The Right to Forget Those That Request to Be Forgotten (Because: Apple IAP) Those of us that develop services with recurring billing on IOS are between a GDPR rock and an Apple IAP hard place. The EU mandates that, should a user request to be forgotten, companies must delete all references to those users. Apple mandates that, should you want to have recurring billing for a service accessed by an IOS app, you have to use Apple IAP. Here is the problem: Apple IAP provides no way to cancel a user's subscription. Intractable problems now arise, Eg:
Sorry Alice.Check mate, Acme. Here is what follows:
The point of all this: GDPR is incomplete and must be amended. Companies must have the right to forget about users that have requested to be forgotten.This can only mean one thing with regard to mandated IAP services, from Apple, Google, or anyone else: they must allow for companies to cancel auto-renew subscriptions by the same mode or API that those subscriptions were created. That Apple does not permit companies to cancel subscriptions is egregious for many other reasons too. Eg. how to handle users that violate TOS, eg. by posting inappropriate material to your site? Have fun losing that user, Acme — you’re still taking their money! But the GDPR <-> IAP conflict is not ludicrous in the standard Apple IAP manner, it is utterly intractable. The developer community should band together to voice this dilemma to lawmakers. GDPR must be amended. |