CNIL publishes mobile app privacy guidance and announces enforcement campaign

Highlights from CNIL’s announcement and the implications for mobile app owners

On September 24, 2024, CNIL, France’s privacy regulator, published a 98-page set of recommendations to improve privacy compliance for mobile apps and announced a subsequent investigation campaign to begin spring 2025. 

The recommendations apply to all mobile app stakeholders responsible for data processing: publishers (app owners), developers, third parties (SDKs), app stores, and operating system providers.

In its recommendations, CNIL provides concrete requirements for each stakeholder group to be compliant with Europe’s GDPR (General Data Protection Regulation).  

CNIL’s announcement states, “starting from 2025 onwards, [CNIL] will ensure that these recommendations are taken into account through enforcement actions” and that they will “deploy a specific investigation campaign on mobile applications to ensure compliance with the applicable rules”.

The need for greater mobile app oversight stems from CNIL’s view that “the mobile environment poses greater risks to data confidentiality and security than the web. Mobile applications have access to more varied and sometimes more sensitive data, such as real-time location, photographs and health data.”

The CNIL recommendations provide further clarity and detail for how to comply with the existing rules set out in GDPR. We will focus on the implications specifically for app owners. 

App owners now have explicit instructions for how to collect consent and implement SDK governance that ensures data flows to third parties are limited accordingly.  

The recommendations and implications for mobile app owners

Build a complete inventory of personal data 

CNIL Recommendations [Section #]: 

• Identify the existence of personal data processing [5.1.1]
• Each processing implemented must have an identified legal basis [5.1.2.1]
• Identify the reading and/or writing operations on the terminals of persons [5.1.2.2]

Implications: 

• Identify all personal data elements processed by each mobile app
• Determine the processing purpose for each data element
• Ensure each processing purpose is based on consent, contract, or legitimate interest
• Document each processing activity executed by the app

Implement an SDK governance framework

CNIL Recommendations [Section #]: 

• Any implemented Software Development Kit (SDK), particularly third-party SDKs, is analyzed to identify if it carries out processing of personal data [2.2]
• Determine all the data processing involved in the integration of the SDK [6.3.1]
• Ensure the provision of elements making it possible to identify possible unauthorized transfers or disclosures of personal data [6.3.1]

Implications: 

• Before implementing a new SDK, assess and document data processing 
• Maintain inventory of all third-party SDKs integrated in each mobile app
• Identify all personal data elements processed by each SDK
• Conduct regular app audits to ensure SDKs only process approved data elements with proper consent 

Enhance monitoring and governance for sensitive data

CNIL Recommendations [Section #]: 

• Identify all sensitive data processed [5.1.2.5]
• Processing of sensitive data is prohibited without free, specific, informed, and unambiguous consent of the user [5.1.2.5]
• Any creation of audience segments based on sensitive data for advertising purposes is prohibited [5.1.2.5]
• Display a warning with specific sensitive data information before obtaining consent or collect consent separately for sensitive data [5.1.2.5]

Implications: 

• Categorize all personal data processed and flag all sensitive data elements as defined in GDPR article 9
• Maintain internal and external privacy policies that specify authorized and unauthorized sensitive data processing
• Design consent collection to account for sensitive data requirements
• Conduct regular checks to identify any unauthorized sensitive data processing, especially any sensitive data used for targeted advertising 

Enhance monitoring and governance for minors’ data

CNIL Recommendations [Section #]: 

• Additional measures must be implemented to protect minors’ personal data as defined by the CNIL here [5.1.2.6]
• Advertising based on profiling using personal data is prohibited when the recipient of the service is a minor [5.1.2.6]

Implications: 

• Categorize all personal data processed and flag all data elements from minors 
• Maintain internal and external privacy policies that specify authorized and unauthorized data processing for minors 
• Design consent collection to account for the requirements for minors
• Conduct regular checks to identify any unauthorized data processing of minors, especially any minors’ data used for targeted advertising 

Design apps with privacy mechanisms built in 

CNIL Recommendations [Section #]: 

• Determine the minimum personal data parameters needed to provide the requested service in the app and offer users those settings by default [5.1.3.1]
• Minimize the personal data transmitted to its partners [5.1.3.2]
• The possibility of integrating privacy protection mechanisms is studied from the design stage [5.1.3.3]

Implications: 

• Privacy, product, and engineering teams should align on prohibited data processing rules and data minimization principles to govern all future mobile app development 
• Privacy, product, and engineering teams should align on when privacy professional should be brought into discussions at the design stage
• Audit app updates early in the development stage to check against internal privacy policies and changes from the design stage  

Maintain up-to-data privacy compliance documentation

CNIL Recommendations [Section #]: 

• Maintain and keep up to date a Record of Processing Activities (RoPA) according to GDPR article 30 [5.1.4.1]
• Retention periods are justified and documented [5.1.4.2]
• Conduct a Data Protection Impact Assessment (DPIA) if the processing meets the requirements in GDPR article 35 [5.1.4.3]

Implications: 

• Implement processes to create and update RoPAs each time an app is updated
• Document retention policy by data type
• Define triggers and standardized process for conducting DPIAs  

Regularly audit consent banners and data flows 

CNIL Recommendations [Section #]: 

• Create an external privacy policy that is complete, concise, and understandable for its audience [5.3.1.1]
• Make the privacy policy accessible before downloading the application and within the application [5.3.1.2]
• Obtain valid consent from users according GDPR articles 4 and 7 [5.1.2]

