Google now requires app developers to submit a "Delete Account URL" when publishing an app.

The Delete Account URL must allow users to initiate an account deletion request or provide information on how users can delete their accounts. The URL must be accessible from the web, so users who deleted your app from their devices can access it without redownloading it. However, information on how to delete an account must be accessible from within the app as well.

This article will explain what the "Delete Account URL" requirement is about and what you need to do to comply.


What Does Google Require Regarding Account Deletion?

Google's new Account Deletion Requirements require all apps that allow account creation to also have an account deletion option. If your app doesn't have an option to create an account, this requirement does not apply.

Here is what Google's "Delete Account URL" policy requires.

Provide a Way for Users to Delete Their Accounts

You must provide BOTH an in-app option for account deletion as well as an external account deletion option which users can access in a web browser.

The idea here is that users should not have to redownload the app in order to delete their accounts.

Many users simply delete apps from their devices without realizing that doing so doesn't actually delete their account data. The new policy would provide them a way to request an account deletion without redownloading the app and logging in again.

Here's how Google describes this:

[Screenshot: Google Play Console Help: Understanding Google Play's App Account Deletion Requirements - Overview section]

Delete All User Data Associated With the Account

As per Google's Account Deletion Requirement, when a user submits a request to have their account deleted, you must comply with the request and delete the account from your system.

However, it's not enough to simply delete the account.

You must also delete any and all data you have collected about the user. Deleting their account but retaining the data in your database is not acceptable.

Here's how Google outlines this:

[Screenshot: Google Play Console Help: Preview: User Data - Account Deletion Requirement section]

The Deletion Must Be Permanent

When you delete the account, you must permanently delete it from your system and databases.

You cannot merely freeze, deactivate, disable, or pause access to the account when a user requests an account deletion.

You may offer temporary deactivation as an option, but not as a replacement for a full account deletion.

For example, if a user visits your account deletion link, you can offer two options:

  • To temporarily freeze the account, or
  • To permanently delete the account

If the user selects the latter option, you must comply and completely delete the user's data.

You Must Answer Questions Regarding Your Data Deletion Policies

When you publish an app in Google's Developer Console, you must answer several questions regarding your data collection and deletion policies, including:

  • How you collect data from the user's device
  • How you share data, such as from one server to another
  • Which collected data is optional, and which is mandatory
  • Whether data you collect or share is encrypted during transit
  • Whether an independent security review has been performed
  • Whether your app provides a way for users to request deletion of their data

This information will be displayed to users in the Google Play Store, providing a greater level of transparency about the data deletion options you offer. This will be rolled out to Google Play users in early 2024.

Which Apps Does This "Delete Account URL" Policy Apply to?

The "Delete Account URL" requirement applies to all apps that provide users a way to create an account. This can include providing a way for users to log in with an email/username and password or authenticating their identity via a third-party login mechanism, such as Google or Facebook.

It doesn't matter whether creating an account is optional or mandatory. If there is an account creation option, the "Delete Account URL" is required, even if there is the option to use the app without an account.

In addition, it doesn't matter if creating an account is done within the app or externally. If the app redirects the user to an external website on which the user creates the account, after which it redirects the user back to the app while automatically logging them in, the URL requirement also applies.

What if the Account is Operated Entirely Offline?

According to Google, an app account is an account that will "serve the user across applications and/or devices." If the account is created and managed offline (all data is restricted to the device), the "Delete Account URL" requirement does not apply.

The requirement to have a Delete Account URL only applies to apps that allow users to create online accounts.

An example would be an account that syncs the user's data and account info across two devices on which they have the app installed (such as their phone and tablet). For example, Ookla, a speed test app, allows users to create accounts so they can view their speed test results from all of their devices on any device they are logged into.

However, if the account is created and managed offline and doesn't upload any data to the cloud, you are exempt from this policy.

Which Other Apps are Exempt?

Permanently private apps, which are not available to the public on the Google Play Store but rather to employees, enterprise customers, or other selected individuals, are exempt from having the Delete Account URL.

In addition, enterprise device management apps are also exempt. These include MDM (Mobile Device Management) apps that allow employees to convert their personal phones into a company work phone (known as BYOD, or Bring Your Own Device).

