Data privacy issues are one of the most important challenges both for mobile app designers and developers. Obtaining user consent in an appropriate way so that it meets legal and UX requirements at the same time is really difficult. As we have observed, even the biggest companies struggle with this topic.
That’s exactly why we decided to tackle it again. In this article, you’ll find basic information about user consent in mobile apps and the most important regulations. Also, we’ve researched several examples of how apps get user consent.
Ready to dive in?
Intuitively, we all know what user consent is, but it’s always worth going to the source. In this case, our source is Recital 32 of the EU GDPR. It states that “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data”.
In other words, only an action that leaves no room for interpretation counts as “consent”. By this definition, actions like scrolling through a site as a way to accept cookies are inadmissible. The same principle applies to mobile apps: the action needs to be unambiguous.
The short answer is: anytime you access and process some user data. Whenever your app sends some information about a user to any server in a way that the device or the user is identifiable, that’s data processing.
Think about things like using the users’ location, microphone, or implementing mobile analytics tools. Similarly, when you use their information for showing relevant ads or retargeting, it also requires user consent.
In 2021, consent management and data privacy topics are still hot. Let’s talk about two recent major changes that impacted the area of in-app user consent.
The introduction of the GDPR law was a major challenge for any company that processes EU citizens’ data. In short, it gives users more power over how their data is processed. They need to know why you need that data and what you will do with it. Also, they can change it or remove it at any time.
GDPR is based on the philosophy that data is private unless explicit permission to process it is given: an opt-in perspective. That’s quite the opposite of the American point of view, which is from the perspective of having to opt-out.
In May 2020, the European Union updated its documentation on GDPR, giving more precise information about which practices are inadmissible. These include cookie walls, scrolling as a way to accept cookies, and other examples.
The GDPR guidelines are also reflected in other geographical areas, including California, Brazil, and South Africa, though obviously with some changes.
Since we previously discussed the difference between the European and American approaches, we can see that Apple shares the European point of view.
Back in 2019, we covered some of the major apps to check how they follow the requirements regarding user consent. Now, let’s come back to them and find out how the industry has changed.
Again, we used an Android device to perform the research and looked for additional iOS examples concerning the latest changes.
Let’s check out signing up for Twitter. Again, it asks for consent for processing data right when creating the account – at a moment when it still doesn’t have any information about the user.
This consent passes onto other platforms. If you access your Twitter account from your browser, it won’t ask you again for permission to process your data. And that’s one of the changes coming with iOS 14: even if a user has accepted given conditions via the web, an iOS app needs to get them again for that specific use.
After signing up, the app asks for further permissions, yet now they are optional. Also, you will notice they aren’t pre-ticked, which is in line with good user consent practice.
In their Privacy settings, users can find out what information Twitter collects to personalize their ads. In another window, the app lets them manage location data.
Let’s compare the changes with another example, Waze, which keeps up with its policy to present all of the terms right away. When opening the app for the first time, users are hit by a wall of text.
When you download the Waze app, you can use it without setting up an account, but the app still asks you to agree to the terms. Later on, it presents the user with the most important points, gathered together and explained in plain language.
Here, as you have already accepted the final user agreement, there’s only one option to proceed. After that, Waze asks for specific permissions regarding the precise location of the device and showing personalized ads.
While personalized ads are optional, the app needs precise location information to work. It asks about this user consent in an elegant way, giving the user an alternative option to manually provide the app with the address of a location.
Let’s take a look at the Privacy settings too. The most important points, like gathering additional information for personalizing ads or invisible mode, are right on the first screen. To manage other preferences, the user has to slide down.
In most cases, an app will use not only your own code but also some third-party software. This information should be included somewhere in your design, as it lets the user know what was used to build and run the app.
Nevertheless, there’s no way to give the user control over that. That’s especially important in the case of mobile analytics SDKs. Apple now requires apps to give their users full control over the use of analytics tools, so that they can decide whether they want to be tracked or not.
We have already seen how Waze asks for enabling location permission. We can find a similar request in the fitness app by Puma, called PUMATRAC:
Here, we can observe that the Puma app doesn’t explain why it wants access to location data. Even though the reason is quite obvious, since the app can use it to track the details of a running session, for example, adding this explanation would improve both UX and privacy compliance.
Let’s start by examining how Facebook Messenger deals with privacy settings. After looking them up in the app, users can’t change their permission settings: they get redirected to pages with the Facebook policy.
To manage those settings, users need to log into their Facebook account and manage their preferences from that point.
LinkedIn makes a great example of explaining what it does with users’ data and giving them ownership over particular aspects of ad personalization. When we enter the Data privacy tab, we can see multiple areas where we can make changes.
An important aspect of those settings is ad personalization. LinkedIn divided the information it gathers into several areas, letting the user choose which info to use when showing ads in their network. They also inform users about the period when the changes will take effect.
The last area is using information from users’ activity outside of LinkedIn. They explain the goal of this and what type of data they will use.
How do things change with the privacy update in iOS? Apple redesigned the App Store, adding much more detailed information about app privacy settings. This way, users can learn more about an app’s policies before they decide to install it.
Afterwards, the app has to ask for specific consent for tracking users. Only after getting this permission will the system share the device’s advertising identifier value.
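The flow described above, as an added Swift sketch using Apple's AppTrackingTransparency framework (not code from any of the apps reviewed here). `AnalyticsClient` and its two methods are hypothetical stand-ins for whatever analytics SDK the app ships; only an explicit "Allow" enables tracking.

```swift
import Foundation
import AppTrackingTransparency
import AdSupport

// Hypothetical stand-in for a third-party analytics SDK (not a real API).
protocol AnalyticsClient {
    func enableTracking(advertisingID: UUID)
    func disableTracking()
}

enum TrackingDecision: Equatable {
    case allowed(UUID)   // user explicitly allowed tracking; IDFA is readable
    case notAllowed      // denied, restricted, or not asked yet
}

// Opt-in mapping: every status except an explicit .authorized means "no".
@available(iOS 14, *)
func decision(for status: ATTrackingManager.AuthorizationStatus) -> TrackingDecision {
    switch status {
    case .authorized:
        // Without authorization the system returns an all-zero identifier,
        // so the IDFA is read only on this branch.
        return .allowed(ASIdentifierManager.shared().advertisingIdentifier)
    case .denied, .restricted, .notDetermined:
        return .notAllowed
    @unknown default:
        return .notAllowed   // fail closed on statuses added in future SDKs
    }
}

// Call while the app is active; the system prompt is shown only then.
// Info.plist must contain NSUserTrackingUsageDescription, the purpose
// text the user sees in the prompt.
@available(iOS 14, *)
func configureTracking(_ client: AnalyticsClient) {
    ATTrackingManager.requestTrackingAuthorization { status in
        // Hop to the main queue before touching app state.
        DispatchQueue.main.async {
            switch decision(for: status) {
            case .allowed(let idfa):
                client.enableTracking(advertisingID: idfa)
            case .notAllowed:
                client.disableTracking()
            }
        }
    }
}
```

The system shows the prompt once per install; later calls return the stored answer, so a user who changes their mind does it in the system privacy settings and the app should re-check the status on launch.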
Marrying privacy standards and user experience principles is a tough task, and in our opinion, none of the examples we presented succeeded completely. Yet, you can find valuable information in each case: either as a good or bad practice.
So, what makes the best user consent design?
That might sound obvious, but it’s the basis of creating the best user consent design for mobile apps. Keep your eye on data privacy regulations and regularly check for compliance.
Clarity and transparency
Remember the LinkedIn example? Users can choose what type of data they want to be used for ad personalization. Give them similar options in a simple way, without directing them to other places or complicating the process.
When asking for permission to use data like geographical position, make sure to offer the user a minimal option they are comfortable with. As shown in the example of PUMATRAC, the app can access the location only when in use. This option gives users the convenience they want while respecting their privacy when they aren’t using the app.
When you ask for sensitive data, make sure the request is well placed in context. That lets users better understand why you need it and minimizes their doubts.
Watch out for overly general phrases. You don’t have to explain exactly how data contributes to better ad personalization, but don’t fall into the trap of highly generic phrases. LinkedIn makes a good example here.
As of 2021, we still haven’t found one example that gathers all of those characteristics. A company that achieves it has the chance to not only stand firm behind user privacy, but also deliver an impeccable experience in such an important field.
We hope to see more industry-wide standardization of transparency and data protection actions. From our side, we created Smartlook as a tool that’s GDPR compliant by design and supports app creators with careful data processing.