Those of us that develop services with recurring billing on iOS are between a GDPR rock and an Apple IAP hard place.<p>The EU mandates that, should a user request to be forgotten, companies must delete all references to those users.<p>Apple mandates that, should you want to have recurring billing for a service accessed by an iOS app, you have to use Apple IAP.<p>Here is the problem: Apple IAP provides no way to cancel a user's subscription.<p>Intractable problems now arise, e.g.:<p><pre><code> 1. Alice requests to be deleted from Acme's computers
2. Acme anonymizes and/or deletes all references to Alice
3. Alice forgot to cancel her Apple IAP subscription. It happens to the best of us.
4. Alice gets charged.
</code></pre>
Sorry Alice.<p>Checkmate, Acme.<p>Here is what follows:<p><pre><code> 1. Apple webhooks come into Acme’s servers for Alice's sub, now causing warnings or errors, costing developer time.
2. Alice raises hell, publicly trash talks Acme, and demands money back from Acme.
3. Disproportionate amount of time spent by customer support personnel, and possibly devs, to help with Alice's situation.
</code></pre>
The point of all this: GDPR is incomplete and must be amended. Companies must have the right to forget about users that have requested to be forgotten.<p>This can only mean one thing with regard to mandated IAP services, from Apple, Google, or anyone else: they must allow for companies to cancel auto-renew subscriptions by the same mode or API by which those subscriptions were created.<p>That Apple does not permit companies to cancel subscriptions is egregious for many other reasons too. E.g., how to handle users that violate TOS, e.g. by posting inappropriate material to your site? Have fun losing that user, Acme — you’re still taking their money!<p>But the GDPR <-> IAP conflict is not ludicrous in the standard Apple IAP manner, it is utterly intractable.<p>The developer community should band together to voice this dilemma to lawmakers. GDPR must be amended.