What Is GDPR?
The General Data Protection Regulation (GDPR) is the European Union's data protection law, in force since May 25, 2018. It governs how personal data of individuals in the EU and the wider European Economic Area (EEA) may be collected, stored, processed, and deleted.
GDPR applies regardless of where your company is based if you offer the app to users in the EU/EEA or monitor their behaviour there (Article 3(2)); a store listing available to EU users plus an analytics SDK that tracks them is enough. Fines for the most serious infringements can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Why GDPR Matters for Mobile Apps
Mobile apps collect large amounts of personal data, and the definition is broad: any information relating to an identified or identifiable person, including online identifiers. All of the following qualify as personal data:
- Advertising IDs (IDFA, GAID)
- IP addresses
- Analytics data tied to a device or user
- Push notification tokens linked to a user
- Location data, even approximate
Lawful Bases for Processing
GDPR requires a legal basis before processing personal data. The six lawful bases are:
| Basis | Common Use |
|---|---|
| Consent | User explicitly opts in to tracking |
| Contract | Processing needed to deliver the service |
| Legal obligation | Required by law (tax records) |
| Vital interests | Protecting someone's life |
| Public interest | Government tasks |
| Legitimate interest | Business need balanced against user rights |
For most mobile apps, consent and contract are primary. Consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes do not count.
Implementing Consent
A compliant consent flow includes:
- A clear consent screen on first launch, shown before any tracking SDK is initialised
- Granular opt-in options for analytics, advertising, and third-party sharing, each defaulting to off
- Withdrawal of consent at any time, as easy as giving it, from a place the user can find (app settings)
- No gating of core functionality on consent: the app must keep working for users who decline tracking, because consent tied to processing the service does not actually need is not freely given (Article 7(4))
- A record of each consent decision (which purposes, the version of the notice shown, a server-side timestamp) kept server-side so you can demonstrate consent later (Article 7(1))
On iOS, the App Tracking Transparency (ATT) choice is a platform permission, not GDPR consent, and an ATT "Allow" alone does not document GDPR consent; present your own consent screen first and then request ATT authorisation. On Android there is no system prompt, so show your consent screen before initialising any data-collecting SDK, and keep collection disabled (most SDKs offer a flag for this) until a consent record exists.
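The server-side consent record described above, as an added example that is not code from the original page: an append-only ledger that stores each decision per purpose with the notice version and a server timestamp, supports withdrawal, and answers the only question the client should ask before initialising an SDK, "may I start this one for this user now?". The purpose names, notice version strings and the SDK-to-purpose mapping are assumptions for illustration.

```python
"""Added example (not from the original page): a server-side consent ledger
for a mobile app backend. Purpose names, notice versions and the
SDK-to-purpose mapping are illustrative assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed granular purposes a user can opt in to, one switch each.
PURPOSES = ("analytics", "advertising", "third_party_sharing")

# Hypothetical mapping: which consent purpose each SDK needs before it may be
# initialised. None means the SDK runs on a non-consent basis (e.g. crash
# reporting needed to deliver the service) and never waits for consent.
SDK_REQUIRES = {
    "crash_reporting": None,
    "analytics_sdk": "analytics",
    "ad_sdk": "advertising",
}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool
    notice_version: str    # version of the consent text the user actually saw
    recorded_at: datetime  # server clock in UTC; device clocks are untrusted


class ConsentLedger:
    """Append-only log of consent decisions. Nothing is ever overwritten, so
    the history itself is the evidence that consent was obtained."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, user_id: str, decisions: dict[str, bool],
               notice_version: str, now: Optional[datetime] = None) -> None:
        """Log one decision per purpose; reject purposes the notice never described."""
        unknown = set(decisions) - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        now = now or datetime.now(timezone.utc)
        for purpose, granted in decisions.items():
            self._events.append(
                ConsentEvent(user_id, purpose, bool(granted), notice_version, now))

    def withdraw(self, user_id: str, notice_version: str,
                 purpose: Optional[str] = None,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal must be as easy as giving consent: one call, all purposes
        by default, logged with the same detail as the grant."""
        purposes = PURPOSES if purpose is None else (purpose,)
        self.record(user_id, {p: False for p in purposes}, notice_version, now)

    def _latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        latest = None
        for ev in self._events:  # list order is chronological, so last wins
            if ev.user_id == user_id and ev.purpose == purpose:
                latest = ev
        return latest

    def current(self, user_id: str) -> dict[str, bool]:
        """Latest decision per purpose. A purpose never decided on is False:
        consent is opt-in, so the absence of a record is not consent."""
        state = {}
        for p in PURPOSES:
            ev = self._latest(user_id, p)
            state[p] = bool(ev and ev.granted)
        return state

    def has_consent(self, user_id: str, purpose: str, current_version: str) -> bool:
        """True only if the latest decision is a grant made under the notice
        version now in force. Assumed policy: any notice change means the
        client must re-prompt before the purpose is active again."""
        ev = self._latest(user_id, purpose)
        return bool(ev and ev.granted and ev.notice_version == current_version)

    def allowed_sdks(self, user_id: str, current_version: str) -> list[str]:
        """SDKs the client may initialise for this user right now."""
        return [sdk for sdk, need in SDK_REQUIRES.items()
                if need is None or self.has_consent(user_id, need, current_version)]

    def evidence(self, user_id: str) -> list[dict]:
        """Machine-readable record of every decision, for a supervisory
        authority or for the user's own access request."""
        return [{"purpose": ev.purpose, "granted": ev.granted,
                 "notice_version": ev.notice_version,
                 "recorded_at": ev.recorded_at.isoformat()}
                for ev in self._events if ev.user_id == user_id]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("user-42", {"analytics": True, "advertising": False}, "2024-01")
    print(ledger.allowed_sdks("user-42", "2024-01"))  # ['crash_reporting', 'analytics_sdk']
    ledger.withdraw("user-42", "2024-01")
    print(ledger.allowed_sdks("user-42", "2024-01"))  # ['crash_reporting']
```

The client asks `allowed_sdks` on every launch rather than caching a boolean, so a withdrawal made on one device, or a notice version bump, takes effect everywhere on the next start. Keeping the ledger append-only also means an erasure request for the user's profile can leave the consent history intact for the period you need to prove consent was obtained, as a separate retention decision from the profile data itself.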
User Rights
Your app must support these rights:
- Access - Users can request a copy of all their data
- Rectification - Users can correct inaccurate data
- Erasure - Users can request deletion
- Portability - Users can export data in a machine-readable format
- Restrict processing - Users can limit how data is used
- Object - Users can object to processing based on legitimate interest
Build "Download My Data" and "Delete My Account" features into your app settings. Deletion has to propagate to the processors you share data with (analytics, crash reporting, ad networks), not just your own database, and the export should cover the data those processors hold for the user as well.
Privacy by Design
GDPR requires privacy to be built in from the start:
- Data minimization - Only collect what you need
- Purpose limitation - Use data only for stated purposes
- Storage limitation - Delete data when no longer needed
- Encryption - Protect data at rest and in transit
Data Processing Agreements
If you use third-party services (analytics, crash reporting, ad networks), you need a signed Data Processing Agreement with each one. Firebase, AWS, Mixpanel, and Amplitude all provide standard DPAs. Sign them before going live.
Cross-Border Transfers
Transferring EU user data outside the EEA requires a recognised safeguard (Chapter V of the GDPR): an adequacy decision for the destination (for certified US companies, the EU-US Data Privacy Framework), Standard Contractual Clauses, or Binding Corporate Rules. Check where each third-party SDK sends its data, since a US-hosted analytics backend is a transfer even if your own servers are in the EU.
Compliance Checklist
- Display consent prompt before collecting personal data
- Provide granular consent options
- Implement account deletion and data export
- Publish a clear, accessible privacy policy
- Sign DPAs with all third-party data processors
- Encrypt personal data in transit and at rest
- Respond to data subject requests within one month (extendable by two further months for complex or numerous requests, provided you tell the user within the first month)