Mobile user consent under data privacy regulations [updated]

Mobile user consent under data privacy regulations [updated]

Joanna Kaminska
Joanna Kaminska (Smartlook Team)  |  Last updated: Sep 26, 2022
17 mins read
If you want your mobile app to succeed, you’ll need a responsive interface, an intuitive UX and an appropriate feature set. But there is one more thing to take care of — privacy, including consent collection on mobile.

Please keep in mind that Smartlook offers a qualitative and quantitative analytics tool but does not provide legal consultancy. If you’d like to discuss details relating to your application’s consent, we encourage you to consult with a professional attorney. 

If you want your mobile app to succeed, you’ll need a responsive interface, an intuitive UX and an appropriate feature set. But there is one more thing to take care of — privacy, including consent collection on mobile.

It’s no secret that topics surrounding privacy can be tricky. That’s because countries differ in terms of jurisdictions — the most well known privacy laws are GDPR, CCPA, LGPD, and ePrivacy regulations. Some regulations are stricter than others and some have different mechanisms when it comes to mobile consent collection.

In this article, you’ll learn about mobile consent and privacy regulations, including how to remain compliant. We’ll be discussing these issues mainly from a General Data Protection Regulation (GDPR) perspective, as GDPR is considered the strictest privacy regime and thus sets a good example to follow.

We believe in ethical practices and privacy by design principles. This means not only asking for consent regardless of whether you need it but asking for it in a way that allows users to opt-in. Providing that, here you’ll find the recommendations that we deem responsible in terms of data privacy.

Table of contents:

From the GDPR’s viewpoint, mobile app consent is a legal basis for the processing of user data. Art. 6 of the GDPR states that the processing of data is legal in 2 cases:

  • When it’s necessary for the performance of the contract, for compliance with a legal obligation, and for purposes of legitimate interests, etc.
  • When a user gives consent to the processing of his or her personal data for one or more specific purposes (this type of consent is often called secondary consent)

When do you need to get app user consent?

The short answer? Consent for storing data is necessary anytime you want to collect data for purposes other than fulfilling contract requirements or other legal obligations. 

For example, you don’t need to obtain user consent when it’s necessary for the functioning of the mobile application. Some technical cookies are necessary and must be active for the app to operate properly.

But if you want to collect user data with Google Analytics, Smartlook, or another analytics tool (and it’s not necessary from a function perspective), you’ll need to ask for user consent.  

If your app uses third-parties cookies, then mobile user consent may be necessary when sharing collected data for the purpose of another third-party company.

What user data falls within the scope of the GDPR?

  • name and surname
  • home address
  • email addresses such as name.surname@company.com
  • identification card numbers
  • location data (for example, the location data function on a mobile phone)
  • Internet Protocol (IP) addresses
  • cookie IDs
  • Your phone’s advertising identifier 
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person

When it comes to the mobile app itself, think about the user id, user’s location, microphone consent, or mobile analytics tracking technologies. Similarly, using customer information to display relevant ads or for retargeting purposes also requires user consent.

PRO TIP

Mobile analytics tools collect loads of personal data, storing it in mobile SDKs. That’s why it’s so important to choose a mobile analytics provider that gives you several options to protect user privacy. 

Before choosing a mobile analytics tool, make sure it will help you with the following:

The obfuscation of native visual elements that may contain private information. This includes password boxes and credit card details

Data collection minimization (the wireframe mode option). Wireframe mode guarantees that end-users remain anonymous. It also masks sensitive fields in the session recording feature

Hosting analytics data in a safe cloud environment. For example, this could be Amazon Web Services in Europe or the United States

An analytics provider should never sell, use, or track your data across other apps. At Smartlook, we stand by these values — we’re on a mission to build a tool that follows the highest privacy standards.

You can view all of Smartlook’s privacy options with our 10-day free trial (all premium features, including real-time data tracking included).

In this section, we’ll not only mention GDPR but also the California Consumer Privacy Act (CCPA) and App Tracking Transparency (ATT), including the Apple Store and Google Play privacy rules. Why? Because the mobile business must comply not only with national laws but with the rules of mobile marketplaces, too. 

