How would you feel if we told you that you could no longer use your favorite analytics tools? Well, for around 90% of apps out there, you can’t, or at least not in a way that is compliant with the GDPR.

Most apps are not collecting data in a way that is GDPR-compliant. The entities producing these apps seem to largely see the regulation (or any regulation) as a hindrance, something to be worked around, not talked about openly.

When the General Data Protection Regulation (GDPR) came into force on May 25th, 2018, it was a game-changer in terms of the degree of control it gave consumers over the way that companies collect, store and process their personal information. It shifted the responsibility to app owners to achieve and maintain GDPR compliance.

It also unequivocally changed the concept of consent. It went from something that could be tacitly assumed by dint of the fact that an individual had not opted out of giving permission for their personal data to be collected and used, to a scenario where the consumer must actively be informed and opt in.

GDPR app permissions

Clearly, this impacts digital marketing in general and app GDPR compliance in particular, especially where app permissions are concerned.

It is no longer acceptable for an app owner not to pay attention to what third-party SDKs (i.e. marketing tools) installed on the app are tracking about their users. Apps cannot track a user’s location or IP address, or other types of data that could lead to identifying a specific user, without their explicit consent.

But a study by Usercentrics in October 2022 found that most apps reviewed are not GDPR-compliant (more on this later). In this post, we will share what you need to do to ensure your app is GDPR-compliant. This will help you gain the trust and respect of your users by being open and transparent with them about the personal information the app collects, and for what purposes.

The GDPR rewrote the data protection rulebook, taking the onus away from consumers to ask companies not to collect, store and use their personal data, and placing it firmly in the hands of businesses and app owners to seek the consumer’s permission to do so.

But the way many app marketers are going about things is counterproductive, resulting in many users refusing to share their personal information. Without it, app marketers’ ability to run retargeting campaigns and evaluate the performance of their marketing campaigns is significantly reduced.

A recent case study from Blinkist found that setting up consent banners incorrectly could lead to a €300,000 revenue loss. According to a Sensor Tower report, 2022 was the first year on record that app store growth slowed to a halt, with Apple’s introduction of its ATT framework identified as the main cause.

It’s time for a change of perspective. Consent is not an obstacle to a thriving app business; it’s a necessity and presents a great opportunity. By being open and transparent with your customers about what personal data you want to collect, why you wish to do so, and what value the customer gets from the process, you gain their trust and long-term loyalty, which ultimately has a positive impact on the bottom line.

In a 2020 study of 1,000 North American consumers carried out by McKinsey, around half of the respondents said they were more likely to trust a company that only asks for information relevant to its products and that limits the amount of personal information requested.

Other reports back this up. A study from AdPushUp found that 80% of respondents would be more likely to buy from companies that they believe protect their personal data. Another from the IAB found that 85% of consumers globally want to deal with companies who are more trustworthy with their data. And another from Appsflyer found that 85% of consumers are concerned about privacy.

Figure: Consumer privacy (Source: Usercentrics)

So when you are asking customers to share their personal data with you, ask yourself if you really need it. If you don’t, then don’t ask them for it.

Recital 42 of the GDPR, “Burden of Proof and Requirements for Consent”, spells out in crystal clear detail that the responsibility for ensuring that the consumer is able to give their consent freely, and for demonstrating the extent to which it is given, lies firmly with the entity seeking the consent.

App GDPR compliance – the status quo

So what is the current state of mobile app GDPR compliance? To find out, in October 2022 Usercentrics carried out a European app industry report, looking at 250 apps across five popular categories, to see how they fared in terms of GDPR compliance.

What we found does not make for reassuring reading: 90% of the apps studied were not GDPR-compliant because they tracked users without their consent. The highest level of noncompliance was among Gambling apps, where 100% of the apps investigated were found to be non-compliant. Even in the best-performing category, Food, only 16% of the apps investigated were found to be GDPR-compliant. Clearly, the level of GDPR compliance in apps is much lower than it should be.

Other, more extensive studies have delivered similar insights. In a study of one million apps carried out by Appvisory, 76% of the apps investigated failed to comply with the GDPR’s requirement to obtain user consent before tracking personal data.

Another study of two million apps, carried out by the University of Oxford, found that only 10% were GDPR-compliant. The same study found that, on average, apps transfer personal data to 10 third-party companies.

This should be a cause for concern for app owners everywhere. At a basic level, it shows a complete disregard for their users’ data privacy. How can any app hope to earn the respect and trust of its users if it tracks them without their permission and shares their data with other companies with whom they have no relationship whatsoever?

