CNIL publishes privacy recommendations for mobile apps
French data protection authority outlines clearer responsibilities for all app stakeholders.

On May 13, 2025, just five days ago, the French Data Protection Authority (CNIL) published its final recommendations aimed at improving privacy protection in mobile applications. The comprehensive guidelines, backed by a dedicated investigation campaign the CNIL plans to launch in early spring 2025, clarify the roles and responsibilities of the different stakeholders in the mobile application ecosystem and provide practical advice for GDPR compliance.
Get the PPC Land newsletter ✉️ for more like this
The CNIL's recommendations come at a time when French citizens increasingly rely on mobile applications in their daily lives. According to data cited in the document, French users downloaded an average of 30 applications in 2023 and spent approximately 3 hours and 30 minutes daily on their mobile phones.
The French authority identified several key privacy risks specific to the mobile environment compared to traditional web applications. Mobile apps can access more varied and potentially sensitive data, including real-time location, photographs, and health information. Additionally, the permissions required from users are often extensive, covering access to microphones, contact lists, and other personal information.
Another concern highlighted by the CNIL is the complexity of the mobile application ecosystem, where multiple stakeholders may process, collect, or share personal data within a single application.
Targeted recommendations for specific stakeholders
The CNIL's recommendations specifically address five key stakeholders in the mobile application ecosystem:
- Application publishers - entities that make mobile applications available to users
- Application developers - those who write the computer code that comprises mobile applications
- Software Development Kit (SDK) providers - entities that develop ready-to-use functionalities integrated into mobile applications
- Operating system providers - companies that provide the operating systems (like iOS or Android)
- Application store providers - platforms that allow users to download applications
For each stakeholder, the CNIL provides specific guidance on their responsibilities and best practices for ensuring compliance with data protection regulations.
Key recommendations and obligations
The recommendations outline three primary objectives:
1. Clarifying stakeholder roles
The CNIL aims to provide legal certainty by specifying the division of responsibilities between different actors in the mobile ecosystem. According to the recommendation, "Each stakeholder must determine its qualification in the light of its actual role for each processing of personal data, following the criteria defined by the EDPB."
This includes determining whether each entity acts as a data controller, joint controller, or processor for specific data processing activities. The CNIL emphasizes that stakeholders "must be able to explain the classification adopted, specifying the reasons which led to the choice of that classification."
2. Improving user information
The guidelines stress the importance of clear, accessible information about data processing. According to the CNIL, application publishers must ensure that privacy policies are "easily accessible before any processing is implemented, directly from the application."
The authority also recommends making privacy policies available before downloading the application, for example on the publisher's website or on the application store page.
3. Ensuring informed and non-forced consent
The CNIL's recommendations place significant emphasis on ensuring valid consent is obtained for data processing operations. According to the document, "Internet users must be informed and give their consent prior to these storage or gaining of access to information stored in the terminal operations, unless these actions are strictly necessary."
The authority clarifies that consent must be freely given, specific, informed, and unambiguous, and that users must be able to refuse or withdraw consent as easily as they can give it.
System permissions and privacy by design
A notable aspect of the recommendations is the focus on system permissions, which the CNIL describes as being "at the heart of user protection." According to the document, permissions provide "a technical guarantee that applications respect the confidentiality of information and are a direct means for individuals to preserve their privacy."
The CNIL has refined its approach to focus specifically on "technical" permissions, which are designed to grant or block access to certain protected resources, regardless of the purposes for which access is requested.
The recommendations provide detailed guidance on how permissions should be implemented, encouraging operating system providers to:
- Apply access permissions to terminal sensors, functionalities, and storage
- Require user permission for all these elements
- Provide different levels of precision for data access
- Allow permissions to be granted on an ad-hoc basis rather than permanently
- Enable users to revoke permissions for unused applications
Balancing data protection with competition law
An important aspect of the CNIL's work on these recommendations was its collaboration with the French Competition Authority (Autorité de la concurrence or ADLC). For the first time, the CNIL formally referred the matter to the ADLC, recognizing the growing interaction between personal data protection and competition law.
The recommendations explicitly state that they "must be applied in compliance with competition law and the Digital Market Act (DMA)." For example, the document specifies that permission systems "must not lead to favouring applications that the OS provider has designed or pre-installed" and "should not be designed to prevent publishers from accessing relevant data but to ensure that people can have control over their data."
Enforcement timeline
The CNIL has outlined a clear timeline for the implementation and enforcement of these recommendations:
- In the coming months, the authority will provide support to industry through webinars to help stakeholders implement necessary measures
- From early spring 2025, the CNIL will deploy a specific investigation campaign on mobile applications to ensure compliance
- In the meantime, the CNIL will continue to handle complaints, conduct necessary investigations, and adopt corrective measures as needed
These enforcement actions will complement investigations already conducted by the CNIL, notably as part of its 2023 investigation priorities on applications that track users without consent.
Implications for marketers and advertisers
The CNIL's recommendations have significant implications for the marketing and advertising industry, particularly regarding the collection and use of data for targeted advertising purposes.
The document specifically addresses advertising IDs, which it describes as "digital identifiers... generated and associated with a terminal by the operating system" that allow "the identification of a single user by different applications." According to the CNIL, these identifiers are particularly used for advertising targeting.
Under the recommendations, using such identifiers to track and profile users requires valid consent, obtained before any data is collected. The recommendations also recall the prohibition, under Article 26 of the Digital Services Act, of "any categorisation or creation of segments on the basis of sensitive data for the purposes of advertising profiling."
This means marketers will need to ensure their mobile advertising strategies comply with these stricter consent requirements and avoid using sensitive personal data for targeting purposes.
Balancing innovation with privacy protection
The CNIL's recommendations represent a significant step toward establishing clearer rules for privacy protection in the mobile ecosystem while attempting to balance these protections with the need for innovation and competition.
By providing specific guidance for different stakeholders and distinguishing between obligations, recommendations, and best practices, the CNIL aims to create a more transparent and privacy-friendly mobile environment without unduly hampering technological development.
As mobile applications continue to play an increasingly important role in consumers' daily lives, these guidelines offer a framework for ensuring that privacy considerations are integrated into the design and operation of mobile services from the outset.
Timeline
- July 2023: CNIL publishes draft recommendations and opens public consultation
- December 4, 2023: French Competition Authority (ADLC) delivers its opinion on the draft recommendations
- December 2023: CNIL and ADLC sign a joint declaration committing to develop synergies between their regulatory missions
- May 13, 2025: CNIL publishes final version of recommendations for mobile applications
- Coming months: CNIL to provide support to industry through webinars
- Early spring 2025: CNIL to deploy investigation campaign on mobile applications