Digital Health Apps Must Allow Users to Delete Accounts, Per New Apple App Store Rules

Foley & Lardner LLP

Foley & Lardner LLPThe regulatory scrutiny on telemedicine and digital health companies continues to tighten, whether it is privacy warning shots, new direct-to-consumer (DTC) advertising limits, a wave of reimbursement audits, or multistate DOJ investigations. Now, any company that wants to be listed on Apple’s App Store must give users the ability to delete their account.

Apple just announced all apps that allow for a user to create an account must also give that user the ability to delete their account from within the app itself. The new rule is effective January 31, 2022, so product development teams may want to order some extra cold brew and prepare for a programming sprint.

The announcement also reminds companies that Apple Guidelines require the app to have a privacy policy that details how the app collects, shares, uses, maintains, and deletes user data. This privacy policy must be publically accessible and will be reviewed by Apple upon the app’s submission to the Apple Store. In addition to federal and state law privacy requirements and Federal Trade Commission (FTC) guidelines, Apple’s rules also require that the privacy policy clearly and explicitly:

  • Confirm with any third party with whom the app shares user data, such as analytics companies, advertising networks, and third-party software development kits, that they will provide the same or equal protection to the user data;
  • Explain its data retention and deletion policies; and
  • Describe how a user can revoke consent or request deletion of the user’s data.

Under the Apple rules, Apps in the digital health space that collect health, fitness, and medical data must not disclose any of this sensitive data to third parties for advertising, marketing, or use-based data-mining purposes unless the disclosure is with permission and for improving health management or health research purposes. Failure to abide by these guidelines may result in the app’s removal from the App Store. 

This is just the start, and telemedicine and digital health companies should expect to see more rules from Big Tech and social media platforms designed to ensure the accuracy and privacy of health-related content and data. Therefore, entrepreneurs can take the following actions now to anticipate these forthcoming restrictions and therefore minimize disruption and friction among patient-users (as well as ensure regulatory compliance):

  • Conduct, under attorney-client privilege, a risk assessment of health data maintained and transmitted by the organization.
  • Review all privacy policies to ensure they actually reflect your real use cases and business practices of what you do with patient-user data. The privacy policy must be accurate, transparent, and comply with applicable laws, guidelines, and best practices. If you have not updated your privacy policy in a year or have simply copypasted it from another companys website, we strongly urge you to undertake this review immediately.
  • Survey your company’s website and app to understand its data collection and use practices by reviewing the user experience and workflow to ensure the user experience matches the company’s expectations, external policies, and procedures.
  • Review all third-party vendors that manage and collect data to ensure their compliance with your privacy practices and policies by requesting and reviewing their privacy policies.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley & Lardner LLP | Attorney Advertising

Written by:

Foley & Lardner LLP

Foley & Lardner LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.