Apple Store and Google Play policies

Apps must remain in line with worldwide jurisdictions and application store policies alike. So if you provide your users with native options for iOS and Android, you’ll want to be familiar with App Store and Google Play policies. 
You’ll also want to balance privacy compliance (e.g., GDPR compliance) with applicable marketplace compliance rules. This means remaining compliant with privacy jurisdictions and the App Store or Google Play privacy rules, too. As long as you’re in compliance with the marketplace’s rules, your app will not be removed.

I see that those rules for App Store and Google Play are changing really fast.

So from my point of view, I think there are no rules from Google Play or App Store that are not in compliance with the GDPR rules.

There may be some specific information that should be provided by the developers and that the application should do. But still, nothing that is in breach with GDPR. So my recommendation is always read the policy, but still, firstly be in compliance with GDPR.
Jiří Hradský
Lawyer at SEDLAKOVA LEGAL

iOS 14.5 and App Tracking Transparency (ATT)

According to Apple’s announcement, with iOS 14.5, iPadOS 14.5, tvOS 14.5, and later systems, you’re required (as an app owner) to ask users for permission to track them across apps and websites owned by other companies.

With this approach, Apple aims to protect users’ rights to privacy, ensuring a high standard for privacy, security, and content. If you’re building a native iOS mobile app, according to the App Store, you have to ask for explicit permission to track user activity for various purposes, including ad personalization.

You could say that Apple’s designated privacy standards match that of the GDPR’s gold privacy standards, so let’s take a look at the GDPR’s rules to see if that’s the case.

GDPR and mobile user consent  

If you’re working on a mobile app that deals with the personal data of the European Union (EU) or the European Economic Area (EEA), GDPR applies to your case.

It’s better that you consider consent design before you begin developing your app as consent has 4 basic principles. According to Recital 32 of EU GDPR, consent should be freely given, specific, informed, and unambiguous. There is also a 5th rule — the right to easily withdraw consent at any time. 

CCPA and mobile consent

The California Consumer Privacy Act (CCPA) affects every business that deals with the data of Californian citizens. While GDPR states that data should remain private unless users explicitly opt-in, CCPA states that users have the right to opt-out regarding the sale of their personal information.

Here’s the CCPA’s legal basis: “[…] A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.”

As mobile consent is a complex topic, there is no one way to design a box that’s compliant with privacy regulations. 

You need to start thinking about privacy by design before proceeding to mobile development itself. Consent regarding every mobile app should be part of a broader attempt to safeguard user privacy and security. 

This approach requires your mobile business to do the following:

  • Provide users with easy-to-digest, transparent information surrounding privacy policies and data processing
  • Offer users a transparent overview of all data collections streams and third-party software
  • Present users with a clear and transparent overview of all collected user data
  • Give users consent to choose freedom. This means the option to accept or reject cookies or mobile SDKs (unless strictly necessary)
  • Give users the right to change or withdraw consent
  • Even if your analytics tracker doesn’t collect personal data (e.g., in session recordings), if you identify and locate all recordings from one device, you should ask for user consent 
  • Request permission to access sensitive data like location and personal info providing reasonable reason and context
  • Offer a clear and transparent overview of all collected data 

Your main focus should be developing a clear approach so users can easily accept the general terms and privacy policy. This is due to the complexity of most policies. Keep in mind that consent boxes shouldn’t only be for accepting or rejecting consent but rather for allowing users to dive into the reasons for data collection. 

Ready for some practical examples?

Explore 6 practical examples of how different native mobile apps on iOS and Android handle mobile consent collection. Let’s dive into it. 

Twitter: communications company

Let’s check out how Twitter handles consent in their mobile app on Android.

screenshots from twitter with their privacy policy and consent boxes on mobile

As you can see in the image gallery above, Twitter’s users can manage their permissions. Also, you will notice that boxes aren’t marked beforehand, which complies with good examples of user consent practices.

What’s great about this example is that for each data collection purpose, there is a separate consent box. This is considered good practice under the GDPR.

Waze app: satellite navigation software

Let’s compare the changes with another example — Waze, a subsidiary of Google that provides satellite navigation software.

