The Right to Forget Those That Request to Be Forgotten (Because: Apple IAP)

by swerling on 1/5/2021, 5:43:10 PM with 2 comments
Those of us that develop services with recurring billing on IOS are between a GDPR rock and an Apple IAP hard place.

The EU mandates that, should a user request to be forgotten, companies must delete all references to those users.

Apple mandates that, should you want to have recurring billing for a service accessed by an IOS app, you have to use Apple IAP.

Here is the problem: Apple IAP provides no way to cancel a user's subscription.

Intractable problems now arise, Eg:

    1. Alice requests to be deleted from Acme's computers
    2. Acme anonymizes and/or deletes all references to Alice
    3. Alice forgot to cancel her Apple IAP subscription. It happens to the best of us.
    4. Alice gets charged.
Sorry Alice.

Check mate, Acme.

Here is what follows:

    1. Apple webhooks come into Acme’s servers for Alice' sub, now causing warnings or errors, costing developer time.
    2. Alice raises hell, publicly trash talks Acme, and demands money back from Acme.
    3. Disproportionate amount of time spent by customer support personnel, and possibly devs, to help with Alice' situation.
The point of all this: GDPR is incomplete and must be amended. Companies must have the right to forget about users that have requested to be forgotten.

This can only mean one thing with regard to mandated IAP services, from Apple, Google, or anyone else: they must allow for companies to cancel auto-renew subscriptions by the same mode or API that those subscriptions were created.

That Apple does not permit companies to cancel subscriptions is egregious for many other reasons too. Eg. how to handle users that violate TOS, eg. by posting inappropriate material to your site? Have fun losing that user, Acme — you’re still taking their money!

But the GDPR <-> IAP conflict is not ludicrous in the standard Apple IAP manner, it is utterly intractable.

The developer community should band together to voice this dilemma to lawmakers. GDPR must be amended.

  • by zepto on 1/5/2021, 6:40:22 PM

    As far as I understand it, IAP doesn’t give the app vendor the customer’s personal data.

    This is in fact a chief complaint people raise against being forced to use IAP.

    Apple is the one holding the customer data, and does provide the customer with a right to be forgotten.

    I’m open to the possibility that there is a technical detail I’m overlooking here, but I can’t see the issue.

    What’s wrong with just saying: ‘We’ve deleted all the data we have on you. Remember to cancel your subscription in the App Store.’

    Where is the legal issue?

  • by Marjan24 on 1/5/2021, 6:01:46 PM

    I believe the situation already is covered by the providers right to keep personal information about customers to maintain and fully carry out contracted obligations such as a prescription service.

    A user can not have a binding contract and request to be forgotten.