CNIL’s recommendation on mobile apps

The ecosystem of mobile applications (smartphones and tablets) had, until now, remained outside the scope of the recommendations of the French Data Protection Authority (CNIL). However, for mobile application publishers and Software Development Kit (SDK) providers, implementing privacy principles is particularly complex.

Professionals in the sector have therefore welcomed with interest the CNIL’s recommendation on mobile apps, which was published in its final version on September 24, 2024.

Aurele IT sheds light on the challenges and impacts of this recommendation for players in this ecosystem.

Challenges and Impacts of CNIL’s Recommendation

Why has CNIL decided to focus on mobile applications?

Mobile devices are now the preferred means for the French population to connect to the internet. They involve extensive use of mobile apps, which pose significant privacy challenges for their users. For this reason, the CNIL has identified data collection in smartphone applications as a priority topic in its 2022–2024 strategic plan.

What is the scope of the recommendation?

The CNIL, like the European Data Protection Board (EDPB), has the ability to interpret the GDPR in a general and preventive manner. A CNIL recommendation falls under what is known as “soft law,” which, in practice, is binding in matters of data protection. Data controllers are required to comply with CNIL and EDPB recommendations, which can be enforced during inspections.

The publication of the recommendation signals the start of CNIL inspections in spring 2025, targeting various players in the sector in France.

As was the case with CNIL’s previous recommendation on cookies and trackers, other European supervisory authorities are expected to follow suit and issue similar recommendations.

Who is affected by this recommendation?

The recommendation identifies the different types of stakeholders involved and defines their roles and responsibilities. These stakeholders include:

App Publishers and Developers

    • Developers provide the code for the mobile app.
    • Publishers release the mobile app, typically through app stores (iOS or Android).

SDK Providers

    • They supply third-party software modules embedded in apps, enabling specific operations. Through these modules, they may process data, such as:
      • Providing app features (e.g., QR code scanning);
      • Tracking users to provide analytics to the app publisher;
      • Allowing the publisher to profile users and monetize their audience with advertisers.

Operating System and App Store Providers

    • OS providers offer the operating system, such as those developed by mobile device manufacturers (Apple, Samsung, Huawei, Google).
    • App Stores: iOS (Apple’s mobile operating system) and Android (Google’s mobile operating system).

Which regulations apply?

Three regulations apply simultaneously to mobile applications:

    • GDPR on personal data
      The recommendation specifies how GDPR obligations translate into the context of mobile apps. Emphasis is placed on permission systems, particularly the “technical permissions” designed by OS providers. These permissions enable users to grant or block access to specific information (such as contact lists, geolocation, microphone, camera, etc.), regardless of the purposes for which this information may be used.

    • E-Privacy Directive on read and write operations on a mobile device
      The E-Privacy Directive establishes the conditions for lawful storage of, and access to, information on mobile devices. The directive applies to all types of information, not only personal data. The consent required under the Directive is subject to the same validity conditions as those set by the GDPR. Two exceptions to the consent requirement are noted under Article 5.3 of the Directive:
      • Storage exclusively for the transmission of electronic communications;
      • Operations strictly necessary to provide an information society service explicitly requested by the user.

    • The Digital Markets Act (DMA)
      The DMA is a European regulation that came into effect on March 6, 2024. It targets major digital platforms, referred to as “gatekeepers,” which include tech companies with significant market influence, such as Google, Apple, Meta, Amazon, and Microsoft. Its objective is to combat anti-competitive practices by internet giants in the European digital market through strict rules on data access, transparency, and interoperability.

How are actors qualified under GDPR?

Actors’ roles must be determined on a case-by-case basis:

  1. An App Publisher may be the data controller if they are involved in the app’s operation. However, they are not responsible for processing carried out by third parties for their own purposes using data collected via the app.
  2. An SDK Provider acts as a processor when processing data on behalf of the publisher but may be a controller when processing data for its own purposes.
  3. An operating system provider is responsible for processing data related to the device.

Impacts for Professionals in the Sector

The CNIL provides a list of best practices for each type of stakeholder.

Some recommendations may translate into new obligations.

Examples:

For Publishers:

  • Ensure compliance during the app’s design and lifecycle;
  • Define a purpose for each data processing activity, identify a legal basis, and associate it with a retention period;
  • Identify read/write operations on user devices per Article 82 of the French Data Protection Act (LIL), which transposes the E-Privacy Directive. Provide clear instructions to developers about which trackers and device accesses require consent;
  • When consent is required, ensure it is collected under valid conditions.

For Developers:

  • Formalize interactions with the publisher and take on an advisory role;
  • Select and audit SDK providers.

For SDK Providers:

  • Document information on data processing resulting from the SDK and provide it to partners in an accessible format, such as a detailed registry;
  • Design tools to facilitate consent collection.

Use case: best practices recommended for the publisher regarding the management of geolocation, contacts, microphone, and camera permissions.

  • Geolocation: The publisher should prioritize minimal permissions (approximate location); when possible, the publisher should offer an alternative to using this permission, such as allowing the user to manually enter a postal code or address.
  • Contacts: Access to contacts should be justified, with minimal permissions and explicit consent, especially when sharing contacts with other users. In particular, where a feature requires sharing contact data between multiple users of the app (e.g., discovering contacts registered on a messaging platform), consent must be obtained for reading this contact data on the user’s device, and all individuals potentially affected must be informed.
  • Microphone: Access should be occasional and justified, with local alternatives (e.g., manual input by the user).
  • Camera: Access should be limited to the permissions that are necessary. Consent is required for the remote collection of images.

Additional recommendations are provided for each category of professionals.

Aurele IT has specialized expertise and supports stakeholders in the mobile app environment.
Contact Maître Florence Ivanier for any inquiries.