On September 24, following a public consultation, the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), published its recommendations for the mobile application market players. The objective behind these new recommendations is to remind industry actors of the principles laid down by the legal texts and to assist them in designing applications that respect users' data protection and privacy.
Along with the recommendations, the CNIL announced an enforcement campaign set to begin in the spring, underlining the importance of understanding these new guidelines, assessing your company's level of exposure, and determining the appropriate next steps.
I'm Sébastien Gantou, external DPO at Didomi, moderator of expert working groups on data protection, and CEO of the company Digital DPO. I use my expertise, skills, and know-how to serve my network and clients, particularly in the media and online advertising sectors. I frequently participate in EDPB or CNIL prior consultations on these topics.
In this article, after carefully analyzing the 98 (!) pages of the CNIL's recent recommendations, I highlight the main points to remember to understand what's coming next.
TL;DR: The CNIL has drawn up a compliance policy for each category of player, detailing the obligations, advice, and best practices it expects to see in place.
To achieve this, it specifies the scope of the processing operations in which each party is involved, identifies the measures that will enable them to comply with the regulations, and ensures others do the same as part of a “privacy by design” approach—sometimes going into a level of detail that will create strong constraints in terms of compliance for the future.
Players will have to clarify their roles and define their relationships, ensure that users are better informed (particularly regarding the permissions requested), and confirm that consent is freely given and informed. On this last point, the recommendation particularly targets processing activities for advertising or the use of application data for subsequent advertising or behavioral targeting. In-app CMPs are thus officially confirmed, if confirmation was even needed, as a tool for obtaining and retaining proof of regulatory compliance. Enjoy your reading.
The CNIL recommendations regarding mobile applications in brief
The CNIL initiated this recommendations project in 2023, issuing a call for contributions to players in the mobile app ecosystem, a summary of which the organization subsequently shared. After public consultation, the CNIL finally published its final recommendations last September.
The document’s size and density may make it challenging for many companies to summarize and/or digest. Here, and over several upcoming events, we'll highlight the most important elements and identify practical advice before sharing our interpretation.
Why is this important for CNIL?
Today, mobile applications play a central role in the digital lives of French consumers, whether for communication, entertainment, navigation, or shopping. In 2023, users downloaded an average of 30 apps and spent 3 hours 30 minutes daily on their phones (source: data.ai).
Apps access sensitive information such as real-time location, photos, or health data, often requiring numerous permissions (microphone, contacts, etc.). Furthermore, several players are involved in an application's operation, increasing the risks of personal data being collected or shared.
In its recommendations, the CNIL reiterates the importance of designing privacy-friendly applications and stresses that “mobile environments present more risks than the web for data privacy and security.”
The president of the CNIL recently reaffirmed this concern during a speech to online content publishers (GESTE).
What is the legal scope?
The CNIL aims to develop recommendations for better GDPR compliance. Let's remember that the recommendation has a broad scope. It complements the CNIL's 2020 guidelines on “Cookies and other trackers.” It therefore does not target only media, retailers, and the digital advertising sector, but also service applications, gaming applications, and social networks.
Published on Légifrance, the advice and best practices constitute, despite what some may say, a foundational set of provisions that the authority expects to find in place during inspections starting next year. Publication is an act of soft law.
This doctrine is also aligned with the EDPB's work on the conditions of application of Article 5(3) of the ePrivacy Directive (a consultation at the European level will also open in 2024).
Who is affected by the recommendations?
The recommendations cover all those involved in developing and delivering mobile applications. The result is a document that is sometimes very (perhaps too?) detailed but which addresses:
- Publishers, who make mobile apps available to users.
- Developers, who write the computer code for the mobile app.
- SDK providers, who develop features integrated by developers.
- Operating system providers, who provide the environment in which mobile apps run.
- Application store providers, who provide the download platforms.
What are the CNIL's objectives with this recommendation?
The three objectives, as stated by the supervising authority, are:
- Clarify and define the role of each player
- Improve user information on the use of their data
- Ensure that consent is informed and freely given
In line with the GDPR, the user is placed at the center of complete and transparent information, so that optional consent can be collected for processing that is not strictly necessary for the subscribed services, all within a clarified ecosystem. This need was also highlighted by some professional app publishers, who feel they lack sufficient information during initial negotiations, or flexibility in implementing specific SDKs.
Let's look at each objective in detail.
Clarifying and framing the role of each player
The CNIL's analysis of the subject appears to be thorough and well-supported. After identifying the players and their roles, it qualifies them under the GDPR with concrete use cases. The data protection authority thus defines a matrix for determining and sharing responsibilities among players in the mobile ecosystem. Throughout the recommendations, the consequences of this initial analysis follow, specifying the respective obligations of the parties to provide legal certainty for professionals. Most of these obligations are to be formalized in contractual legal instruments or in information to be provided prior to the implementation of processing operations.
I note that the CNIL sets forth the level of compliance and diligence expected in its recommendations. Published in detail on Légifrance, they will likely guide future enforcement and the DPA's 2025 agenda.
