Why GDPR and CCPA non-compliance could mean game-over for app makers

App makers around the globe need to ensure compliance with GDPR and CCPA to avoid hefty fines, reduced user trust, missed marketing opportunities, and, ultimately, lost revenue. We’re diving deeper into what’s at risk and how you can ensure you’re always optimizing your revenue opportunities.
by Usercentrics
May 30, 2023

There was once a time when app makers could collect user data without a second thought, but with the arrival and enforcement of GDPR and CCPA regulations, this is no longer the case.


GDPR and CCPA compliance regulations require app makers to explicitly obtain user consent before collecting users’ personal data, IP addresses, and locations. They also obligate app owners to pay attention to the data that third-party SDKs collect. Despite this, 90% of apps still track users without consent and fail to achieve GDPR compliance.


The consequences? Fines, loss of trust, and missed opportunities—all undesirable for app makers.


In this article, you’ll learn more about these consequences, as well as what you can do to avoid them.


Shall we?

The GDPR data protection rulebook puts the onus back on app owners to seek permission before storing user data. Failing to do so attracts hefty penalties from regulators, creates a lack of trust among users, and results in lost revenue.


Let’s take a closer look at each of these repercussions.


Hefty fines for non-compliance


Mobile app makers processing or retaining user data without consent face strict penalties from regulatory bodies. GDPR fines can go up to € 20 million and CCPA penalties can be up to $7,500 for each violation. Let’s take a closer look at each of these penalties.

  • GDPR level one fine: Article 83(4) states that companies failing to appoint a data protection officer (DPO) or record data processing activities may be charged a fine up to € 10 million or 2% of worldwide annual revenue (whichever is higher). These penalties also apply to organizations not maintaining data records, not cooperating with supervisory authorities, or not communicating data breaches.
  • GDPR level two fine: Article 83(5) levies up to € 20 million or 4% of worldwide annual revenue (whichever is higher) for severe violations. These violations include failing to obtain customer consent, transferring personal data without safety measures, and failing to respect data subject rights.
  • CCPA penalties: Businesses liable for civil penalties can be charged up to $7,500 per intentional violation and $2,500 per unintentional violation.

The financial implications of not adhering to GDPR and CCPA regulations are no joke. For example, the French data protection authority, CNIL, imposed a € 3 million fine on Voodoo, a video game developer, for using an advertising identifier in the app without user consent.


Reduced user trust and loss of revenue


Fines aren’t the only way app makers lose money. They can also lose revenue opportunities to user distrust.


When asked about their thoughts on how companies use personal data, 80% of respondents across Europe, Asia Pacific, and America said they’re more likely to buy from companies they believe protect clients’ personal data. Another survey on how brands can build trust shows that over 66% of 14,000 global consumers would stop supporting a company if their data was breached or shared without permission.


Obtaining user consent helps companies be transparent about their data security policies. As a result, it’s easier to win customer trust and foster brand loyalty. How they do it also greatly impacts revenue—as Blinkist found out.


Blinkist, a mobile-first microlearning app, relies on paid content to acquire customers on mobile and web. They leverage advertising and recommendation platforms like Outbrain and Taboola to serve relevant cookie-based ads. After identifying a discrepancy between internally recorded signups and signups transferred to the external platforms, Blinkist realized they’d been incorrectly classifying click IDs as sensitive, GDPR- and CCPA-protected data when they are not.


Their cookie consent mechanism wasn’t configured correctly, so the platforms didn’t show recommendations to users who didn’t offer consent. This incorrect cookie policy setup cost them an estimated $300K in missed revenue.


Today’s privacy-driven landscape requires performance marketers to learn from mistakes and adapt to changes. Quick iteration and implementation abilities will matter even more as user consent is here to stay.


Data privacy and ROI measurement


Most mobile apps use third-party analytics tools to collect and share in-app session and user behavior data, which is key to running user-level marketing campaigns. However, mobile marketing companies must pivot to a cohort-focused strategy in the light of privacy regulations.


It may seem difficult to achieve performance advertising efficiency without individual user addressability—but it’s not when companies bring together measurement and privacy.


Marketers need to centralize data from all ad network sources, including SKAN, Apple Search Ads, and MMP, to assess and improve campaign performance. They can also execute geo holdouts and media mix modeling analysis to find the right media mix.


Going back to the basics of asking for explicit consent is perhaps the best solution for the user consent challenge. Make sure you ask users before collecting, selling, or using their personal data like name, location, address, health info, biometrics, or financial details. Also, consider obtaining permissions for any data that can identify individuals, such as IP address.


Not implementing user consent isn’t an option. Balancing value-adds for users and measurement tactics is the way forward.



App makers using re-marketing or re-engagement campaigns must embrace collecting user consent. Gathering user consent allows app companies to analyze visitors’ personal data and website usage behavior, which is vital to efficiently running re-marketing campaigns. Plus, they get to create a loyal user base who trust the app.


Without it, they can’t acquire customers cost-effectively or attribute app installs to campaigns. Moreover, they won’t be able to collect analytical data or use analytics or attribution SDKs.


So, app makers evidently need to adhere to GDPR and CCPA regulations. Your revenue and reputation depend on it. Let’s look at how app makers can use consent management platforms to adhere to GDPR and CCPA regulations.

How can app makers adhere to GDPR and CCPA?

Consent management platforms streamline user consent gathering for app makers. The result is efficient user data collection with cookies or trackers and improved compliance with data privacy laws.


A consent management platform (CMP) informs users about what data a website or app collects and how they use it. CMP software solutions also store and manage all user data, including data access and erasure requests. App makers use consent management platforms to gain insights into the users’ data lifecycle in a GDPR- and CCPA-compliant manner.


Here are some of the most important factors businesses must consider while selecting CMP software.

  • Consent policy notification: A CMP solution must alert users to what personal data is being collected through a pop-up window or privacy policy. It should capture and consolidate consent too.
    The software must also enable app and website owners to integrate form-based cookie consent capture into web pages. A CMP generally also scans dropped cookies—cookies left by the app or website you visit but not stored by them—and adds them to cookie consent banners.
  • Propagation management: Businesses must ensure that their CMP streamlines consent collection, notification, and propagation to third party solutions. Key features must include compliance with the Interactive Advertising Bureau (IAB) framework and consent data accessibility via APIs or webhooks.
  • Consent mapping and correlation: An efficient CMP system seamlessly gathers, normalizes, clusters, and correlates consent from the same data subject across sources. This consent mapping gives organizations a 360° view of user identity categories, including customers, vendors, and employees.
  • Consent tracking, governance, and management: The best CMP solution also eases propagating decisions to internal business applications. It helps organizations meet GDPR compliance by recording consent decisions and processing activities. Moreover, a CMP should be able to create single identity dashboards for user consent visualization.

App makers need efficient CMPs to comply with data privacy regulations and show consent requirements based on user locations. Moreover, CMPs help in tracking, managing, and storing users’ opt in/out decisions. They also block cookie scripts from running before obtaining user consent.


One such solution is Usercentrics.


Usercentrics is the number one CMP for GDPR, CCPA, LGPD and POPIA compliance for websites and apps. It enables you to obtain, manage, and analyze consents to protect ad revenue, minimize your legal risk, and boost user trust.


Talk to our expert today and start optimizing consent collection with Usercentrics.