Implications: 

• Regularly audit that consent banners and privacy policies display properly for every mobile app according to CNIL requirements
• Regularly audit consent banners and consent management platforms (CMPs) to ensure they limit data flows according to consent choices and GDPR requirements

Establish processes to follow data minimization principles 

CNIL Recommendations [Section #]: 

• Ensure that the data collected for each purpose is limited to what is necessary for the intended purpose [5.1.2.3]
• When possible, favor data provided manually by the user, who thus has control of the data provided and its precision, versus data provided by the application [5.1.2.3]
• When relevant, give the user the choice between manually providing the relevant data or allowing the automatic transmission of data within the application [5.1.2.3]

Implications: 

• Evaluate all personal data elements processed and their purpose against privacy policies at the design, development, and post-launch stages of a mobile app
• Create developer guidelines for how to collect personal data and monitor adherence by auditing the application’s code during the development stage 

Implement policies that minimize data retention 

CNIL Recommendations [Section #]: 

• Processed data must be kept for a retention period strictly necessary for the objective pursued by the processing as required by GDPR article 5.1.e [5.1.2.4]

Implications: 

• Privacy, product, and engineering teams should align on data retention policies that meet GDPR requirements
• Automated controls are needed to enforce data retention policies at scale 
• Minimizing personal data collected and processed by mobile apps will reduce data retention compliance risk 

Enable data subject requests that fully honor users’ rights

CNIL Recommendations [Section #]: 

• The publisher must facilitate the users’ right of access, the right to erasure, the right to object, the right to portability, the right to rectification and the right to limitation of processing [5.1.3.1]
• Provide users with a rights management center within the application where all rights can be exercised [5.1.3.2]

Implications: 

• Implement an automated solution that can collect and execute data subject requests at scale
• Maintain an up-to-date inventory of personal data processed and the storage location of each data element
• Regularly audit the data subject request process to ensure the data made available to users matches the current data inventory 

Establish security measures with third parties to prevent data breaches 

CNIL Recommendations [Section #]: 

• Implement measures to ensure data security, particularly via the subcontracting contract as specified by GDPR in articles 32 and 28.3.c [5.4.1.1]
• Require that subcontractors transmit security alerts that could lead them to formalize a data breach notification as specified by GDPR in articles 33 and 34 [5.4.1.2]

Implications: 

• Establish Data Protection Agreements (DPAs) with subcontractors outline data security requirements and protocols for data breaches 
• Establish internal data breach protocols and mechanisms to communicate breaches internally and externally as necessary
• Minimizing personal data collected and shared by mobile apps will reduce risk of data breaches  

Audit compliance throughout the application lifecycle

CNIL Recommendations [Section #]: 

• Monitor subcontractors’ compliance with data processing instructions (article 28.1 of the GDPR) [5.4.2]
• The app publisher (owner) can use a static analysis tool to verify that the included SDKs and requested permissions match its instructions [5.4.2]
• The app publisher can set up a test (or hire a third-party provider) to verify the proper functioning of consent collection tools and ensure that SDKs don’t collect personal data before consent is actually given [5.4.2]
• Update Records of Processing Activities (RoPA), Data Protection Impact Assessments (DPIA), and privacy policies to account for data processing updates [5.4.3.1]
• Set up a validation process to approve data processing changes such as choice of a subcontractor, SDK, functionalities, methods of obtaining consent [5.4.3.2]

Implications: 

• Regularly audit app SDKs to ensure they only process approved data elements with proper consent 
• Leverage automated privacy code scanning solutions that use static code analysis and test consent management platforms (CMPs) to accurately audit apps at scale
• Implement mechanisms to automatically update RoPAs, DPIAs, and privacy policies with solutions such as privacy code scanning that automatically update privacy assessments and generate alerts for processing changes not in line with policies 
• Establish process to review data processing change decisions by triggering privacy assessments at the design phase and code reviews during app development

Key Takeaways

• Mobile app GDPR violations will increase in 2025 from the CNIL’s planned campaign to enforce the recommendations summarized in this blog.
• CNIL plans to hold each stakeholder in the mobile app ecosystem accountable for adhering to GDPR, including accountability for personal data processed by a stakeholder’s partners. For app owners, this means violations can stem from not monitoring their third parties for compliance. 
• Mobile app owners are expected to conduct regular internal compliance audits and maintain up-to-date compliance documentation as apps are updated. With most mobile apps now being updated on a weekly or monthly basis, automated solutions such as privacy code scanning are needed to achieve compliance at scale. 
• To address most of CNIL’s new recommendations, organizations must maintain a complete and up-to-date personal data inventory to properly inform an SDK governance framework that sufficiently mitigates privacy risk.

How Privado can help

• Dynamic Data Maps: Build comprehensive and real-time data maps for mobile apps without manual assessments
• SDK Governance: Continuously scan apps to detect new SDKs and ensure SDKs only process approved data elements with proper consent 
• Auto-Risk Discovery: Proactively identify risks during app development and alert engineering teams before they go live
• Smart Assessments: Automatically update RoPAs and privacy assessments each time an app is updated
• Consent Compliance: Simulate app user behavior to test that CMPs properly display banners and limit data flows according to user consent choices
• Developer Tool Integrations: Enable developers to prevent risks with automated code scans that deliver privacy guidance as developers code