Waze keeps up with its policy of presenting all of the terms right away. When opening the app for the first time, users are faced with a big block of text. This text format might be discouraging for some users who may opt to skip it.

screenshots from waze app with their privacy policy and consent boxes on mobile
  1. When you download the Waze app, you can use it without setting up an account, but the app still asks you to agree to the terms. Later, it presents the user with the most important points, gathered together and explained in plain language
  2. Here, as you have already accepted the final user agreement, there’s only one option to proceed. Afterward, Waze asks for specific permissions regarding the precise location of the device and shows personalized ads
  3. While personalized ads are optional, the app needs precise location information to work. It asks about this type of user consent in an elegant way, giving the user an alternative option to manually provide the app with an address 
  4. Now, let’s take a look at the privacy settings. The most important points, like gathering additional information for personalizing ads or invisible mode, are right on the first screen. To manage other preferences, the user has to scroll down
  5. As we can see, Waze still opts for straightforwardness. Nevertheless, they have worked on aligning it with user experience principles, as we can see in the privacy policy review

PUMATRAC: training application

We can find a similar request in this fitness app by Puma, called PUMATRAC.

screenshots from PUMATRAC app with their privacy policy and consent boxes on mobile

We can observe that the PUMATRAC app is transparent and clear about consent collection. For example, the app explains why they want access to location data. They ask for it to be able to “record runs and optimize app experience.” This additional context might be useful for users. 

When it comes to consent, they explain what it’s about when it comes to each purpose (e.g., personalized marketing). They also give users the option to either accept or reject data collection.

HBO Max: subscription video-on-demand service

First, when you want to set up an account in HBO Max, you get a request from them to “find and connect to devices on your local network.” Below, there is additional information about how this will work in practice. 

Next, there is another request, this time about the “usage of Bluetooth.” After that, a user consent window pops up that gives either the option to “Accept” or “Manage preferences.” This also looks transparent and gives the user a choice. 

More importantly, when you press “Manage preferences,” all of the cookies that require secondary consent are left unchecked. This is in line with GDPR’s strict rules.

In summary, HBO Max gives users plenty of choice in terms of consent collection. However, you should always look at national rules that may uncover some “dark patterns” that are not in accordance with the law.

LinkedIn: business and employment-oriented online service

LinkedIn does a great job explaining what it does with users’ data and gives them ownership over particular aspects of ad personalization. When we enter the Data privacy tab, we can see multiple areas where we can make changes.

An important aspect of those settings is ad personalization. LinkedIn divides the information it gathers into several areas, letting the user choose which info to use when showing ads in their network. They also inform their users about when the changes will take effect.

The last area uses information from users’ activity outside of LinkedIn. They explain the goal of this, including what type of data they will use.

Apple software license — iOS 14.5

Apple adopted privacy by design principles as reflected in the following statement: “Privacy is built in from the beginning, from the moment you open your new device to every time you use an app.”

They provide iPhone users with multiple built-in security and privacy protections. These settings give users control over the data they share. But like in any other case — it’s up to you to choose which privacy options you use. 

In the first picture, you can see that Apple gives users transparency and control over the data they share with apps. As a user, you can choose to allow the “Calendar” to use your location. You have 3 clear options. 

On another screen, you see that Apple explains how they approach Data & Privacy. They follow the data collection minimization principle, along with transparency and user control over data.

Another aspect of consent involves gathering analytics and advertising data. Here, Apple is again transparent about every single purpose. They give users the choice to opt in. If you do so, Apple can collect:

  • First screen: Citing Apple’s website: “Analytics about your device and any paired Apple Watch and send it to Apple for analysis. This analysis helps Apple improve products and reduce problems like apps crashing. The collected information does not identify you personally and can be sent to Apple only with your explicit consent.”
  • Second screen: Citing Apple’s website: “Apple is committed to delivering advertising in a way that respects your privacy. Apple‑delivered ads may appear on the App Store, Apple News, and Stocks. The Apple advertising platform does not track you, nor does it buy or share your personal information with other companies.”

In summary, it looks like Apple transparently and clearly asks for consent for each purpose separately — these are great practices. They even go one step further by being transparent about the safety measures they take before analyzing user data.

