Back to Blog

The best way to get user consent for Mobile Apps in 2019

March 14, 2019 | Nikola Kožuljević | | Smartlook for Mobile Apps

At Smartlook we welcomed Apple’s insistence on requesting apps asking or users consent to share the data with mobile 3rd party analytics software.

We wrote about this previously and have created open source SDKs app developers can use freely; both for iOS and Android.

Apple’s strict policy on user consent did create shockwaves through the industry.

Getting user consents required tweaking apps core functionality and design. This of course has resulted in annoyance and disruption for developers and their apps.

So in our usual random ‘team beering’ chats, I asked the team what is the best way to get user consents for mobile apps?

Back-and-forth with couple of twists we ended up agreeing that is a tough question since it is not obvious what ‘the best’ is.

Is it solely to complete the legal standpoint & requirement? User Experience first? Transparency all the way? Everyone had their fair share of the argument.

‘The best’, in this context as well, is a highly subjective and elusive concept.

Here, I’ll present my argument and some examples I found interesting and worth noting. Maybe they’ll help you (dear reader) as well next time you have a beer-coffee-tea infused conversation on this topic.

I suggest we start with the European Unions’ General Data Protection Regulation (EU GDPR) as the strictest regulation on privacy and user data protections. I’d argue it provides a solid foundation for an objective benchmark.

Although focused on privacy and identifiable data protection, the GDPR can be helpful in setting the  direction for user consents.

The GDPR is precise when it comes to the user consent. The Recital 32 of the EU GDPR notes that “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data…”

Furthermore, as it is defined, this could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of personal data.

At the same time GDPR defines that silence, pre-ticked boxes or inactivity are not to be considered a consent.

Consent should cover all processing activities carried out for the same purpose or purposes and when the processing has multiple purposes, consent should be given for all of them.

And finally, the GDPR defines a UX element to GDPR. It notes that the consent needs to be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Whether you’re working with the EU citizens or not, this article alone provides all the necessary principles for great consent and permissions requests.

I believe it should be followed to the letter.

But, does the industry follow?

In preparation of this article I’ve installed some apps and first handedly checked how popular apps ask for consent on data collection. I used a smartphone with Android OS for this brief research.

In general, I was disappointed how some of the major apps delivered or failed to deliver the request for consent upon first installation.

In almost all cases the request for consent on data protection is given in the step of creating an account. Wherever that happens. Like for example Twitter does:

 

twitter-account-creation-screen

Image 1 – Twitter App Data Privacy / Consent Screen on first login for new users

 

In this example the entirety of consent is requested in that one hyperlinked line and one button.

I think this is not a good approach since for the existing user, there is no consent on data collection or information whatsoever.

At the same time, this is the first screen an existing user would see upon login:

 

twitter-existing-account-screen

Image 2 – Twitter App GPS data consent. First screen for existing users.

 

And it relates only to the GPS data.

To my disappointment, this is the approach that is shared with many apps. Where – the consent is request upon initial account creation and then it just transcends through other platforms as well. Facebook’s Messenger does this. Uber as well.

On the flip side, an app from McDonalds has this screen:

 

mcdonalds-app-user-consent-screen

Image 3 – McDonald App Consent screen

 

At least it delineates it’s an app and data collection is connected to the app itself.

The problem I see here is that the terms are hidden, or at least it is not clear and obvious what kind of data or to what kind of privacy system you’re signing up.

Waze app, does that a bit differently. They put the entire user agreement right at the users face upon creation the account:

 

waze-app-terms-screen-1  waze-app-terms-screen-2Images 4 & 5 – Waze App introducing users with the privacy policy and Terms

 

It’s a bit dry on engagement and experience sure, but at least something… right?

On the positive side is that Google and Apple are enforcing apps to require permission to access sensitive data. To make it clear, these are different from personal and user identifiable data.

The sensitive data would here include location, contacts, microphone, photos… you get it. This is well respected from apps since they need the permitted access to function. Waze needs access to location functionality, Messenger needs contacts, recording apps need access to microphone and so on…

These permissions are managed on a device level and can be always tweaked within the app settings options. This is an example (found online) how Mozilla approached to it. Asking for multiple permissions at once:

 

mozilla-app-user-consent

Image 6 – Mozilla App asking for users permissions in one screen

 

Third party licenses

What I see as positive is the existence of separate space that holds information non Third Party licenses and usage for the apps themselves. These are usually found in the app settings privacy area or similar.

