GDPR Compliance for Mobile Apps 2021

Many enterprises depend on user data from mobile applications to both serve their customers and generate revenue. However, the flow of user data isn’t unregulated, and mobile apps must comply with data protection laws just like web-based applications that process personal data. 

The General Data Protection Regulation (GDPR) is the most widespread set of data protection laws and applies to the largest set of people. Every company that does business in the European Union (EU), which can include just advertising to potential customers, must comply with GDPR regulations or be subject to fines. 

See below to learn about GDPR, some of its key regulations, and ways that enterprises can help their mobile apps comply with the law. 

Jump to:


Publicized in 2016 and officially enacted in 2018, the General Data Protection Regulation protects the personal information of European Union citizens and residents. GDPR was enacted not only to provide strict guidelines for businesses that process and store personal data, but also to standardize one set of rules that all EU countries — and all countries that process EU data — can follow.

Under GDPR, every organization or person who processes individuals' personal data is known as a data controller. The individuals whose data they process — whether customers, potential customers, or employees — are known within the regulation as data subjects. 

To be able to process data legally, data controllers must have at least one applicable legal basis, or valid reason to process data, from a list of six. The six legal reasons include:

  • Specific consent, given to the data controller by the data subject 
  • A contract made between a data controller and data subject who requires personal data
  • Compliance with a legal obligation that the data controller must meet, such as having to provide someone’s data to the government by law
  • Protection of an individual’s vital interests, whether the data subject or someone else
  • Public tasks that require personal data to be processed, particularly ones that the data controller must perform to do their job
  • Protection of the data controller’s legitimate interest, typically for legal purposes. This can be overridden by personal protection rights, such as data subjects who are minors

Though GDPR does contain many rules about handling personal data, the app development company Fueled sees its regulations as being more about individuals' agency and having a say in how their data is managed. 

"Depends on the project, of course, but GDPR guidelines generally focus on personal ownership of private data," said Sage Young, director of mobile engineering at Fueled.

"This not only means that software platforms are not supposed to share personal information without a user’s permission or consent, but it also covers the rule that users should be able to download their own data and be allowed to delete their accounts (and any associated personal data) if they so choose.

"It’s really less about technical guidelines and more about a set of required best practices for dealing with a customer or user’s personal information."

A mobile user holds their smartphone. Courtesy Adobe.

Courtesy Adobe.

Mobile apps and GDPR compliance

Mobile applications, like all business technology that collects any data, must comply fully with GDPR. If not, the data controller or organization that manages them is subject to fines and legal action.

Informed consent 

Under GDPR, mobile apps must offer clear consent, and therefore refusal, to data collection and processing. Though there may be exceptions — such as legitimate interest, which could mean legal use — some data collection specifically necessitates consent, including for advertising purposes. Apps should also request permission to access any other app within the device. For example, Instagram should request to access your camera. 

Users choose whether Instagram may access their camera. GDPR Recital 42 says permission should be "freely given," and a user's refusal to give permission shouldn't be detrimental to their use of the app. 

Mobile applications should have privacy policies accessible within the app. Privacy policies should be easy to locate and understand. Users also should be able to retract permissions they have previously given. If, for example, they no longer want Instagram to have access to their camera or microphone, they can change the permission. 

The first step to making a mobile application compliant with Recital 42 and the rule of informed consent is adding the option to opt out of data collection. This should be clearly stated, give users the choice to agree to personal data collection, and provide a link to the app's entire privacy policy.

Right of access 

Data subjects have the right to request a report of their data and how it has been processed. This includes:

  • The reason the data controller is processing the data
  • The categories of personal data
  • The third parties that will also receive that data
  • The right to object to or restrict data processing

Data controllers are required to send a copy of the processed data to data subjects upon request. This information should be sent in a "commonly used electronic form," unless it wasn't requested electronically or the subject specifies otherwise, such as requesting a hard copy by mail. Data controllers are allowed to charge a "reasonable fee" if a data subject asks for more than one copy, but they must provide the first one for free. 

Some mobile applications have a form where users can submit a request for data. Commonly used electronic forms include Word and Google documents, PDFs, and emails. All compliant copies should have, at the bare minimum, accurate records of each instance of processed data and legible text.

Copies should be straightforward, simple, and honest. They should include details about any personal data that has been transmitted to other organizations or countries. A company should also include how long it will store the data or general criteria for determining that time frame. 

Right to be forgotten 

Otherwise known as the right to erasure, the right to be forgotten allows data subjects to request that their data be removed from the data controller's records. A few different situations allow data subjects to request erasure, including:

  • Objection per Article 21, which allows data subjects to object to the use of their data particularly for profiling and direct marketing 
  • The data controller no longer needs the data for the original reason they collected or processed it
  • The data needs to be deleted, so the data controller can comply with regional legal requirements

If the data controller has transmitted the personal data to other parties, they must notify those parties as much as they can that the data subject has requested erasure, so the third parties can also delete the data.

If a mobile user requests erasure, the data controller should ensure that all data from the user's account is deleted. There are some reasons in which the data controller can maintain records, most of them for either legal or public interest purposes. If the data controller must store the data for legal reasons, they should first ensure the legal reason is valid and falls under Article 17's provisions. 

Right to be informed

Every data subject — that is, every customer or potential customer whose data is collected or processed — has the right to be informed when their data is "directly obtained." This means that when a data controller directly takes data from a data subject, they must notify the subject immediately.

A data subject should be informed of various details on obtained data, including:

  • The specific identity of the data controller, whether an organization or individual
  • Contact information for the company's data protection officer if there is one
  • Purpose for processing the data and the applicable legal basis 
  • Other people or organizations that will receive data from the controller
  • The length of time the data will be stored
  • Any profiling that will occur

To ensure that mobile applications are compliant with the right to be informed, data controllers must inform customers and potential customers when their data will be collected, processed, or stored. They must clarify exactly who they  are and why they’re processing the data subject’s data as well as inform them if they’re sending the data to any third parties or another country.


The proliferation of companies using mobile apps to reach customers has partly led to the creation of rules to control how those applications manage user information.

Customer data is an important commodity to enterprises, and it enables some businesses, Facebook most notably, to make a large portion of their revenue. 

As user data collection has increased through mobile apps and caused privacy concerns, data protection regulations attempt to empower users to control how that data is used. Data laws, particularly GDPR, do pose a financial risk to companies that profit from processing or selling data as users can, for instance, opt out of ad targeting.

Data protection regulations are becoming a standard that companies have to meet. Authorities are beginning to crack down on violations and issuing fines for failures to comply. 

To successfully comply with GDPR, all companies that use mobile applications should be transparent in every way when collecting, processing or selling personal data. They must respond quickly and accurately to all valid requests from data subjects — including erasing valued user data. 

Related articles


compliance, mobile app, mobile application, regulatory and compliance requirements, GDPR