![Mobile user consent under data privacy regulations [updated]](https://hpassets.smartlook.com/wp-content/uploads/sites/2/2023/02/10163357/image5-2.png)
Please keep in mind that Smartlook offers a qualitative and quantitative analytics tool but does not provide legal consultancy. If you’d like to discuss details relating to your application’s consent, we encourage you to consult with a professional attorney.
If you want your mobile app to succeed, you’ll need a responsive interface, an intuitive UX and an appropriate feature set. But there is one more thing to take care of — privacy, including consent collection on mobile.
It’s no secret that topics surrounding privacy can be tricky. That’s because countries differ in terms of jurisdictions — the most well known privacy laws are GDPR, CCPA, LGPD, and ePrivacy regulations. Some regulations are stricter than others and some have different mechanisms when it comes to mobile consent collection.
In this article, you’ll learn about mobile consent and privacy regulations. We’ll be discussing these issues mainly from a General Data Protection Regulation (GDPR) perspective, as GDPR is considered the strictest privacy regime and thus sets a good example to follow.
We believe in ethical practices and privacy by design principles. This means not only asking for consent regardless of whether you need it but asking for it in a way that allows users to opt-in. Providing that, here you’ll find the recommendations that we deem responsible in terms of data privacy.
Table of contents:
- What is mobile app consent?
- Mobile consent management regulations
- How to design a mobile consent box
- 6 examples of mobile consent boxes
- Privacy-friendly principles for consent collection
- A mobile consent and privacy by design approach: next steps
What is mobile app consent?
From the GDPR’s viewpoint, mobile app consent is a legal basis for the processing of user data. Art. 6 of the GDPR states that the processing of data is legal in 2 cases:
- When it’s necessary for the performance of the contract, for compliance with a legal obligation, and for purposes of legitimate interests, etc.
- When a user gives consent to the processing of his or her personal data for one or more specific purposes (this type of consent is often called secondary consent)
When do you need to get app user consent?
The short answer? Consent for storing data is necessary anytime you want to collect data for purposes other than fulfilling contract requirements or other legal obligations.
For example, you don’t need to obtain user consent when it’s necessary for the functioning of the mobile application. Some technical cookies are necessary and must be active for the app to operate properly.
But if you want to collect user data with Google Analytics, Smartlook, or another analytics tool (and it’s not necessary from a function perspective), you’ll need to ask for user consent.
If your app uses third-parties cookies, then mobile user consent may be necessary when sharing collected data for the purpose of another third-party company.
What user data falls within the scope of the GDPR?
- name and surname
- home address
- email addresses such as name.surname@company.com
- identification card numbers
- location data (for example, the location data function on a mobile phone)
- Internet Protocol (IP) addresses
- cookie IDs
- Your phone’s advertising identifier
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
When it comes to the mobile app itself, think about the user id, user’s location, microphone consent, or mobile analytics tracking technologies. Similarly, using customer information to display relevant ads or for retargeting purposes also requires user consent.
Mobile analytics tools collect loads of personal data, storing it in mobile SDKs. That’s why it’s so important to choose a mobile analytics provider that gives you several options to protect user privacy.
Before choosing a mobile analytics tool, make sure it will help you with the following:
The obfuscation of native visual elements that may contain private information. This includes password boxes and credit card details
Data collection minimization (the wireframe mode option). Wireframe mode guarantees that end-users remain anonymous. It also masks sensitive fields in the session recording feature
Hosting analytics data in a safe cloud environment. For example, this could be Amazon Web Services in Europe or the United States
An analytics provider should never sell, use, or track your data across other apps. At Smartlook, we stand by these values — we’re on a mission to build a tool that follows the highest privacy standards.
You can view all of Smartlook’s privacy options with our 30-day free trial (all premium features, including real-time data tracking included).
Mobile consent management regulations
In this section, we’ll not only mention GDPR but also the California Consumer Privacy Act (CCPA) and App Tracking Transparency (ATT), including the Apple Store and Google Play privacy rules. Why? Because the mobile business must comply not only with national laws but with the rules of mobile marketplaces, too.
Apple Store and Google Play policies
Apps must remain in line with worldwide jurisdictions and application store policies alike. So if you provide your users with native options for iOS and Android, you’ll want to be familiar with App Store and Google Play policies.
You’ll also want to balance privacy compliance (e.g., GDPR compliance) with applicable marketplace compliance rules. This means remaining compliant with privacy jurisdictions and the App Store or Google Play privacy rules, too. As long as you’re in compliance with the marketplace’s rules, your app will not be removed.
So from my point of view, I think there are no rules from Google Play or App Store that are not in compliance with the GDPR rules.
There may be some specific information that should be provided by the developers and that the application should do. But still, nothing that is in breach with GDPR. So my recommendation is always read the policy, but still, firstly be in compliance with GDPR.
iOS 14.5 and App Tracking Transparency (ATT)
According to Apple’s announcement, with iOS 14.5, iPadOS 14.5, tvOS 14.5, and later systems, you’re required (as an app owner) to ask users for permission to track them across apps and websites owned by other companies.