Below is the example how Spotify presents third-party software that have been used within the Spotify app:

 

Spotify-third-pary-licenses-1Spotify-third-pary-licenses-2

Images 7 & 8 – Spotify’s Third Party Software information

 

I found a similar list on Messenger app. But couldn’t find it on the LinkedIn App for example.

These lists are helpful to understand what kind of software has been used to build the app. But, on the negative side the user does not have any control over this. Whether to accept the usage or a particular SDK or not.

Apple, within their App Store Guidelines update (2.5.14 and 5.1.2; more info here) requires, from apps using mobile analytics SDKs, full transparency to the user, and a choice – to consent (or not) to usage of mobile analytics tools.

And I completely agree that should be the standard.

So, what are the best ways to get user consent for mobile apps in 2019?

Ultimately, in my research I never found a demonstrable answer to that question.

I believe that, in principle, the consent for every mobile app should be a part of a broader attempt to safeguard user privacy and security. This approach would include:

  1. Providing users an easy to digest, clean and transparent information on the entire privacy policy and data processing
  2. Offering users a clear and transparent overview of all data collections streams and used third party software.
  3. Presenting users a clear and transparent overview of all collected data for the user
  4. Requesting users consent to accept or reject those data collection services without which the app would function, and the end user privacy strengthened. Like mobile app analytics SDKs.
  5. Request for permission to access sensitive data like location, personal info and so on… within context.
  6. Offering a clear and transparent overview of all collected data and a direct

Again, I had trouble finding a mobile app that would cover all of these points in one.

Waze’s app is good to push all the information transparently in front of the user. Although it’s not ideal for in UX terms. Spotify’s third-party library and presentation deserves commendations for openness and transparency.

The biggest problem here is developing a good and clear approach for users to accept the general terms and privacy policy. This is mainly due to the policies themselves. They’re big, legal, boring and in complete conflict with positive and engaging user experience.

The choice is often presented in a binary fashion – accept or not – and includes hyperlinks to respective policies.

If you know some apps that do this in an interesting way, please share them with me.

At the same time, I do have some interesting examples to share.

First example comes from our own efforts. Our developers created and open source user consent SDK that provides configurable user consent and a preference whether to allow analytics SDKs to work or not:

open-source-user-consent-sdk

Image 9 – User consent concept from SmartlookConsentSDK

 

SmartlookConsentSDK-Settings

Image 10 –  Settings Demo from SmartlookConsentSDK

 

At the same time these consent options could be added to the Preference center or Privacy center. Where users could have a greater control over privacy settings on specific elements. And where they can choose their preference over certain features.

Second interesting example of an app implementing the Privacy center in a clear and interactive manner:

 

zentoso-app-privacy-center

Image 10 – Data Privacy & Protection Center from Zentoso App (Source: Onetrust.com)

 

And for a third one, a request for permission to certain functionality, Waze has implemented a nice approach in context – to turn on the GPS and give Waze location access:

 

waze-app-location-access-permission

Image 8 – Waze App requesting user permission to use GPS data

 

Conclusion

Getting users consent for data processing and obtaining permissions is a tricky thing.

It’s a balancing act – between the user experience, their security and the businesses, their apps and dependency to user generated invasive data.

In my research I haven’t found well thought out examples of getting users consent for data collection.

Of course, I didn’t have the coffee or brandy to sustain research of millions of apps. But being an eternal optimist I’m willing to concede that there might be some apps out there that could blow my (our) mind.

So, if you know some that I missed, please share them in comments or on social media.

Ultimately, I’m confident that mobile app developers, especially the big ones, are aware of the GDPR and its general principles and consent requirements.

A positive thing here is that they’re doing everything they can to save themselves from reprimand and penalties which affect the bottom line. The sad thing is that they’re doing it only from the legal perspective.

What they are missing is a chance to stand firm behind end user privacy protection and lead the industry by offering users a UX driven, transparent overview of their privacy policy, data collection processes and by extent to request consents & permissions.

On a positive note, things are changing.

The GDPR definitely rocked the industry and had pushed developers and business to make some positive changes. Frequent data leaks and scandals are forcing companies to invest in security and stability. And finally, the aforementioned Apple’s insistence on consent is a welcomed addition to industry wide standardization of transparency and end user privacy protection and data security.

And yes, feel free to use our SmartlookConsentSDK for iOS (repository here) and Android (repository here) and enhance your apps transparency and user protection.

Discussion