App Store Review Guideline 5.1.1(v): What is understood as OFFERING the account deletion WITHIN the app

The newly updated App Store Review Guideline 5.1.1(v) states that:

... If your app supports account creation, you must also offer account deletion within the app. ...

The guideline leaves two important questions open:

  • What does it mean to offer the account deletion?
    • Is it enough to point the user to the website, email, ... or does the deletion need to be completed within the app?
  • Does Apple expect a simple account deletion (in the sense of inactivation) or a full delete-all-my-data request?

Is there a statement from Apple which specifies these details, or has someone already received an app rejection for it?

Along with these questions: When does Apple expect to begin enforcing this?

From a user's point of view, I hope they really mean that if you can create an account within an app, you should also be able to fully delete it within an app. Of course you can offer deactivation so the user can return at a later point, but I as a user want to have a full-delete-all-my-data kind of deletion.

Also, what does "account deletion" mean for Apple? Does all the information related to the user have to be deleted, like orders in retail? And does "within the app" have any limitations? Like in the same menu as created, or can the button be placed anywhere in the app?

Yesterday there was finally some information! The account deletion requirement starts in January 2022: https://developer.apple.com/news/?id=mdkbobfo

They still haven't given us a lot of detail around this. The user should be able to "initiate deletion of their account" but does that mean it happens all in the app or can it be done in a web browser/web view? Also, does the developer also have to delete all of the user's data like the GDPR "Right to be forgotten" rules?

Any news about that? I agree with @azinicus1, actually we don't have enough information to start working on it.

Do we have any updates/information on what is the bare minimum requirement by Apple...

We're in contact with the Apple Eng/AppReview team and this is their answer (TBC in the next days):

Our question was about filling in a mail automatically for the user (via CTA) and waiting for the CC response. Below is the Apple feedback:

In order to save you time, and based on my experience through helping other developers, I think App Review will most likely say this isn’t enough and that you will need to implement some kind of deletion flow (web view is OK, linking out to Safari is not).

Based on my other threads on this topic with App Review, sending in email or filling a form is most likely not OK, because the flow needs to be in app.

Hey @arcangel06,

did you find out more from Apple Eng/AppReview team?

One more question: account deletion does not necessarily imply GDPR deletion, does it? This process takes a longer time, and that's OK from the GDPR law perspective.

Thanks for your help!

Met with App Review today, the spirit of the rule is that if you have an account creation feature, you need to have a matching deletion feature. Account deletion does not necessarily need to be instant, but the timeline and what happens with the customer's data must be clear. In any case, the deletion needs to begin in the app (IMO this prevents linking to Safari or Mail since that does not actually start the process, just navigates to where you can start).

Hi @lablanca @MaheshBabu

On our side Apple said what I've explained before, so:

a) if you allow account creation then you should provide account deletion

b) the deletion request should start from the app. WebView and Safari link are not allowed.

c) the deletion request does not necessarily need to be instant (but you should provide the average time to complete that - in our case 30 days)

d) The process must follow the tap on the button to delete user data without any other user interaction (like mail, forms, webview and so on)

e) the flow (speaking about UX/UI) should be clear for the user and not hidden inside the application.

I can report our example: we're gonna add a new button on the user account to delete the user. Once tapped, the user lands in a specific controller where our policy reports all the deletion info, and once confirmed the user will be informed that our customer care will be in touch with him to confirm details and further checks if needed (pending payments, orders ...). In a maximum of 30 days the user data will be deleted and the user will be signed out from our application. - Apple confirms this flow is acceptable -

Can anyone share a direct contact for someone who works at apple to answer questions regarding 5.1.1? I have several questions from a healthcare app perspective on the requirements.

It’s insufficient to only provide the ability to temporarily disable or deactivate an account. People should be able to delete the account along with their personal data.

Any idea how Apple will validate the above during review?

"a) if you allow account creation then you should provide account deletion"

If account creation is outside the app (for example, opening an account creation URL in Safari, or creation by a business service provider), does the app need to provide account deletion?
