Mobile applications: CNIL publishes its recommendations for better privacy protection

24 September 2024

Following a public consultation, the CNIL has published the final version of its recommendations to help professionals design mobile applications that respect privacy. Starting from 2025 onwards, it will ensure that these recommendations are taken into account through enforcement actions.

French citizens increasingly use mobile applications in their daily life, whether to communicate, play, find their way around, shop, meet new people, monitor their health... In 2023, for example, they downloaded 30 applications on average and used their cell phones for an average of 3 hours 30 minutes a day (source: data.ai).

However, the mobile environment poses greater risks to data confidentiality and security than the web.

Mobile applications have access to more varied and sometimes more sensitive data, such as real-time location, photographs and health data. Moreover, the permissions required from users to access functions and data on their device are often quite extensive (microphone, contact list, etc.). Finally, many stakeholders are involved in the operation of a single application, and are therefore likely to collect or share personal data.

In its recommendations, the CNIL reiterates the principles laid down by law and offers advice to help professionals design privacy-friendly applications.

Recommendations for better GDPR compliance

Resources for all mobile application stakeholders

The CNIL recommendations are aimed at all those involved in developing and making available mobile applications, to ensure enhanced protection of personal data at every stage:

  • Mobile application publishers, who make mobile applications available to users.
  • Mobile application developers, who write the computer codes that make up a mobile application.
  • Software development kit (SDK) providers, who develop "ready-to-use" functionalities that can be directly integrated by developers into mobile applications (audience measurement, advertising targeting, etc.).
  • Operating system providers, who provide the operating systems (e.g. iOS or Android) on which mobile applications will run.
  • Application store providers, who offer platforms for downloading new applications.

The objectives of the recommendations

  1. Clarifying and framing the role of each stakeholder

The recommendations specify the division of responsibilities between stakeholders in the mobile ecosystem, and clarify their respective obligations to provide legal certainty. They also provide practical advice on how to manage their collaboration.

  2. Improving user information on the use of their data

The recommendations are aimed at improving user information on the use of their data. This information should always be clear, accessible and presented at the right time in the application.

They offer advice and best practices to stakeholders, in particular to ensure that users understand whether the permissions requested are really necessary for the application to function.

  3. Ensuring that consent is informed and not forced

The recommendations reiterate that applications must obtain consent to process data that is not necessary for their operation, e.g. for targeted advertising purposes.

They specify the conditions under which consent must be sought, and in particular that it must not be forced. Users must be able to refuse consent, or to withdraw their consent if they change their mind, as simply as they are asked to give it. Finally, the recommendations indicate how the collection of consent can be articulated with the system of technical permissions.

Read the recommendation (in French)

A follow-up of the consultation with stakeholders

Rich contributions from a variety of stakeholders

Following the example of its work on cookies, the CNIL held consultations with various stakeholders representing the mobile application ecosystem, to gain a better understanding of all the issues at stake in this complex sector. The CNIL's work was also informed by a reflection on the economic issues associated with data collection in the mobile world. The CNIL published a summary of the contributions received on its website (in French).

The draft recommendations resulting from this work were then submitted for public consultation in July 2023, to gather the opinions of all stakeholders, whether from the associative sector, the general public or professional circles.

The CNIL received contributions from various stakeholders in the mobile application ecosystem.

The opinion of the French Competition Authority, a first concrete expression of the ADLC-CNIL joint declaration

For the first time, this work led the CNIL to formally refer the matter to the French Competition Authority (Autorité de la concurrence or ADLC in French), in view of the growing interaction between personal data protection and competition law. The ADLC delivered its opinion on December 4, 2023.

The referral to the ADLC, which follows on from the joint declaration signed by the two authorities in December 2023, is the first concrete expression of the commitments made by the two institutions. They thus reaffirm their shared desire to develop and exploit the synergies in the framework of their missions as regulators, for a responsible and equitable digital industry.

New clarifications from the CNIL

The contributions received during the public consultation and the opinion of the ADLC have broadened and consolidated the recommendations, now published in their final version.

The CNIL has clarified its recommendations on several points, both in form and substance:

  • In particular, the CNIL has made a clearer distinction between what is mandatory – and applies to everyone – and what is a recommendation or best practice, in order to provide greater legal certainty.
  • It also explained the interactions between the recommendations and the consideration of competition issues. It points out that the recommendation must be applied in compliance with competition law and the Digital Markets Act (DMA).
  • Finally, the CNIL has refocused its recommendations on permissions systems, targeting so-called "technical" permissions, designed by OS suppliers, which enable the user to give or block access to certain information (contact book, geolocation, microphone, camera, etc.), regardless of the purposes for which they might be used (advertising, statistics, technical, etc.).

Next steps

Over the coming months, the CNIL will be providing support to the industry, notably through webinars. The aim is to help industry stakeholders make the most of the rules and guarantees set out in the recommendation, and implement the measures necessary to ensure that they are effectively complied with.

From early spring 2025, the CNIL will deploy a specific investigation campaign on mobile applications to ensure compliance with the applicable rules. In the meantime, the CNIL will continue to deal with any complaints it receives, carry out any investigation it deems necessary and, if necessary, adopt any corrective measures required to effectively protect the privacy of mobile application users.

This investigation campaign will complement the investigations already carried out by the CNIL, notably as part of its 2023 investigation priorities, on applications that track users for various purposes (advertising, statistics, etc.) in the absence of user consent.