Does the GDPR Apply to Mobile Apps?
Most GDPR coverage has focused on personal data collection and processing on websites, and not much has been said about mobile apps. So, does the GDPR apply to mobile applications, or doesn't it? If the intent of the law was to give people control over their own personal data, then it would be hard to argue that mobile applications are exempt.
Recital 15 provides some clarity, declaring that the protection of data should be "technologically neutral". A fundamental principle of the GDPR is "Privacy by Design and by Default" (Article 25), which also suggests that "how" personal data is collected is largely irrelevant. What matters is whether it is being collected.
When reading through the 57,509-word, 209-page document (yes, it’s also a bedtime story), there’s no mention of mobile apps, or a reference to the difference between how the law applies to a website versus an application. We believe that's because the law is meant to focus on the protection of personal data and how it can be lawfully collected and used, regardless of where or how it’s gathered.
If we interpret the law this way, then mobile apps are not exempt from GDPR compliance. That's why we were so surprised when we studied the mobile app landscape to see whether companies were complying with the regulation.
Over a month after the GDPR became the law of the land, we launched a study of the top 50 free mobile apps in the iOS app store, and the top 50 mobile apps in the Android app store to assess what these apps had done to comply with the GDPR requirement of providing "fair processing notices" and data protection.
To set up this experiment, we took the following steps:
- We downloaded each app individually on test devices.
- We used a VPN to tunnel to France and changed our region and language settings to be EU-specific. Essentially, we emulated what an EU user looks like.
- We then used each app in the same manner that an end user would.
What we learned was that out of the 100 apps we downloaded, only 21 had some form of consent notice. Of those 21 apps, 19 were using an "explicit" notice, meaning they notified the user of tracking and data collection but required the user to consent to the data collection and processing in order to use the app. This practice is commonly referred to as a "cookie wall" and is generally considered a violation of the "freely given" requirement for consent, as described by the Article 29 Working Party in its guidelines on consent (WP259 Rev. 0.1).
Of the 21 apps that had some form of a consent notice, 2 apps had something that resembled a proper consent tool which allowed users access to full functionality of the app without requiring that the user provide consent. However, both apps employed confusing wording/design elements that did not appear to meet the threshold of "informed" and "unambiguous" consent.
So out of 100 apps, only 2% were even close to compliant with the GDPR.
That's why we are excited to announce the launch of App Notice, which has been engineered to comply with the web consent requirement of the GDPR. Built for iOS and Android apps, the notice can be configured by the company to provide "explicit" or "implied" consent. It's powered by our proprietary database, the largest of its kind, covering over 5,000 companies, SDKs, and opt-outs.
Developed to guarantee your app meets the threshold of "informed" and "unambiguous" consent, App Notice also ensures that your brand's look and feel is never compromised. Customize elements to match your branding, including text, localization, text color, background color and button color, and choose from 10 languages.
Contact us to learn more or schedule a demo.