User consent for mobile apps in 2021
7.5.2021

Data privacy issues are one of the most important challenges both for mobile app designers and developers. Obtaining user consent in an appropriate way so that it meets legal and UX requirements at the same time is really difficult. As we have observed, even the biggest companies struggle with this topic.

That’s exactly why we decided to tackle it again. In this article, you’ll find basic information about user consent in mobile apps and the most important regulations. Also, we’ve researched several examples of how apps get user consent.

Ready to dive in?

Intuitively, we all know what user consent means, but it’s always worth going to the source. In this case, our source is Recital 32 of the EU GDPR, which states that “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data”.

In other words, only an action that leaves no room for interpretation counts as consent. It follows from this definition that actions like scrolling through a site as a way to accept cookies are inadmissible. The same principle applies to mobile apps: the action needs to be unambiguous.

The short answer is: anytime you access and process some user data. Whenever your app sends some information about a user to any server in a way that the device or the user is identifiable, that’s data processing.

Think about things like using the users’ location, microphone, or implementing mobile analytics tools. Similarly, when you use their information for showing relevant ads or retargeting, it also requires user consent.

In 2021, consent management and data privacy topics are still hot. Let’s talk about two recent major changes that impacted the area of in-app user consent.

GDPR changes

The introduction of the GDPR law was a major challenge for any company that processes EU citizens’ data. In short, it gives users more power over how their data is processed. They need to know why you need that data and what you will do with it. Also, they can change it or remove it at any time.

GDPR is based on the philosophy that data is private unless explicit permission to process it is given: an opt-in perspective. That’s quite the opposite of the American point of view, which is from the perspective of having to opt-out.

In May 2020, the European Union updated its documentation on GDPR, giving more precise information about what practices are inadmissible. They concerned cookie walls, scrolling as a way to accept cookies, and other examples.

The GDPR guidelines are also reflected in other geographical areas, including California, Brazil, and South Africa, though obviously with some changes.

iOS 14.5 and App Tracking Transparency

When Apple announced the upcoming changes in their data privacy policy, it hit the big players on the ad market hard. What is all the buzz about? Apple wants apps to ask for explicit permission to track users’ activity for various purposes, including ad personalization.

Since we previously discussed the difference between the European and American approaches, we can see that Apple shares the European point of view.

Industry examples

Back in 2019, we covered some of the major apps to check how they follow the requirements regarding user consent. Now, let’s come back to them and find out how the industry has changed.

Again, we used an Android device to perform the research and looked for additional iOS examples concerning the latest changes.

Signing up

Let’s check out signing up for Twitter. Again, it asks for consent for processing data right when creating the account – at a moment when it still doesn’t have any information about the user.

view of Create your account in the Twitter app

This consent carries over to other platforms. If you access your Twitter account from your browser, it won’t ask you again for permission to process your data. And that’s one of the changes coming with iOS 14: even if a user has accepted given conditions via the web, an iOS app needs to get them again for that specific use.

After signing up, the app asks for further permissions, yet now they are optional. Also, you will notice they aren’t marked beforehand, which complies with the good examples of user consent practices.

a view of Customize the experience in the Twitter app

In their Privacy settings, users can find out what information Twitter collects to personalize their ads. In another window, the app lets them manage location data.

a view of Personalization and data in the Twitter app

Let’s compare the changes with another example, Waze, which keeps up with its policy to present all of the terms right away. When opening the app for the first time, users are hit by a wall of text.

view of the Privacy Policy in the Waze app

When you download the Waze app, you can use it without setting up an account, but the app still asks you to agree to the terms. Later on, it presents the user with the most important points, gathered together and explained in plain language.

views of Review Privacy Policy in the Waze app

Here, as you have already accepted the final user agreement, there’s only one option to proceed. After that, Waze asks for specific permissions regarding the precise location of the device and showing personalized ads.

views of the Waze app asking for permission

While personalized ads are optional, the app needs precise location information to work. It asks about this user consent in an elegant way, giving the user an alternative option to manually provide the app with the address of a location.

a view of the Waze app asking for location permission

Let’s take a look at the Privacy settings too. The most important points, like gathering additional information for personalizing ads or invisible mode, are right on the first screen. To manage other preferences, the user has to slide down.

a view of Privacy settings in the Waze app

As we can see, Waze still opts for straightforwardness. Nevertheless, they have worked on aligning it with user experience principles, as we can see in the Privacy Policy Review.

Third-party licenses

In most cases, an app will use not only your own code but also some third-party software. This information should be included somewhere in your design, as it lets the user know what was used to build and run the app.

view of Settings and Third-party software in the Spotify app

Nevertheless, there’s no way to give the user control over that. That’s especially important in the case of mobile analytics SDKs. Apple now requires apps to give their users full control over the usage of analytics tools and to let them decide whether they want to be tracked or not.

A plain-language version of Spotify’s privacy policy is also available. It doesn’t include legal jargon, it’s easy to understand, and it doesn’t overuse the passive voice. On a Flesch Reading Ease readability scale, it’s easy to read at school grade level 8, making it understandable for 13-year-olds.

view of Spotify’s Privacy Policy

Asking for permission

We have already seen how Waze asks for enabling location permission. We can find a similar request in the fitness app by Puma, called PUMATRAC:

a view of asking for location info in the PUMATRAC app

Here, we can observe that the Puma app doesn’t explain why they want to have access to location data. Even though it’s quite obvious, since the app can use it for tracking details of running training for example, adding this explanation would improve both UX and privacy compliance.

Managing data usage

Let’s start by examining how Facebook Messenger deals with privacy settings. After looking them up in the app, users can’t change their permission settings: they get redirected to pages with the Facebook policy.

a view of Data policy on the Facebook page

To manage those settings, users need to log into their Facebook account and manage their preferences from that point.

LinkedIn makes a great example of explaining what it does with users’ data and giving them ownership over particular aspects of ad personalization. When we enter the Data privacy tab, we can see multiple areas where we can make changes.

a view of Data privacy settings in the LinkedIn app

An important aspect of those settings is ad personalization. LinkedIn divided the information it gathers into several areas, letting the user choose which info to use when showing ads in their network. They also inform about the period when the changes will take effect.

view of Advertising data settings in the LinkedIn app

The last area is using information from users’ activity outside of LinkedIn. They explain the goal of this and what type of data they will use.

a view of Third-party data settings in the LinkedIn app

iOS 14.5

How do things change with the privacy update in iOS? Apple redesigned the App Store, adding much more detailed information about app privacy settings. This way, users can learn more about an app’s policies before they decide to install it.

an image from the official Apple site

Afterwards, the app has to ask for specific consent for tracking users. Only after getting this permission will the system share the device’s advertising identifier value.

an image from the official Apple site
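
The tracking-consent step described above, sketched in Swift as an added example (not code from Apple, Smartlook, or any app reviewed here). `TrackingSDK` and `TrackingConsent` are hypothetical names standing in for whatever analytics or ads SDK the app ships, and the app's Info.plist is assumed to contain an `NSUserTrackingUsageDescription` string explaining why tracking is requested.

```swift
import AppTrackingTransparency
import AdSupport
import Foundation

/// Hypothetical wrapper around the app's analytics/ads SDK (assumption, not a real API).
protocol TrackingSDK {
    /// nil means: run without any advertising identifier.
    func start(advertisingID: UUID?)
}

enum TrackingConsent {
    /// Call after the app has become active, before any tracking SDK is started.
    static func configure(_ sdk: TrackingSDK) {
        guard #available(iOS 14, *) else {
            // No ATT prompt exists on older systems; this example stays conservative.
            sdk.start(advertisingID: nil)
            return
        }
        switch ATTrackingManager.trackingAuthorizationStatus {
        case .notDetermined:
            // Shows the system dialog once, using the NSUserTrackingUsageDescription text.
            ATTrackingManager.requestTrackingAuthorization { status in
                DispatchQueue.main.async { start(sdk, status: status) }
            }
        case let status:
            // The user (or a device restriction) has already decided; do not re-prompt.
            start(sdk, status: status)
        }
    }

    @available(iOS 14, *)
    private static func start(_ sdk: TrackingSDK,
                              status: ATTrackingManager.AuthorizationStatus) {
        guard status == .authorized else {
            // Denied or restricted: on iOS 14.5 and later the system returns an
            // all-zero identifier. Pass nil and do not substitute another device ID.
            sdk.start(advertisingID: nil)
            return
        }
        sdk.start(advertisingID: ASIdentifierManager.shared().advertisingIdentifier)
    }
}
```

The point of routing every SDK start through one function is that no code path can read the advertising identifier before the authorization status is known.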

Marrying privacy standards and user experience principles is a tough task, and in our opinion, none of the examples we presented succeeded completely. Yet, you can find valuable information in each case: either as a good or bad practice.

So, what makes the best user consent design?

Compliance
That might sound obvious, but it’s the basis of creating the best user consent design for mobile apps. Keep your eye on data privacy regulations and regularly check for compliance.

Clarity and transparency
These characteristics should apply to all privacy-related issues. Explain why you need certain information, what data you have collected so far, and what your users can do about your privacy policy.

Ownership
Remember the LinkedIn example? Users can choose what type of data they want to be used for ad personalization. Give them similar options in a simple way, without directing them to other places or complicating the process.

Data minimization
When asking for permission to use data like geographical position, make sure to give the user a minimum comfortable option. As shown in the example of PUMATRAC, the app can access the location only when in use. This option keeps the app convenient for users yet respects their privacy when they aren’t using it.

Context
When you ask for sensitive data, make sure it’s well placed in the context. That lets users better understand why you need it and minimizes their doubts.

Precision
Watch out for overly general phrases. You don’t have to explain exactly how data contributes to better ad personalization, but don’t fall into the trap of highly generic phrases. LinkedIn makes a good example here.

As of 2021, we still haven’t found one example that gathers all of those characteristics. A company that achieves it has the chance to not only stand firm behind user privacy, but also deliver an impeccable experience in such an important field.

We hope to see more industry-wide standardization of transparency and data protection actions. From our side, we created Smartlook as a tool that’s GDPR compliant by design and supports app creators with careful data processing.

author Smartlook Team