With this approach, Apple aims to protect users’ rights to privacy, ensuring a high standard for privacy, security, and content. If you’re building a native iOS mobile app, according to the App Store, you have to ask for explicit permission to track user activity for various purposes, including ad personalization.
You could say that Apple’s designated privacy standards match that of the GDPR’s gold privacy standards, so let’s take a look at the GDPR’s rules to see if that’s the case.
GDPR and mobile user consent
If you’re working on a mobile app that deals with the personal data of the European Union (EU) or the European Economic Area (EEA), GDPR applies to your case.
It’s better that you consider consent design before you begin developing your app as consent has 4 basic principles. According to Recital 32 of EU GDPR, consent should be freely given, specific, informed, and unambiguous. There is also a 5th rule — the right to easily withdraw consent at any time.
CCPA and mobile consent
The California Consumer Privacy Act (CCPA) affects every business that deals with the data of Californian citizens. While GDPR states that data should remain private unless users explicitly opt-in, CCPA states that users have the right to opt-out regarding the sale of their personal information.
Here’s the CCPA’s legal basis: “[…] A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.”
How to design a mobile consent box
As mobile consent is a complex topic, there is no one way to design a box that’s compliant with privacy regulations.
You need to start thinking about privacy by design before proceeding to mobile development itself. Consent regarding every mobile app should be part of a broader attempt to safeguard user privacy and security.
This approach requires your mobile business to do the following:
- Provide users with easy-to-digest, transparent information surrounding privacy policies and data processing
- Offer users a transparent overview of all data collections streams and third-party software
- Present users with a clear and transparent overview of all collected user data
- Give users consent to choose freedom. This means the option to accept or reject cookies or mobile SDKs (unless strictly necessary)
- Give users the right to change or withdraw consent
- Even if your analytics tracker doesn’t collect personal data (e.g., in session recordings), if you identify and locate all recordings from one device, you should ask for user consent
- Request permission to access sensitive data like location and personal info providing reasonable reason and context
- Offer a clear and transparent overview of all collected data
Your main focus should be developing a clear approach so users can easily accept the general terms and privacy policy. This is due to the complexity of most policies. Keep in mind that consent boxes shouldn’t only be for accepting or rejecting consent but rather for allowing users to dive into the reasons for data collection.
Ready for some practical examples?
6 examples of mobile consent boxes
Explore 6 practical examples of how different native mobile apps on iOS and Android handle mobile consent collection. Let’s dive into it.
Twitter: communications company
Let’s check out how Twitter handles consent in their mobile app on Android.
As you can see in the image gallery above, Twitter’s users can manage their permissions. Also, you will notice that boxes aren’t marked beforehand, which complies with good examples of user consent practices.
What’s great about this example is that for each data collection purpose, there is a separate consent box. This is considered good practice under the GDPR.
Waze app: satellite navigation software
Let’s compare the changes with another example — Waze, a subsidiary of Google that provides satellite navigation software.
Waze keeps up with its policy of presenting all of the terms right away. When opening the app for the first time, users are faced with a big block of text. This text format might be discouraging for some users who may opt to skip it.
- When you download the Waze app, you can use it without setting up an account, but the app still asks you to agree to the terms. Later, it presents the user with the most important points, gathered together and explained in plain language
- Here, as you have already accepted the final user agreement, there’s only one option to proceed. Afterward, Waze asks for specific permissions regarding the precise location of the device and shows personalized ads
- While personalized ads are optional, the app needs precise location information to work. It asks about this type of user consent in an elegant way, giving the user an alternative option to manually provide the app with an address
- Now, let’s take a look at the privacy settings. The most important points, like gathering additional information for personalizing ads or invisible mode, are right on the first screen. To manage other preferences, the user has to scroll down
- As we can see, Waze still opts for straightforwardness. Nevertheless, they have worked on aligning it with user experience principles, as we can see in the privacy policy review
PUMATRAC: training application
We can find a similar request in this fitness app by Puma, called PUMATRAC.
We can observe that the PUMATRAC app is transparent and clear about consent collection. For example, the app explains why they want access to location data. They ask for it to be able to “record runs and optimize app experience.” This additional context might be useful for users.
When it comes to consent, they explain what it’s about when it comes to each purpose (e.g., personalized marketing). They also give users the option to either accept or reject data collection.
HBO Max: subscription video-on-demand service
First, when you want to set up an account in HBO Max, you get a request from them to “find and connect to devices on your local network.” Below, there is additional information about how this will work in practice.
Next, there is another request, this time about the “usage of Bluetooth.” After that, a user consent window pops up that gives either the option to “Accept” or “Manage preferences.” This also looks transparent and gives the user a choice.
More importantly, when you press “Manage preferences,” all of the cookies that require secondary consent are left unchecked. This is in line with GDPR’s strict rules.
In summary, HBO Max gives users plenty of choice in terms of consent collection. However, you should always look at national rules that may uncover some “dark patterns” that are not in accordance with the law.
LinkedIn: business and employment-oriented online service
LinkedIn does a great job explaining what it does with users’ data and gives them ownership over particular aspects of ad personalization. When we enter the Data privacy tab, we can see multiple areas where we can make changes.
