
Mandatory Account Deletion: Apple and Google Requirements

How to implement the mandatory account deletion feature required by both Apple and Google, including technical guidelines and compliance details.


The Requirement

Both Apple and Google now require that any app offering account creation must also provide a way for users to delete their account and associated data from within the app. This is not optional. If your app lets users sign up, it must let them delete everything.

Apple enforced this starting June 2022. Google followed with its own requirement in 2024. Both platforms will reject app updates that do not comply.

What "Account Deletion" Means

Account deletion is more than just deactivating a profile. Both platforms require:

  • Account deletion - The account itself must be removable, not just deactivated or hidden
  • Data deletion - All personally identifiable data associated with the account must be deleted
  • Clear process - Users must be able to find and use the deletion mechanism easily
  • Reasonable timeline - If deletion is not instant, you must communicate the timeline clearly

Apple's Specific Requirements

Guideline 5.1.1(v)

  • If your app supports account creation, it must support account deletion
  • The deletion option must be easy to find (not buried 10 levels deep in settings)
  • If you use Sign in with Apple, you must use the revoke tokens API to properly revoke credentials
  • You can offer a retention period (e.g., "Your account will be deleted in 30 days") but must follow through
  • The app must handle the deletion workflow in-app, not just redirect to a website

Sign in with Apple Revocation

If you implement Sign in with Apple, you must call Apple's token revocation endpoint when a user deletes their account. Failing to do this means Apple still considers the user linked to your app, even after account deletion.

Google's Specific Requirements

Data Deletion Policy

  • Apps must provide an in-app path to request account and data deletion
  • You must also provide a web-based deletion option (accessible without the app installed)
  • The web resource URL must be declared in your Data Safety form
  • If certain data must be retained (legal requirements), you must disclose what is kept and why

Data Safety Form Integration

In the Google Play Console Data Safety section, you must:

  1. Declare that your app provides a way to request data deletion
  2. Provide the URL to your web-based deletion resource
  3. Specify any data that is retained after deletion and the reason

Implementation Guide

Step 1: Design the User Flow

Keep it simple and accessible:

  1. User navigates to account settings
  2. User taps "Delete Account" (clearly labeled)
  3. App shows a confirmation screen explaining what will happen
  4. User confirms the deletion
  5. App processes the request and logs the user out

Step 2: Backend Processing

When a deletion request comes in:

  1. Mark the account for deletion with a timestamp
  2. Start a grace period (optional, typically 7-30 days)
  3. Send a confirmation email letting the user know the process has started
  4. Delete or anonymize all PII after the grace period expires
  5. Revoke all authentication tokens (including Sign in with Apple tokens)
  6. Remove data from backups according to your retention schedule
  7. Notify third-party services that process the user's data

Step 3: Handle Edge Cases

  • Active subscriptions - Warn the user that deleting their account does not cancel active subscriptions. Direct them to manage subscriptions through the platform first.
  • Pending transactions - Complete or refund any pending purchases before deletion
  • Content attribution - Decide whether to delete, anonymize, or retain content the user created (comments, posts). Anonymization is acceptable in many cases.
  • Legal retention - Some data may need to be retained for legal reasons (financial records, tax compliance). Disclose this clearly.
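
The Step 2 backend sequence and the legal-retention edge case, sketched as an added example (not code from Apple, Google, or this wiki). The Account model, the 30-day grace period, the LEGAL_HOLD table and the two callbacks (revoke_idp, notify_processors) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

GRACE = timedelta(days=30)  # assumption: upper end of the 7-30 day range above
# Constructed example: record types kept after deletion, with the disclosed reason.
LEGAL_HOLD = {"invoices": "financial records / tax compliance"}

@dataclass
class Account:
    user_id: str
    pii: dict            # name, email, ...
    sessions: set        # live authentication tokens
    records: dict        # record type -> rows
    delete_requested_at: Optional[datetime] = None
    purged: bool = False

def request_deletion(acct: Account, now: datetime) -> datetime:
    """Mark the account with a timestamp, log the user out, return the purge date."""
    if acct.purged:
        raise ValueError("account already deleted")
    acct.delete_requested_at = now
    acct.sessions.clear()
    return now + GRACE   # goes into the confirmation email

def cancel_deletion(acct: Account, now: datetime) -> bool:
    """A pending deletion can be cancelled only inside the grace period."""
    due = acct.delete_requested_at and acct.delete_requested_at + GRACE
    if acct.purged or not due or now >= due:
        return False
    acct.delete_requested_at = None
    return True

def purge_if_due(acct: Account, now: datetime,
                 revoke_idp: Callable[[str], None],
                 notify_processors: Callable[[str], None]) -> Optional[dict]:
    """Scheduled job: returns a receipt once purged, None if nothing is due."""
    if acct.purged or acct.delete_requested_at is None:
        return None
    if now < acct.delete_requested_at + GRACE:
        return None
    # External calls first: if either raises, nothing is marked purged and the
    # job retries, so a failed revocation cannot be silently skipped.
    revoke_idp(acct.user_id)          # e.g. Sign in with Apple token revocation
    notify_processors(acct.user_id)   # third parties holding the user's data
    acct.sessions.clear()
    acct.pii.clear()
    acct.records = {k: v for k, v in acct.records.items() if k in LEGAL_HOLD}
    acct.purged = True
    return {"user_id": acct.user_id,
            "retained": {k: LEGAL_HOLD[k] for k in acct.records}}
```

Because a failed purge is retried, both callbacks must tolerate being called more than once for the same user. The "retained" map in the receipt is the same list of kept data and reasons that the confirmation screen and the Data Safety form should disclose.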

What to Tell the User

Your deletion confirmation screen should clearly state:

  • What data will be deleted
  • What data may be retained and why
  • The timeline for deletion (immediate or after a grace period)
  • That the action is irreversible after the grace period
  • How to cancel a pending deletion (during the grace period)

Compliance Overlap

Account deletion requirements align with broader privacy regulations:

  • GDPR (EU) - Right to erasure (Article 17)
  • CCPA (California) - Right to delete personal information
  • LGPD (Brazil) - Right to deletion of personal data
  • PIPL (China) - Right to request deletion

Implementing account deletion properly helps you comply with all of these simultaneously.

Common Mistakes

  • Hiding the delete option so deep that users cannot find it
  • Only deactivating accounts instead of actually deleting data
  • Not handling Sign in with Apple token revocation
  • Not providing a web-based deletion option (Google requires this)
  • Retaining more data than necessary without justification
  • Not communicating the deletion timeline to the user

Related Topics

  • iOS Privacy Labels Guide
  • Data Safety Form Guide
  • Apple App Review Guidelines
