
Data protection for apps (incl. cookie checklist)

The requirements for collecting cookies and complying with data protection regulations worldwide do not only apply to websites. Mobile app compliance is just as important. And to comply with mobile app regulations, app developers and app owners need to be aware of the laws that apply to them and their users when processing personal data.

Personal data, a key issue in data protection law, is collected in many different ways with users’ consent when they use an app. It can be collected during account creation, location tracking, usage analysis or in-app purchases.

In this article, we take a closer look at how you can achieve compliance for your apps: what important privacy laws like the GDPR require of apps that process personal data, how cookies are used in mobile apps, and the legal requirements that app developers and owners must meet to protect user privacy in this changing legal environment.

Let’s start with the basics!

Obtaining consent for mobile apps

What is obtaining consent for mobile apps?

When collecting consent for a mobile app, the user’s consent is obtained via a banner or notice, similar to a website.

But why?

Well, regulations like the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States require an app owner to obtain consent from its users before collecting and processing their personal data. In addition, the iOS or Android app must provide information on how it shares personal data with third parties.

The personal data that can be collected includes, but is not limited to, location data, contacts, device information or browser history. The following is an example of how a user can select or deselect the category of personal data that they consent to the processing of.

What is the difference between mobile app consent and website consent?

The basics of consent are the same for both mobile apps and websites. However, the main differences lie in the user interface and the platform.

  1. The platform: Mobile app consent refers to applications developed for mobile devices such as smartphones and tablets, which are typically installed and run directly on the device. Web consent, on the other hand, applies to websites and web-based services accessed through web browsers on different devices.
  2. The user interface: Mobile apps and websites have different user interfaces that can affect how the consent notice is displayed to users. For mobile apps, consent requests are typically built into the app onboarding process, where users are prompted to accept the app’s terms of service or privacy policy during installation or when the app is first launched. Consent requests in mobile apps can be designed to fit the app’s layout and user experience.

Due to the above factors, it is important that each CMP also provides the ability to create cookie notices that can be adjusted to different user interfaces and devices, such as browsers or mobile devices.


Does the General Data Protection Regulation (GDPR) also apply to apps?

Yes, the GDPR applies to mobile apps that collect, process or store personal data from individuals within the European Union (EU). Furthermore, the GDPR has an extra-territorial scope, meaning it applies not only to companies based in the EU, but also to organizations outside the EU that offer goods or services to people in the EU or monitor the behavior of people in the EU.

So if your mobile app collects personal data from EU residents, the requirements of the GDPR apply to you, regardless of where your app or business is based. Personal information includes any information that directly or indirectly identifies an individual, such as names, email addresses, location data, IP addresses or device identifiers.

Now that we know how important it is to get consent, here are a few pointers on how you can do the same.

How can I make my iOS or Android app GDPR compliant?

In general, to ensure your iOS or Android app is GDPR compliant, you can follow these steps:

  1. Learn about the GDPR: Understand the requirements of the GDPR and become familiar with the principles, rights and obligations set out in the regulation. Visit the official information page here.
  2. Know your data: Conduct a thorough audit of the personal data your app collects and processes across iOS and Android platforms. Identify the types of data, the sources of data collection and the purposes for which the data is processed.
  3. Determine which laws you need to comply with: Determine and document the legal basis for processing personal data under the GDPR. This includes obtaining the user’s consent, performing a contract, complying with a legal obligation, protecting vital interests, performing a task in the public interest or pursuing legitimate interests.
  4. Make sure you get user consent: Implement a clear and explicit consent mechanism in both the iOS and Android versions of your app to get user consent before collecting or processing any personal data. Users should be able to give specific consent for different types of data processing activities.
  5. Users should be able to exercise their rights: Allow users to exercise their rights under the GDPR, e.g. the right to information, correction, deletion and restriction of the processing of their personal data. Provide mechanisms in applications to allow users to easily exercise these rights.
  6. Third-Party Providers: If your application uses third-party services or SDKs that collect or process personal data, review their privacy practices and ensure they comply with the requirements of the General Data Protection Regulation. Enter into data processing agreements (DPAs) with these third parties.

Checklist: Cookie Banner Requirements for Obtaining Consent in a Mobile App

Is the cookie banner displayed clearly and prominently? The cookie banner should be easily recognizable to the user when they visit your mobile app.
Does it show an option to accept or decline? Provide users with a mechanism to actively and explicitly consent to the use of cookies. Users should be able to accept or decline cookies based on their preferences.
Can users enable different types of cookies? Users should be able to specify the type of cookies they consent to. For example, offer the ability to enable or disable certain categories of cookies, e.g. essential cookies, functional cookies, analysis cookies or advertising cookies.
Is there a link to the privacy policy? Include a link to your application’s privacy policy in the cookie banner. The privacy policy should provide detailed information about your data processing practices, including the use of cookies.
Can users withdraw their consent at any time? Give users the ability to easily withdraw their consent to the use of cookies at any time. Provide clear instructions on how users can change their cookie settings within the application.
Is the banner displayed permanently? Once a user has consented to the use of cookies or made a choice, ensure that the banner does not disappear on subsequent visits or launches of the application. Display a persistent notice or ad in the application to remind users of their cookie preferences.

And that was it!

Mobile compliance for apps: When in doubt, start here

Make sure you provide your users with a legally compliant app (iOS or Android) that complies with GDPR (for EU) or US data protection laws. To make sure you don’t forget the above steps, we’ve compiled these tips into a neat visual checklist that you can download here for free!

Do you have a website and are unsure whether you are processing personal data? Or do you not know which data protection laws apply to you?

Then start here with our free website cookie crawler, which will scan your website and send you a list of recommendations straight to your inbox.
