think of, especially the healthcare industry, and all the telehealth apps that are coming out. And, you know, deleting your account and your data, you don't necessarily want to completely delete all of your health records.
Tim Bornholdt 22:30
Yeah, exactly. And I think like that, it leads into another thing we didn't really touch on, but like account deletion is one component to consider. But maybe having like a data export feature is also something that, you know, I know, Facebook, and Twitter and all the social networks have those types of things baked in, where you can go in and actually export all the data that they have on you. But I think it's something to consider too. If you have one of those highly regulated industry apps, like maybe you want to have as part of your account deletion process, a way to send someone a zip file of all of the records that you have on them. So then it's like, Alright, here's your data goodbye.
Jenny Karkowski 23:09
Show notes for this episode can be found at constantvariables.co. You can get in touch with the show by emailing Hello@constantvariables.co. Or you can find us on Twitter @CV_podcast. Today's episode was produced by Jenny Karkowski and edited by the optimistic Jordan Daoust.
If you can take two minutes to leave us a rating and review on Apple podcasts, we'll give you a mention in a future episode as a thank you. Visit constantvariables.co/review and we'll link you right there. What did you say?
Tim Bornholdt 23:40
I said do it.
Jenny Karkowski 23:41
We haven't had a review in a while. We were getting some like weekly for a little bit and Tim was getting to shout out those mentions at the top of the show. So we would love to do another one. Give us a review on Apple podcasts. Leave your name or business name in the review and we will thank you in one of our future episodes.
This episode was brought to you by The Jed Mahonis Group. Check us out at JMG.mn and sign up for our monthly newsletter at JMG.mn/news.