Improve user information on the use of their data
This has now become a routine exercise as part of the progressive implementation of its GDPR doctrine: the CNIL recommends improving user information on how their data is used.
The process includes three main steps. The first is to organize the information as a record of processing activities. This information should then be presented in clear, accessible privacy notices and policies, displayed at the appropriate moments in the mobile app. Finally, the last step is to ensure that the information is updated ahead of any changes and, if necessary, that new consent is requested.
At this stage, there are two main points to note.
Firstly, the CNIL no longer mentions the “Continue without agreeing” option, which was established in the 2020 “Cookies and trackers” recommendations and has since been adopted by many websites and apps. Secondly, permissions are particularly highlighted, and a legal framework for accepting technical features is now formalized. This clarification specifies the distinction between technical permissions and consent, especially when the two may conflict. The CNIL does not explain how a publisher could obtain feedback from the OS in order to enforce user choices through a settings reset, but this issue will likely come up in the coming months.
On this topic, the CNIL intends for this information to help users understand whether the requested permissions are truly necessary for the app’s functionality.
The CNIL clarifies its expectation: decisions made and the reasons behind them must be documented.
Ensuring that consent is informed and not coerced (freely given)
This is nothing new for Didomi’s clients, but it serves as a reminder for those who have yet to implement a CMP in their mobile applications. The CNIL emphasizes the obligation to obtain consent for processing data that is not necessary for the functioning of apps, such as for advertising purposes (again highlighted due to the volume of data and number of parties involved).
Unsurprisingly, the requirements for valid consent and the imperative to implement a CMP for online advertising are reaffirmed. This means recording whether or not each user has consented and retaining proof of the consent's validity. Here, I’ll reiterate the principles of consent that are at the core of Didomi’s CMP: consent must be informed, freely given, specific, unambiguous, as easy to withdraw as it is to give, and demonstrable both in its expression and in the conditions that validate it.
Is all data processed in an application affected?
No, and it’s important to clarify this: the data processing in question covers activities subject to the General Data Protection Regulation (GDPR) or the ePrivacy Directive. Therefore, data processing that occurs solely on the user’s device, without external access, and only at the user’s request is not covered by the CNIL’s recommendation.
Highlights of the main impacts
Application publishers will need to create enhanced internal documentation (specific records of processing, information notices, privacy policies, contracts, and qualification justifications) and establish procedures (data processing governance, coordination of permissions, management of updates, and impact analysis updates).
This will lead them to perform due diligence (records of processing, questionnaires, and information gathering from SDK providers) and to strengthen the contracting process when selecting vendors, thereby placing greater responsibility on developers. It also requires tracking the instructions given to developers and the commitments made by SDK providers regarding the processing chain and compliance with data subject access requests.
My interpretation: What should we expect from this recommendation?
Some publishers in the sector were expecting these recommendations to establish the conditions for better legal certainty between players.
Due to the document's complexity and high level of detail, there’s a risk of misinterpretation, making it essential for DPOs to engage at the right level. Now, it’s all about implementation. This perspective is echoed by Thomas Adhumeau, Chief Privacy Officer at Didomi, who shared this insight during a talk for Mind Media:
“The project is very detailed. But paradoxically, the more we move away from generality, the greater the risk of incompleteness, potentially leading to misunderstandings.”
- Thomas Adhumeau, Chief Privacy Officer at Didomi (source: Mind Media)
We anticipate that key players will mobilize, primarily mass media and large e-commerce companies, supported by ad tech companies working in targeted advertising in France, as well as several businesses and sectors currently under CNIL review, based on the authority’s 2023 priorities.
The CNIL plans to include mobile applications in its targeted action scheduled for 2025, which will involve a wave of sector-specific inspections and enforcement.
Gradually, through the pressure of inspections, the influence of major stakeholders, and the work of DPOs, these recommendations will spread, impacting discussions on the contractual frameworks governing services among players.
I note four main limitations at this stage:
- The document is in French, while many stakeholders, especially SDK providers, agencies, and SSPs, are predominantly US-based or work in English.
- The scope is national, despite the CNIL’s leadership on innovative technical processing within the EDPB. The absence of progress on a new ePrivacy regulation, and the fact that not all national authorities oversee ePrivacy processing, will be barriers.
- Significant emphasis is placed on developers, who are often freelancers with limited means to train, which potentially poses a risk for publishers.
- As a DPO of major publishers, I regret the lack of a mechanism allowing application publishers to bring users back to their settings choices after a clear and transparent information update. Such an update might lead users to make different choices from those initially set in their device’s general settings.
In practice, what concrete actions should concerned companies take?
Steps for compliance to be scheduled over the next 6 months
Here are six steps to implement if you are affected by these new recommendations to achieve compliance:
How will Didomi support its clients by next March?
As an SDK provider, Didomi will support its clients in documenting their processing activities related to collecting and storing user choices in the CMP.
As your compliance partner, Didomi provides access to its customer support teams to answer your questions or guide you to experts who can help address your challenges.
And don’t forget the upcoming Didomi Breakfast at the end of November, which will help guide French clients in the best direction for the coming year. Stay tuned.