By mentioning Differential Privacy, they show that the intention of the analysis is to discover usage patterns within the dataset while withholding information about individuals. That’s aligned with GDPR’s strict rules. 

In general, we think companies are moving toward privacy, giving users control over their own data. Let’s see what our guest marketing expert thinks about mobile consent collection and users’ privacy.

Mobile devices have access to a vast amount of sensitive private information about us, yet users are rarely given the choice to opt out of tracking, and data collection. While Apple and Google gradually roll out measures to protect users’ privacy, it is in the hands of the developer to provide a clear, transparent way to enable the control of one’s personal data. Many consent management platforms (CMPs) are offering a smoothless and customizable integration in order for the developers to easily make their apps GDPR compliant.
Santi Roc Castells
Head of Marketing at Cookie Information

Privacy-friendly principles for consent collection

Marrying high privacy standards with a great user experience, intuitive interface, and clear value for users might be a tricky task. But it’s doable. The question is, what makes the best user consent design? Here are 6 privacy-friendly principles. 

Compliance

It’s the basis for creating the best user consent design for mobile apps. Keep your eye on data privacy regulations and regularly check for compliance.

Clarity and transparency

These characteristics should apply to all privacy-related issues. Explain why you need certain information, what data you have collected to date, and what your users can do about your privacy policy.

Ownership

Give users choice regarding what type of data they wish to consent to. Put everything in a simple manner, without directing them to other places or complicating the process.

Data minimization

When asking for permission to use data like geographical position, give the user a minimum of a few comfortable options. For example, your app can access your location only when in use. This option lets users profit from higher comfort yet respects their privacy when they aren’t using the app.

Context

When you ask for sensitive data, make sure it’s clearly laid out. This helps users better understand why you need it, minimizing doubts.

Precision

Watch out for overly general phrases. You don’t have to explain exactly how their data contributes to better ad personalization, but don’t fall into the trap of highly generic phrases. 

When it comes to self-education about privacy and the newest regulation alterations, we think it’s good to be up-to-date with privacy law changes. Remember that consent collection is just another step in making a great, user-centric product. 

Let’s see what our expert thinks about self-education around privacy and consent topics. 

I’d suggest not being afraid about data processing. If you’re engaged in a mobile app project, always think about risks and make decisions under those risks. That’s the main thing to do every time

Forget about fines and think about your mobile apps and company’s reputation instead. And if you want to educate yourself about privacy topics, development, mobile development, look on some official websites of national bodies.

For example:

The French data protection office has really cool websites with lots of interesting information

– Great Britain and their ICO has a lot of information as well as technical information for developers 

Also look at the European Data Protection Board. They issue some guidelines and recommendations, they have guidelines for example, for payments for storing of payment cards, they have guidelines for consent issues.

Approach consent collection like you approach paying insurance. You pay insurance but you’re hoping that there will be no harm to you. But you still pay for it because you want to be safe when there is an issue. 

Jiří Hradský, lawyer at SEDLAKOVA LEGAL

You can view all of Smartlook’s privacy options with our 10-day free trial (all premium features, including real-time data tracking included).

Mobile consent and privacy by design approach: next steps

When done right, mobile consent collection is just another step in the app development cycle. If you plan out the privacy options from the very beginning, you’ll have peace of mind during later stages.

Also, during app development, you’ll be weighing your options when it comes to piecing together your toolbox. We recommend verifying every tool provider and checking to what extent they provide options to remain compliant with applicable regulations.

There are many more benefits to choosing privacy by design tools, including:

  • Better preparation for privacy audits performed by regulators
  • A higher level of user trust and loyalty
  • Improved company reputation
  • Improved employee morale
  • A better reputation in the eyes of stakeholders 

When it comes to choosing a mobile analytics provider, the rules are the same. There is one last key thing to remember about analytics —  it’s up to you to set your mobile analytics, remain compliant, and choose the correct consent box. If you have questions, it’s always good to ask your analytics provider or hire an analytics expert. 

Joanna Kaminska
Joanna Kaminska

is a content marketing strategist at Smartlook. She is a seasoned writer interested in storytelling, SaaS and new technologies. Her goal is to create content that is easy to understand for all. After work, she enjoys hiking and nature photography. | LinkedIn profile

0 %