An important aspect of those settings is ad personalization. LinkedIn divides the information it gathers into several areas, letting the user choose which info to use when showing ads in their network. They also inform their users about when the changes will take effect.
The last area uses information from users’ activity outside of LinkedIn. They explain the goal of this, including what type of data they will use.
Apple software license — iOS 14.5
Apple adopted privacy by design principles as reflected in the following statement: “Privacy is built in from the beginning, from the moment you open your new device to every time you use an app.”
They provide iPhone users with multiple built-in security and privacy protections. These settings give users control over the data they share. But like in any other case — it’s up to you to choose which privacy options you use.
In the first picture, you can see that Apple gives users transparency and control over the data they share with apps. As a user, you can choose to allow the “Calendar” to use your location. You have 3 clear options.
On another screen, you see that Apple explains how they approach Data & Privacy. They follow the data collection minimization principle, along with transparency and user control over data.
Another aspect of consent involves gathering analytics and advertising data. Here, Apple is again transparent about every single purpose. They give users the choice to opt in. If you do so, Apple can collect:
- First screen: Citing Apple’s website: “Analytics about your device and any paired Apple Watch and send it to Apple for analysis. This analysis helps Apple improve products and reduce problems like apps crashing. The collected information does not identify you personally and can be sent to Apple only with your explicit consent.”
- Second screen: Citing Apple’s website: “Apple is committed to delivering advertising in a way that respects your privacy. Apple‑delivered ads may appear on the App Store, Apple News, and Stocks. The Apple advertising platform does not track you, nor does it buy or share your personal information with other companies.”
In summary, it looks like Apple transparently and clearly asks for consent for each purpose separately — these are great practices. They even go one step further by being transparent about the safety measures they take before analyzing user data.
By mentioning Differential Privacy, they show that the intention of the analysis is to discover usage patterns within the dataset while withholding information about individuals. That’s aligned with GDPR’s strict rules.
In general, we think companies are moving toward privacy, giving users control over their own data. Let’s see what our guest marketing expert thinks about mobile consent collection and users’ privacy.
Privacy-friendly principles for consent collection
Marrying high privacy standards with a great user experience, intuitive interface, and clear value for users might be a tricky task. But it’s doable. The question is, what makes the best user consent design? Here are 6 privacy-friendly principles.
It’s the basis for creating the best user consent design for mobile apps. Keep your eye on data privacy regulations and regularly check for compliance.
These characteristics should apply to all privacy-related issues. Explain why you need certain information, what data you have collected to date, and what your users can do about your privacy policy.
Give users choice regarding what type of data they wish to consent to. Put everything in a simple manner, without directing them to other places or complicating the process.
When asking for permission to use data like geographical position, give the user a minimum of a few comfortable options. For example, your app can access your location only when in use. This option lets users profit from higher comfort yet respects their privacy when they aren’t using the app.
When you ask for sensitive data, make sure it’s clearly laid out. This helps users better understand why you need it, minimizing doubts.
Watch out for overly general phrases. You don’t have to explain exactly how their data contributes to better ad personalization, but don’t fall into the trap of highly generic phrases.
When it comes to self-education about privacy and the newest regulation alterations, we think it’s good to be up-to-date with privacy law changes. Remember that consent collection is just another step in making a great, user-centric product.
Let’s see what our expert thinks about self-education around privacy and consent topics.
I’d suggest not being afraid about data processing. If you’re engaged in a mobile app project, always think about risks and make decisions under those risks. That’s the main thing to do every time
Forget about fines and think about your mobile apps and company’s reputation instead. And if you want to educate yourself about privacy topics, development, mobile development, look on some official websites of national bodies.
For example:
– The French data protection office has really cool websites with lots of interesting information
– Great Britain and their ICO has a lot of information as well as technical information for developers
Also look at the European Data Protection Board. They issue some guidelines and recommendations, they have guidelines for example, for payments for storing of payment cards, they have guidelines for consent issues.
Approach consent collection like you approach paying insurance. You pay insurance but you’re hoping that there will be no harm to you. But you still pay for it because you want to be safe when there is an issue.
Jiří Hradský, lawyer at SEDLAKOVA LEGAL
You can view all of Smartlook’s privacy options with our 30-day free trial (all premium features, including real-time data tracking included).
Mobile consent and privacy by design approach: next steps
When done right, mobile consent collection is just another step in the app development cycle. If you plan out the privacy options from the very beginning, you’ll have peace of mind during later stages.
Also, during app development, you’ll be weighing your options when it comes to piecing together your toolbox. We recommend verifying every tool provider and checking to what extent they provide options to remain compliant with applicable regulations.
There are many more benefits to choosing privacy by design tools, including:
- Better preparation for privacy audits performed by regulators
- A higher level of user trust and loyalty
- Improved company reputation
- Improved employee morale
- A better reputation in the eyes of stakeholders
When it comes to choosing a mobile analytics provider, the rules are the same. There is one last key thing to remember about analytics — it’s up to you to set your mobile analytics, remain compliant, and choose the correct consent box. If you have questions, it’s always good to ask your analytics provider or hire an analytics expert.
