On September 24, 2024, the CNIL published a recommendation aimed at helping professionals develop and implement mobile applications that respect privacy and comply with personal data protection regulations.
Mobile applications have become an everyday tool for millions of French users. However, they pose significant risks in terms of data protection, as they often access sensitive information such as real-time location, photos, or health data without the users' knowledge.
Given the importance of the situation, the CNIL found it necessary to remind the various market players of their obligations and to (re)emphasize obligations that are too often overlooked.
I/ Aim of the Guidelines: Framework for Stakeholders and Transparency for Users
These guidelines aim to clarify and define the roles of the various actors involved in mobile application development and to ensure greater transparency regarding how user data is handled. They also seek to ensure that users' consent is obtained without coercion.
Specific recommendations are directed to each actor in the sector:
1. Measures for the application publisher:
The publisher (legal entity or individual company) responsible for making the application available via platforms like app stores must ensure their product complies with data protection regulations.
From now on, the publisher is required to:
- Identify the personal data processing carried out;
- Ensure the processing complies with the GDPR and French law;
- Integrate data protection into the application design (privacy by design);
- Map out its partners;
- Manage user consent and the exercise of user rights (practical advice is provided by the CNIL on how to inform users, collect consent, and allow them to exercise their rights);
- Maintain the application's compliance throughout its lifecycle;
- Implement control over usage permissions (e.g., access to location, microphone, etc.).
2. Recommendations for developers:
The developer, responsible for creating the application, must:
- Develop applications that respect users' rights;
- Ensure compliance with the principle of data minimization (collecting only what is necessary);
- Incorporate processes for collecting user consent;
- Guarantee the security of the application.
3. Recommendations for software development kit (SDK) providers:
SDK providers, offering software components integrated into the application, must:
- Apply data protection principles by design and by default;
- Provide clear information on data processing related to the SDK's use;
- Facilitate the exercise of user rights, working with publishers to implement effective consent collection mechanisms;
- Provide secure SDKs.
4. Recommendations for operating system providers:
The operating system provider (the entity providing the specially configured operating system installed on the user's mobile device, within which the application will run) must:
- Apply data protection principles by design, minimizing the data processed by the OS;
- Inform partners and third parties of the OS's specific data processing activities;
- Provide permission systems that respect the principle of data protection by design;
- Protect minor users, particularly by incorporating parental control tools;
- Guarantee platform security (encryption of connections, backups, etc.).
5. Recommendations for app store providers:
App store providers (those responsible for the online distribution platforms of mobile applications, such as the App Store or Google Play Store) must:
- Analyze submitted applications to detect security vulnerabilities;
- Inform users (including providing information about third-party SDKs used by each app);
- Provide reporting tools and clear procedures for users to exercise their rights.
II/ Deadlines for Compliance and Sanctions
Industry actors in the mobile app sector have until March 2025 to comply with these new rules.
The CNIL has announced a major inspection campaign starting in early spring 2025 to ensure compliance with applicable rules and the implementation of its recommendations.
During these inspections, the CNIL is empowered to take corrective measures, including:
- A formal warning;
- An order to bring the processing into compliance with legal requirements or to comply with requests to exercise users' rights. This order may be accompanied by a fine of up to €100,000 per day of delay;
- Temporary or permanent limitation of data processing, its prohibition, or the withdrawal of an authorization;
- Revocation of a certification;
- Suspension of data flows to a recipient located in a third country or international organization;
- Partial or total suspension of the approval of binding corporate rules;
- An administrative fine of up to €20 million or 4% of global annual turnover for non-compliance with the fundamental principles of the GDPR.
Conclusion:
With these recommendations, the CNIL is setting a strict framework for mobile application stakeholders to strengthen the protection of users' privacy. The whole production and distribution chain is impacted.
Industry professionals must act quickly to comply by March 2025 or face sanctions.
The CNIL has also provided advice for mobile app users, informing them of their rights and how to protect their data.