Penetration TestJan Kahmen9 min read

Data Protection and Data Security - Account Deletion within Apps soon Mandatory

A new feature is mandatory account deletion: If users are asked to set up an account for an app, it must also be possible to delete it.

Table of content

Privacy and data security are important topics. No one wants to find their private photos on any websites or know their company secrets in the hands of the competition. Knowing your way around protects against fraud and prevents financial as well as personal damage.

What is the Difference between Privacy and Data Security?

Data protection is a right that every citizen has. It guarantees according to the Federal Commissioner for Data Protection and Information Security (BfDI): "Every citizen protection against improper data processing, the right to informational self-determination and the protection of privacy." The focus is thus on personal data.

What is and is not permitted under data protection law is regulated by the German Federal Data Protection Act (BDSG) and the data protection laws of the German states.

Data security is neither a right nor a law. Data security includes measures to protect data against manipulation, loss, unauthorized access by third parties or other threats. All data is affected, regardless of whether it has a personal reference or not. Inadequate data security can become a problem for companies and private individuals alike. Namely, if this results in data loss or even if company secrets are stolen.

Concepts for Data Protection and data Security

Fortunately, there are concepts to protect data. A distinction is made between data protection and data security concepts.

A data protection concept relates to both digital and analog personal data. It describes and assesses the information required under data protection law for the collection, use and processing of personal data. In other words, it establishes who has access to certain personal data, how, for what reason and to what extent.

A data security concept, on the other hand, is a mixture of a data protection concept and an IT security concept with the maturity level. It concerns all private data or all data of a company - whether analog or digital, whether personal or not. It is intended to prevent unauthorized persons from accessing data in any form. The right cybersecurity framework is a great help here.

To check the security of such a concept, Penetration Testing is used. It reveals vulnerabilities and gaps in digital data protection, which then need to be closed.

Privacy and data security in apps in general

Apps must also provide data protection and announce data processing with a statement that users must first confirm. The Telemedia Act (TMG) and the German Federal Data Protection Act (BDSG) provide the framework for such privacy statements in apps.

The BDSG imposes the following requirements on an app's privacy policy:

  • Disclosure of the reason for the data collection, storage and/ or processing.
  • Information about the type of data collected by the app. This includes metadata, content data, and personal data.
  • Information about the duration of storage.
  • Which third parties are authorized to access.
  • An instruction for the purpose of the right of access, revocation and deletion of data.
  • The naming of the responsible body, including contact options.

Violation of these requirements is punished as an administrative offense. This means that anyone who provides apps and makes dishonest or incomplete statements in the privacy policy must expect heavy fines or even a prison sentence.

Previous Data Protection in the Apple App Store and Google Playstore

Previously, especially before downloading an app, it was unclear what data it wanted to use and for what purposes. After the download, you then had to agree to the terms of use. Substantially smarter one was after reading through these nevertheless not always. Apple caused an outcry among app developers after the company announced that it would change this lack of clarity in the future. Now Google is following suit with the Android Play Store and wants to ensure more data protection and user-friendliness.

Apple and the App Store

Privacy is now a big priority for Apple. In its view for "app privacy", the Apple Store already allows a look at the privacy information of the app before downloading. This means that the user can get an overview of what data the app is interested in before downloading. The privacy information is divided into three areas:

  • Data for tracking the person using the app.
  • .
  • Data directly linked to the user.
  • Non-linked data.

Tracking data is the data that is generated when a user views web pages. The app or its operator uses this data to create a tracking profile. This is used by third parties to display advertising tailored to the user.

Android and the Google Play Store

On Android, privacy is to be strengthened: So the Google Play Store for Android wants to follow suit and offer a similar format to Apple by Q2 2022. In the future, users should also know in the Play Store before downloading which data the selected app wants to collect. The development will take place step by step.

Initially - that is, by Q4 2021 - all app developers will have to specify which types of data they store and how. This includes location, contacts, personal information, photos and videos, audio and storage files. In addition, by that date, vendors should provide all information about how they use that data. That is, whether it is necessary for app functionality and/or personalization, for example.

From the 1st quarter of 2022, this and other information about an app should then be available in the Play Store. Similar to Apple with its privacy label. From Q2 2022, the information should then be mandatory for all apps.

New for Data Protection and Data Security in the App Store: Mandatory Account Deletion

The mandatory account deletion is completely new: If users are requested to set up an account for an app, it must also be possible to delete it. More precisely, providers must ensure that they can delete the account from within the app.

This development is long overdue. Especially when you consider that deleting an app does not necessarily mean the account disappears.

After all, without deleting the account, the connection to the app-developing company can continue even without using the app. However, without having access to the own account and thus to the own data.

Consumers in mind - the App Store Guidelines could be a pioneer here again

The new regulations make things easier for consumers with regard to app use. It is also desirable that the Google Play Store and other app stores follow suit soon.

The innovation could also be a model for other areas of digital data protection. When it comes to data protection in the cloud, there is often similar uncertainty as with the powers of apps. Users are often unaware of their own responsibility in cloud use. Clear information such as that provided for "app data protection" in the App Store would be a good service here.

Conclusion - The New App Store Guidelines are a Win for all App Users

The new App Store Guidelines have the consumer in mind: They make it easier for them to maintain control over their data. This is a positive development that will hopefully rub off on other areas of the digital world in the coming years. This would be immensely beneficial for more security, transparency, and thus user satisfaction.


Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: