Does GDPR apply to mobile apps?

In recent years, the number of mobile apps has exploded. And your business wants a piece of the growing app market too. Completely understandable! But part of the success comes from the way mobile apps collect personal data on behalf of third-party SDKs. But what are the rules for mobile apps? Read on to find out if the GDPR applies to your app.
Your company has an app.
To build it, your app developers have used a range of third-party SDKs.
They provide you with data for analytics and retargeting, or help your app pinpoint user location.
But many of these third-party SDKs collect a lot of personal data about your users.
And, as with website cookies, privacy rules apply.
Here I break down how GDPR applies to your company’s mobile app and how you can make it GDPR compliant within 24 hours.

TL;DR – GDPR compliance for mobile apps

Does GDPR apply to my company’s mobile app?

Yes! The privacy rules that apply to cookies also apply to mobile apps and mobile app SDKs.

Who is responsible for the app’s GDPR compliance?

The app owner (the company) is responsible for ensuring that the app complies with international privacy laws like GDPR.

What do I have to do?

You must collect your users’ consent to the collection of their personal data.

Do privacy laws like the GDPR apply to your company’s mobile app?

Yes! And not just the GDPR.
Depending on where in the world your users are, different privacy laws apply to your mobile app.
In Europe, privacy laws like the ePrivacy Directive and the General Data Protection Regulation (GDPR) work to protect users’ online privacy.
In the US, you have privacy laws like the Californian CCPA and CPRA that work in similar ways.
Why do privacy laws apply?
Because most apps use a range of third-party SDKs like Firebase, Flurry, Facebook Ads and Analytics.
These third-party SDKs store, access and collect your users’ personal data.
The SDKs process this data to give you:
  • Analytics data
  • Data for retargeting
  • Location data
  • Much more
Privacy laws require you – the app owner – to collect valid consent for letting SDKs collect and process personal data.

What do privacy laws say about mobile apps?

Here’s the legal basis for why you have to collect consent.
What you get here are the most important parts of the ePrivacy Directive and the GDPR, in non-legal language.

Mobile Apps and the ePrivacy Directive

If we look to the European ePrivacy Directive (the “cookie law”) from 2002, we see that:

you need consent to store or gain access to information on a user’s device.

Moreover, the user has

the right to refuse data collecting and further processing of his or her data.

That means:

If you use third-party SDKs that store information or gain access to information on a user’s mobile device, then you need to obtain your user’s consent.

"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller."

ePrivacy Directive 2002/58/EC - Article 5(3)

Are there exemptions? Yes of course.
You can use SDKs that collect data only for:
  • Technical purposes (like technically necessary cookies), i.e., making sure the app works.
  • Facilitating transmission of communication.
  • Providing information explicitly requested by the user.

Mobile Apps and the GDPR

The GDPR is only about personal data processing.
When your app uses third-party SDKs that collect and process your users’ personal data:

you must collect your users’ consent for the data these SDKs collect.

From a legal perspective, we turn to Article 6 of the GDPR.

You are only allowed to process personal data if the user has given consent to it.

That means:
  • If you use third-party SDKs that collect and process your users’ personal information, then you need to obtain your users’ valid GDPR consent.

"Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes."

General Data Protection Regulation (GDPR) - Article 6(1a)

“But we don’t collect or process any data?”

Maybe not, but the mobile SDKs you are using are.
They track your users’ behavior and send this data back to the mothership.
And that’s fine! As long as you collect a valid consent for it.
Obtaining valid consent on mobile apps is necessary to comply with privacy laws like GDPR, CCPA, LGPD etc.

What is personal data?

Personal data is any information that relates to a person or information that can identify, directly or indirectly, a person.
That can be information such as:
  • Name
  • Identification number
  • Location data
  • IP-address
  • Online identifiers
  • User ID
  • Device ID
  • And much more
As the app owner (or developer), the responsibility of collecting this consent falls on you. You are the data controller.
But what is consent according to the GDPR?

What is a GDPR consent?

The GDPR is quite clear on how to collect a consent that complies with the regulation.
GDPR consent must be:
  • Freely given
    Your users must be able to reject data processing, i.e., your use of data-collecting SDKs.

  • Informed
    You must inform your users about what data the SDKs collect and process, and for what purpose.

  • Specific
    You have to ask permission to collect data for different purposes, e.g., marketing/advertising, statistics, functionalities (granular consent).

  • Unambiguous
    Your users must be absolutely aware that they have given or rejected consent. Swiping or merely using the app is not considered valid consent.
Remember to store all consents, so you can use them to document that your users have given consent (if the Data Protection Authority asks for it).
That’s about it!

How do I collect consent in our mobile app?

You could develop a mobile SDK to collect and handle all consents given.
But it takes a lot of time and it’s hard to maintain.
Privacy laws also change from time to time and vary from region to region, so you’d have to update and differentiate the mobile consent SDK a lot.
Or you could get a proven and stable Consent Management Platform to collect consents on your app.
Cookie Information’s Consent Banner for Mobile Apps is easy to implement and maintain, and helps you ensure GDPR compliance in your app.
Use Cookie Information’s Consent Banner for Mobile Apps and protect your users’ privacy. It enables your app to comply with international privacy laws.
Deploy Cookie Information’s Consent Banner SDK into your app (works on iOS and Android).
The consent banner will present your users with a pop-up the first time they enter your app. It asks for their consent to your use of data-collecting SDKs like Facebook Ads, Firebase etc.
The consent banner stores all consents locally and on secure servers within the EU/EEA.
If your users do not give consent, the SDKs do not collect personal data.
You thereby secure your users’ privacy. And ensure your company’s GDPR compliance.
Get in touch with us to learn how to secure your company’s GDPR compliance when you own a mobile app.