GDPR Rules & Mobile App Permissions 2021

Mobile applications and their users are subject to data protection laws just as web-based applications are regulated. One such law is the General Data Protection Regulation (GDPR), that places limits on companies that process or sell personal data, which is one of the most-wanted commodities.

All mobile applications that have European Union (EU) users or process EU citizens' data must follow GDPR. Otherwise, they are subject to legal action.

Jump to:


The General Data Protection Regulation, a sweeping law that covers all European Union citizens, tells companies how they must protect EU residents' personal data and be transparent about its use. Personal data includes personal identifiers, such as name, health data, and physical features, and technological identifiers, such as IP address.

The European Union, a legislative body that spans 27 countries, created GDPR to replace existing data laws from the 1990s. GDPR was introduced to the public in 2016, with an official enactment date two years later in May 2018. Businesses were given two years to become compliant.

The intent of GDPR is twofold: 

  • To simplify data protection regulations for all European Union countries, rather than having differing sets of regulations, which would be harder for companies and national authorities to employ and enforce
  • To make European Union residents fully aware of how their personal data is used and give them more control over that usage

GDPR wields enormous power, as the EU has the legal right to protect its residents. Failure to comply with GDPR can exact penalties, including fines.  

GDPR regulations force businesses to give customers a choice about having their personal data processed or sold, explain what data is collected and why, and send customers detailed information regarding how and why their data is processed.

Under GDPR, processing personal data is only legal if it meets at least one "legal base" listed in Article 6 (1) of the regulation. These include if the data subject has given specific consent, if the data controller — a person or, more commonly, an organization —  has a legal obligation to do so, and if processing will protect the "vital interests" of the “data subject” — the person whose data they're collecting — or someone else. 

An employee uses their smartphone in a city. Courtesy Adobe.

Courtesy Adobe.

GDPR regulations

GDPR includes 99 articles and 173 recitals, with a significant number of restrictions that businesses must satisfy. The following rules highlight some of the key concepts of the regulation, especially focused on mobile application developers and users.

Consent prior to data collection

A data controller that collects and processes data must obtain the consent of a data subject. This consent must be voluntarily given, not just assumed by the organization's underlying legal procedures.

For example, if a data subject is creating an account with a new mobile application on their smartphone, a statement to the effect of "by using this app, you agree to our privacy policy" does not count. The data subject must have the choice to actively accept the privacy policy, such as by using a check box.

Granted, declining to accept the privacy policy or terms of use typically means forfeiting an account, but the data subject still has an active choice. 

The right to be forgotten

If a mobile app user decides to stop using an app altogether and exercises their right to be forgotten, the data controller may no longer store their data for an indefinite period of time. 

The right to request

Application users have the right to request a copy of their personal data as processed and stored by the data controller. The data controller must promptly supply that information.

Users also have the right to request erasure. If they want the data controller to delete all of their personal data, GDPR legally obligates the data controller to follow through and delete all data, per their request.

GDPR enforcement

GDPR covers every aspect of a business that involves processing or storing personal data in any way. This includes any third-party companies with which a business shares data. They must also be compliant with GDPR. Otherwise, the initial business is not compliant. 

From 2015 to 2019, a group of German researchers performed a study in which they tracked how data controllers responded to data access requests from data subjects. They studied a variety of apps and business sectors and both Android and iOS applications. They also took three different time samples — two before GDPR was enacted and one after it was required.

Of the apps contacted by users in 2019, after the enactment, 22% failed to respond to the initial request for data and 28% gave a helpful report. One vendor sent the wrong user's personal data and another responded rudely without provocation. The findings from the study are "unsatisfactory," according to the researchers, who say the following in their introduction:

“Our subject access requests were fulfilled in 15 to 53 % of the cases, with an unexpected decline between the GDPR enforcement date and the end of our study,” the researchers say. “The remaining responses exhibit a long list of shortcomings, including severe violations of information security and data protection principles.”

EU and U.K. authorities issued more than 100 million euros in fines during 2020. Researchers have noticed that since 2020, authorities have begun to crack down on GDPR offenders more than during the first year and a half of its enactment. 

Large companies, including Marriott, have been fined by the U.K. Information Commissioner's office for data breaches when customer personal information was endangered. In Poland, a public agency took legal action against a university that didn't inform relevant data subjects of a breach. GDPR requires that subjects be notified within three days.

The creators of the regulation knew being entirely compliant would be difficult, but experts recommend keeping some general principles in mind:

  • Ensure a mobile app has legal basis for all the data it processes
  • Make a privacy policy that's understandable and readily available
  • Be receptive to any requests from data subjects


GDPR does pose potential financial loss to companies, particularly in marketing and advertising, that make money off of customer data. 

Apple has been making changes to its iOS privacy policies, now requiring any non-Apple applications in the App Store to state how they’ll process user data and what else they'll do with it. When iPhone or iPad users download those applications, they'll have the choice to opt out of the data collection and processing that happen through the identifier for advertisers (IDFA). Although the right to be informed under GDPR includes more than just initially letting mobile app users know how their data will be collected and processed, that is part of it. 

Facebook pushed back fiercely against Apple's new policies. The social network makes money from targeted advertisements, and focused ad tracking is a primary victim of Apple's recent regulations.

For businesses that develop and use mobile applications to serve customers,  new data policies and GDPR require some retooling or constructing financial plans that don't entirely depend on large stores of customer data collected through those apps. This is challenging, since the current tech landscape demands data and since data is incredibly valuable to businesses — and users.

Related articles


compliance, mobile app, mobile application, regulatory and compliance requirements, data protection regulation, GDPR, GDPR compliance requirements