BYOD is preferred by some employees as opposed to carrying two phones (both a personal phone and a work phone) with them everywhere.

An MDM app allows an employer to regulate and/or monitor an employee's phone remotely. The MDM software may place restrictions on what kind of apps the user can install, for example.

Such apps are exempt from this requirement to have a Delete Account URL.

[Screenshot: Google Play Console Help: Understanding Google Play's App Account Deletion Requirements - Exemptions section]

What Kind of Data Must You Delete?

As mentioned, when you delete the account, you must also delete all data associated with the user.

This includes:

  • Personal data, such as the user's name
  • Personally identifiable information, including data with which the user can be identified, such as their IP address and personal address
  • Financial and payment information, such as credit cards
  • SMS and call logs
  • Microphone, camera, and other usage data
  • Health data

How Quickly Must You Delete the Data?

Google only requires you to delete the data within a "reasonably quick period of time." However, additional laws may apply in your jurisdiction.

For example, in the UK, organizations have one month to respond to and comply with user data deletion requests, according to the Information Commissioner's Office, although extensions of two months may be requested in certain circumstances.

Are Any Types of Data Exempt and Allowed to be Retained?

In some cases, it may be necessary to retain some user data. Examples include:

  • You require this data to prevent fraud
  • You need access to the data for governmental regulatory compliance
  • The data is essential for your security operations

In those cases, you must still delete the account upon request, but you may retain certain important information. You must inform users about this retention in your Privacy Policy or elsewhere.

What if You Shared the Data With Third Parties?

If you shared the data with third parties, such as marketing agencies, you must still delete the data from your own databases and servers. In addition, you must submit a request to all third parties you have shared the data with so that they delete the data as well.

Your responsibility does not go beyond that. You can't force those third parties to delete the data, but you must still submit a request that they do so.

What are the Requirements for the Delete Account URL?

The Delete Account URL must link to a page that provides a way for users to initiate a data deletion request. For example, the page can provide:

  • A form with which they can request an account deletion, after which you delete the associated account within a certain period
  • An email address so users can email support and request account deletion
  • A link that takes users through a self-guided account deletion request process

As you can see, the page doesn't have to have an account deletion button on it directly. However, it must provide information to the user on how to initiate an account deletion request without logging into the app again.

In some industries, such as healthcare and finance, it is acceptable to require additional processes the user must go through before you can delete all data.

Where Must You Enter The Delete Account URL When Publishing an App?

When publishing an app, you will see a Data Safety Form in the App Content section. There, you will be presented with various questions regarding your data deletion mechanisms and policies as well as a field in which you can enter this URL:

[Screenshot: Google Data Safety Form with the Delete data URL field highlighted]

What are the Requirements for the In-App Data Deletion Request?

As mentioned, in addition to an external web page, you must also provide in-app data deletion information.

This could be either:

  • A process which users complete within the app, such as a form, that allows them to request an account deletion, or
  • A link to an external webpage where they can request account deletion or learn more information on how to initiate an account deletion request. This could be the same as your Delete Account URL.

However, it must be prominent and easily accessible. That doesn't mean it has to be visible on every page. However, the way to access it must be intuitive. For example, you can create a menu option in the settings with the title "Delete Your Account."

Here's an example of how this can look:

[Screenshot: Instagram Account menu with Delete account highlighted]

What is the Deadline to Complete This?

The deadline has already passed. It was December 7, 2023. However, if you have not yet completed the requirement, you may submit a request for an extension.

You can do this by clicking on "Request additional time" in the App Content section of your console. If you have not yet fulfilled the requirement, you will see this option.

An extension can be granted until May 31, 2024. After that time, though, your app may be removed from the Google Play Store if you haven't fulfilled the requirements.

Summary

In summary, here is what you need to know about Google's new account deletion requirements:

  • Developers must create an external webpage that provides information on how users can initiate an account deletion request. This Delete Account URL must be submitted in the data safety form in your developer console.
  • You must also link to this Delete Account URL from within the app or provide a separate in-app account deletion mechanism:
    • This applies to all public apps that allow users to create cloud-based user accounts within the app.
  • Once you receive a request, you must not only permanently delete the account but also delete any user data associated with the user.
