Your company has an app.
To build it, your app developers have used a range of third-party SDKs.
They provide you with data for analytics and retargeting. Or help your app pinpoint user location.
But many of these third-party SDKs collect a lot of personal data about your users.
And just as with website cookies, privacy rules apply.
Here I break down how GDPR applies to your company’s mobile app and how you can make it GDPR compliant within 24 hours.
TL;DR – GDPR compliance for mobile apps
Does GDPR apply to my company’s mobile app?
- Yes! The privacy rules that apply to cookies also apply to mobile apps and mobile app SDKs.
Who is responsible for the app’s GDPR compliance?
- The app owner (the company) is responsible for ensuring that the app complies with international privacy laws like GDPR.
What do I have to do?
- You must collect your users’ consent to the collection of their personal data.
Do privacy laws like the GDPR apply to your company’s mobile app?
Yes! And not just the GDPR.
Depending on where in the world your users are, different privacy laws apply to your mobile app.
In Europe, privacy laws like the ePrivacy Directive and the General Data Protection Regulation (GDPR) work to protect users’ online privacy.
In the US, you have privacy laws like California's CCPA and CPRA, which work in similar ways.
Why do privacy laws apply?
Because most apps use a range of third-party SDKs like Firebase, Flurry, Facebook Ads and Analytics.
These third-party SDKs store, access and collect your users' personal data.
The SDKs process this data to give you:
- Analytics data
- Data for retargeting
- Location data
- Much more
Privacy laws require you – the app owner – to collect valid consent for letting SDK’s collect and process personal data.
What do privacy laws say about mobile apps?
Here’s the legal basis for why you have to collect consent.
What you get here is the most important parts of the ePrivacy Directive and the GDPR, in non-legal language.
Mobile Apps and the ePrivacy Directive
If we look at the European ePrivacy Directive (the "cookie law") from 2002, we see that:
- you need consent to store or gain access to information on a user's device.
- the user has the right to refuse data collection and further processing of his or her data.
- if you use third-party SDKs that store information or gain access to information on a user's mobile device, then you need to obtain your user's consent.
Are there exemptions? Yes, of course.
You can use SDKs without consent if they collect data only for:
- Technical purposes (like technically necessary cookies), i.e., making sure the app works.
- Facilitating transmission of communication.
- Providing information explicitly requested by the user.
Mobile Apps and the GDPR
The GDPR governs the processing of personal data.
When your app uses third-party SDKs that collect and process your users' personal data:
- you must collect your users' consent for the data these SDKs collect.
From a legal perspective, we turn to Article 6 of the GDPR.
- Article 6 lists the legal bases on which personal data may be processed, and consent is one of them. Because the ePrivacy Directive already requires consent for storing or accessing information on the user's device, consent is in practice the basis you need for tracking SDKs.
- If you use third-party SDKs that collect and process your users' personal information, then you need to obtain your users' valid GDPR consent.
"But we don't collect or process any data?"
Maybe not, but the mobile SDKs you are using do.
They track your users’ behavior and send this data back to the mothership.
And that’s fine! As long as you collect a valid consent for it.
What is personal data?
Personal data is any information that relates to a person or information that can identify, directly or indirectly, a person.
That can be information such as:
- Identification number
- Location data
- Online identifiers
- User ID
- Device ID
- And much more
As the app owner (or developer), the responsibility of collecting this consent falls on you. You are the data controller.
But what is consent according to the GDPR?
What is a GDPR consent?
GDPR consent must be freely given, specific, informed and unambiguous. In practice:
- Your users must be able to reject data processing, i.e., your use of data-collecting SDKs, without being penalised for it (freely given).
- You must inform your users about what data the SDKs collect and process, and for what purpose (informed).
- You have to ask permission separately for each purpose, e.g., marketing/advertising, statistics, functionality (granular consent).
- Your users must be fully aware that they have given or rejected consent. Swiping past the dialog or merely using the app is not valid consent (unambiguous).
Remember to store all consents, so you can document that your users have given consent (if the Data Protection Authority asks for it).
That’s about it!
How do I collect consent in our mobile app?
You could develop your own consent module to collect and handle all consents given.
But it takes a lot of time and is hard to maintain.
Privacy laws also change from time to time and vary from region to region, so you would have to update and differentiate your consent module a lot.
Or you could get a proven and stable Consent Management Platform to collect consents on your app.
Use Cookie Information’s Mobile App Consent and secure your users’ privacy. Rest assured that your app complies with international privacy laws.
Deploy Cookie Information’s Mobile App Consent SDK into your app (works on iOS and Android).
The Mobile App Consent will present your users with a consent pop-up the first time they open your app. It asks for their consent to your use of data-collecting SDKs like Facebook Ads, Firebase etc.
The Mobile App Consent stores all consents locally and on secure servers within the EU/EEA.
If your users do not give consent, the SDKs do not collect personal data, provided your app only switches each SDK on once the matching consent has been given.
You thereby secure your users’ privacy. And ensure your company’s GDPR compliance.
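The two things a developer has to get right, whichever consent platform is used, are the ones described in "What is a GDPR consent?" and in the gating above: one decision per purpose, recorded together with the policy version it was given for, and every tracking SDK kept off until a matching decision exists. The following is an added example in plain Kotlin (no Android dependencies, so it compiles and runs with kotlinc); it is not code from Cookie Information's SDK or from the page. The purpose names, the policy version strings and the `TrackingSdk` stand-ins are assumptions; in a real app the enable/disable hooks would wrap the SDK's own switch, such as Firebase's `setAnalyticsCollectionEnabled`. One caveat the example cannot solve on its own: several SDKs start collecting automatically at process start, so the manifest flags that turn automatic collection off (Firebase Analytics' `firebase_analytics_collection_enabled` and the Facebook SDK's `com.facebook.sdk.AutoLogAppEventsEnabled`, both set to false) must also be in place, otherwise data leaves the device before the dialog is ever shown.

```kotlin
import java.time.Instant

// Purposes the user decides on separately (granular consent). NECESSARY covers the
// ePrivacy exemptions (the app working at all) and never needs a consent decision.
enum class Purpose { NECESSARY, STATISTICS, MARKETING }

// One stored decision: which policy text was shown, what was granted, and when.
// Kept so the controller can document the consent if a supervisory authority asks.
data class ConsentRecord(
    val policyVersion: String,
    val granted: Set<Purpose>,
    val recordedAt: Instant,
)

// Stand-in for a third-party SDK (assumed, not a real SDK API): the purpose it serves and
// the switch that turns its collection on or off. Collection is off until enabled.
class TrackingSdk(val name: String, val purpose: Purpose) {
    var collecting = false
        private set
    fun enable() { collecting = true }
    fun disable() { collecting = false }
}

class ConsentGate(var currentPolicyVersion: String, private val sdks: List<TrackingSdk>) {
    private var record: ConsentRecord? = null

    // Prompt on first launch, and again whenever the policy text has changed: a decision
    // made on an older text does not cover purposes described in the new one.
    fun needsPrompt(): Boolean = record?.policyVersion != currentPolicyVersion

    // Call this only from an explicit accept/reject action in the dialog, never from a
    // swipe, scroll or continued use, which do not count as consent.
    fun recordDecision(granted: Set<Purpose>) {
        record = ConsentRecord(currentPolicyVersion, granted + Purpose.NECESSARY, Instant.now())
        apply()
    }

    // Withdrawal must be as easy as giving consent, and must switch collection off again.
    fun withdrawAll() = recordDecision(emptySet())

    fun isAllowed(p: Purpose): Boolean =
        p == Purpose.NECESSARY || (!needsPrompt() && record?.granted?.contains(p) == true)

    // Default is off: every SDK is disabled unless a current, matching decision exists.
    // Returns the resulting on/off state per SDK so callers (and tests) can check it.
    fun apply(): Map<String, Boolean> {
        for (sdk in sdks) if (isAllowed(sdk.purpose)) sdk.enable() else sdk.disable()
        return sdks.associate { it.name to it.collecting }
    }

    fun auditRecord(): ConsentRecord? = record
}

fun main() {
    val sdks = listOf(
        TrackingSdk("Firebase Analytics", Purpose.STATISTICS),
        TrackingSdk("Facebook Ads", Purpose.MARKETING),
        TrackingSdk("Crash reporter", Purpose.NECESSARY),
    )
    val gate = ConsentGate(currentPolicyVersion = "2024-01", sdks = sdks)

    // First launch: nothing but the necessary SDK may run until the user has decided.
    check(gate.needsPrompt())
    val beforePrompt = gate.apply()
    check(beforePrompt["Firebase Analytics"] == false && beforePrompt["Facebook Ads"] == false)
    check(beforePrompt["Crash reporter"] == true)

    // The user accepts statistics and rejects marketing in the dialog.
    gate.recordDecision(setOf(Purpose.STATISTICS))
    val afterDecision = gate.apply()
    check(afterDecision["Firebase Analytics"] == true && afterDecision["Facebook Ads"] == false)
    println("stored for audit: " + gate.auditRecord())

    // The user later withdraws consent from the settings screen.
    gate.withdrawAll()
    check(gate.apply().values.count { it } == 1)  // only the necessary SDK is left on

    // A new policy version invalidates the old decision; collection stays off until re-asked.
    gate.recordDecision(setOf(Purpose.STATISTICS, Purpose.MARKETING))
    gate.currentPolicyVersion = "2024-06"
    check(gate.needsPrompt())
    check(gate.apply().values.count { it } == 1)
    println("all checks passed")
}
```

The important design choice is that `apply()` is the only place an SDK is ever switched on, and it consults the stored record every time, so a consent that has been withdrawn or given for an outdated policy version cannot leave an SDK running. The record keeps the policy version and timestamp, which is what a Data Protection Authority will want to see alongside the decision itself.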
Get in touch with us to know how you secure your company’s GDPR compliance when owning a mobile app.