The people responsible for enforcing regulations have shown they are serious about it, issuing several large fines. In November 2022, Facebook’s parent company, Meta, was fined €265 million for breaching European data protection laws. In December 2021, dating app Grindr was fined US $7.1 million by Norway’s data protection authority for passing user data to advertisers without users’ consent. The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has made clear its intention to focus its regulatory attention on mobile apps.

So how does the GDPR impact mobile app marketing?

The increased scrutiny and enforcement of the GDPR by data protection authorities means that mobile app marketers have to take user privacy and data collection seriously. They must be 100 per cent transparent about the following:

  • What data does the app collect?
  • How is the data collected, stored and processed?
  • What purposes are the data used for?
  • How can consumers opt out of data collection (or withdraw consent later on)?

The GDPR stipulates that it must be as easy for a consumer to refuse consent, or to withdraw it in the future, as it was for them to give it. But rather than seeing all this as a negative thing, app marketers should see it as a positive. It presents them with an opportunity to gain the trust of their users by being completely open with them about the data they want to collect, their reasons for doing so, and the value exchange.

The ways in which data is collected are also important. If you want to make your app GDPR-compliant, there must not be any pre-filled information. App marketers cannot assume, for example, that the user self-identifies as a man or a woman, even if they know their name. Consent for data use cannot be pre-checked by default, either. Actions like these are called “nudges” or “dark patterns”; they are frowned upon and illegal in some jurisdictions. Consumers must be free to populate all fields in any form they are asked to complete within the app, without the app pre-populating any fields on their behalf.

App marketers must respect user privacy at all stages of the app lifecycle, especially when they are in the process of building the app. This is called “privacy by design”. At this stage, the app developer has a blank canvas to work with and can make sure that the design of the app, including any instances of data collection, respects the user’s privacy. When it comes to the GDPR and app permissions, if you take this to the extreme in the most user-centric way possible, you can incorporate privacy settings that enable a user to see, to a granular degree, what data is collected for many purpose categories, for example App Performance and Analytics, Messaging, Personalization, Functional, or Essential. Within each of these, the app user can access all the instances of data collection that the app would like to invoke and switch each one off or on.

By giving the user this granular ability to opt in or out of multiple data collection instances, you will gain their trust, and this will help the bottom line. According to a 2022 study by Google and Ipsos, providing a positive privacy experience can increase your app’s brand preference by 43%. The same study also found that users are twice as willing to share their personal data with a brand they trust.

It’s a virtuous circle: be open and honest with your users about what data you want to collect and why. This will help gain their trust so that they are more willing to share their personal data with you, and more likely to become long-term customers. Having access to this data will then enable you to continue to run remarketing and re-engagement campaigns. It will also enable you to attribute installs accurately to a particular campaign and to build predictive models that underpin a strong user acquisition strategy, supported by whatever mobile analytics tools you rely on.

How a consent management SDK can help with privacy compliance

You know why your app needs to be GDPR-compliant, so how do you achieve that? Here, many app marketers have found that a good consent management SDK can help. It can be easily integrated with your app to automate all data privacy compliance tasks, freeing up the app marketer’s time to focus on the business of developing and optimizing great user experiences.

Figure: Consent management SDK (Source: Usercentrics)

The Usercentrics Consent Management SDK is designed to address complex compliance issues automatically, so your app can continue to thrive. It uses industry-leading technology that balances data privacy with the app marketer’s desire to grow their app business. With support for iOS, Android, Flutter, React Native and Unity, the Usercentrics SDK offers a flexible approach to solving data privacy compliance for mobile apps and can be integrated into your app in less than an hour. Seamlessly integrate consent requests into the overall app experience, leveraging features such as our lean banners that reduce the visual impact of a consent banner while enabling you to achieve privacy compliance.


App GDPR compliance should not be seen as a nice-to-have or something to look at when all other boxes have been ticked. It should be the first item on the app developers’ to-do list when they start working on the wireframes of the app.

Studies of the mobile app economy show that CRM and lifecycle tactics are becoming more important than ever, which will require an increased focus on user retention and remarketing campaigns, for which user data is vital. Several recent studies clearly show that consent is key to user acquisition and retention, yet many apps fail to see this as an opportunity to build customer trust, avoid large fines, and grow their app business by being compliant with data privacy regulations.

In other words, consent is becoming a clear competitive advantage, and those who evolve first and draw up better data strategies for their companies will profit in the long run. The internet economy is moving towards end-user consent, as evidenced by Google’s introduction of Google Consent Mode, and server-side tagging as a response to the widespread deprecation of third-party cookies.

Having a functional consent solution that enables full compliance for your app is likely to result in higher acceptance rates from users, which means more consent and more high-quality data. It’s time for a change of perspective. Consent is not an obstacle to a thriving app business; it’s a necessity and a great opportunity for app marketers to get ahead of the game.