GDPR Checklist for Apps

We help you achieve privacy compliance with your apps. Build user trust and accelerate user acquisition to boost growth.
Checklist app
Resources / Checklists / GDPR Checklist for Apps
Published by Usercentrics
3 mins to read
Mar 14, 2022

Following these steps will help ensure that your mobile app is compliant with the GDPR and ePrivacy Directive. This will protect your company from fines and your users’ data from misuse. Tick the boxes to see how compliant you are or need to be.

Compliant data is a critical business resource

Marketing strategy and data privacy regulations are both evolving rapidly. Move beyond performance-based to outcome-based marketing with a bulletproof and futureproof user acquisition strategy that centers user consent.

Privacy regulations and enforcement bring complexity to the digital business landscape that app professionals are navigating. We help manage the complexity for you. Mobile publishers, developers, and the mobile advertising ecosystem need high-quality data, for which user consent is now critical.

User consent enables:

  • running remarketing or re-engagement campaigns
  • correct attributions for installs to specific campaigns
  • decreased user acquisition costs
  • permission to use analytics, attribution, advertising, and other marketing tools and SDKs

This toolkit provides a step-by-step guide to help align your app marketing strategy with the GDPR and the ePrivacy Directive.

Our SDK supports 4 platforms, is globally compliant and provides consented user-data insights

Step 1: Conduct an audit of your mobile app

  • Identify all SDKs installed in your apps
  • Document the scope of each third-party technology: what data they access (i.e. AAID, IDFA, IP address, etc.) and why
  • Make sure third-party technologies (i.e. ad network, mediation etc.) can receive and apply user consent choice (i.e. can they receive and apply GDPR consent?)
  • Avoid access to persistent identifiers (e.g. IMEI and device number)
  • Limit your apps permissions request only to the essentials to run your service

Step 2: Explain what the tracking technologies are doing and why in a comprehensive privacy policy

  • Inform users about what data are collected, how, and why in the privacy policy
  • Check relevant data protection laws for further details
  • Ensure the privacy policy is updated and is easy to find, read, and understand for the average user

Step 3: Let users know you are using tracking technologies (e.g. SDKs) via a consent banner

  • Show a consent banner before any SDK starts collecting data
  • Ensure that you inform users and receive valid consent (check #4), especially for non-essential technologies (e.g. marketing, monetization, mediation, attribution)
  • Collect consent again every time technologies in use change
  • Inform users about the purpose of each SDK separately in the consent banner

Step 4: Obtain valid user consent per the GDPR

For consent to be valid, it has to be:

  • Explicit: active acceptance, e.g. ticking a box or clicking a link
  • Informed: what, why, by whom, for how long
  • Documented: ensure you can provide proof of consent in the case of an audit (also check #7)
  • In advance: no data can be collected before opt-in, e.g. SDKs cannot “fire” before the user’s consent has been passed to them
  • Granular: individual consent options for each purpose must be offered – consent cannot be bundled to cover other purposes or activities
  • Freely given: “Accept” and “Reject” options, e.g. button or link
  • Easy to withdraw: easy access to change consent preferences in the future (also check #8)

Step 5: Enable users to access your service even if they do not consent to tracking technologies

  • If a user refuses data processing, no non-essential tracking can collect data, essential tracking technologies needed for the app to function can keep operating
  • Ensure users can still access your app even if they refuse the use of tracking technologies, blocking them can be a discriminatory action

Step 6: Collect and process data only after obtaining valid consent

  • Ensure that SDKs are not loaded until the user has given consent
  • Once you have obtained valid consent, you can collect and process personal data (e.g. AdID, IDFA) for the purposes that users have been informed about

Step 7: Document and store consent received from users

  • Comply with your documentation obligation and ensure you are able to verify users’ consent in case of an audit by data protection authorities (DPA)

Step 8: Opt out must be as simple as opt in

  • Make it as easy for users to withdraw their consent as it was to give it in the first place – easy in, easy out
  • External links to a third page for opt out are not sufficient
  • Make sure that the options for acceptance and rejection are comparably designed, e.g. on the same level, in the same format, with the same degree of simplicity

Step 9: Opt out must be as simple as opt in

  • After opt out ensure that no further data is collected or forwarded

 

Sign up for your 30-day free trial today