European Regulators Issue Opinion on Mobile Apps

by Wilson Sonsini Goodrich & Rosati

On March 14, 2013, the European data protection regulators (the Article 29 Working Party, or WP) issued a 30-page opinion addressing how mobile apps should comply with EU data protection law (the Opinion). The main focus of the Opinion is on app developers, but it also describes the obligations of other parties involved in the development and distribution of apps, such as app stores, operating system and device manufacturers, and third-party advertising providers.

While the WP opinions are not binding, they give a clear indication of how data protection authorities in the EU (DPAs) would interpret their national laws and therefore should be taken into account when developing new apps targeted at EU individuals. According to the Opinion, the use of apps entails a number of risks such as a lack of transparency and awareness with regard to the type of processing an app may undertake, a lack of meaningful consent from individuals, poor data security measures, and a high degree of fragmentation among the various players in the app ecosystem.1 To address these risks, the WP provides a number of recommendations that we have summarized below.

1. EU Data Protection Law Applies to Any App Targeted at EU Users

The WP takes the view that EU data protection law applies not only to entities with an establishment in the EU processing personal data via an app, but also to any entity located outside the EU collecting personal data of individuals located in the EU via an app, regardless of the location of the app developer or the app store. According to the WP, targeting users within the EU and collecting personal data via an app is sufficient to trigger the application of the whole set of EU data protection requirements.

Under EU data protection law, the concept of "personal data" is interpreted extremely broadly. In the app context, this includes location, contacts, unique device identifier (e.g., IMEI, IMSI, UDID, and mobile phone numbers), identity of the user of the phone, credit card and payment data, SMS, browsing history, email, social-network authentication credentials, pictures, videos, and biometrics.

In addition, the cookies consent requirements of the EU e-Privacy Directive apply to any entity that reads or accesses information on mobile devices of users located in the EU, wherever their location may be.

2. Roles and Responsibilities of Players in the App Ecosystem

The Opinion identifies the various players involved in the app ecosystem and defines their roles and responsibilities.

  • App developers: App developers are the main players responsible for compliance with EU data protection law since they decide to what extent the app will access and process the several categories of personal data in the device and/or through remote computing resources (e.g., the app requires access to the entire address book to deliver the service). They therefore are considered to be data controllers and should comply with the whole set of requirements of EU data protection law. Unfortunately, no consideration is given to situations where app developers only develop an app that is then used by a corporation for its own purpose.
  • Operating system (OS) and device manufacturers: In some cases, the OS or device manufacturers also can be considered to be data controllers subject to EU data protection law. For example, when an app uses location data, the OS may collect this data to provide it to the app, and also may consider using the data to improve its own location services. In addition, OS and device manufacturers play a key role in implementing the principles of "privacy by design" and "privacy by default."
  • App stores: App stores also may process personal data as data controllers and thus be subject to EU data protection law. For example, an app store typically collects record log-in credentials, the history of previously purchased apps, and user credit-card numbers. According to the WP, app stores must implement checks and procedures to ensure that every app targeted at EU individuals complies with the main EU data protection principles. For instance, the app store should check the hyperlinks to privacy notices posted on the apps and remove those with broken links or otherwise inaccessible information.
  • Third-party advertising and analytics: Third parties may execute operations on behalf of the app developer (e.g., provide analytics) and thus be considered to be data processors. Third parties also may collect information across apps to supply additional services of their own (e.g., provide personalized recommendations) and thus be data controllers directly subject to EU data protection law. When online behavioral advertising (OBA) is conducted, companies must comply with the e-Privacy consent requirement—in particular for the analysis and combination of data to create user profiles and for accessing or storing information on user devices.

3. User Consent as a Cornerstone of App Compliance

According to the WP, the principal legal basis for processing personal data in the context of apps is consent. However, consent must meet a number of requirements to comply with EU data protection law. In particular, it must be:

  • Freely given: Users must have the choice to accept or refuse the processing of their personal data and should not be confronted with a screen containing a single "Yes I accept" option in order to finish the installation. Instead, an option to cancel or otherwise halt the installation must be available.
  • Specific: In line with a recent U.S. Federal Trade Commission (FTC) report,2 the WP endorses granular consents for each type of data that the app intends to access. Therefore, agreeing to a lengthy privacy policy does not constitute specific consent. For example, the user's consent to process geolocation data should not allow the app to continuously collect location data from the device without additional information and separate consent. Tracking by default must be avoided to allow users to give specific consent to this specific processing. Similarly, consent for accessing the user's contact list should not be extended to the entire address book, including contact details of non-users of the app who cannot have consented to the processing of their data.
  • Informed: To obtain meaningful consent, users must be provided with the information necessary to form an accurate judgment. In most cases, such information should be provided prior to the app installation.

Furthermore, users have the right to withdraw their consent at any time and should be provided with the ability to do so in a simple way (e.g., via an option to uninstall the app and have all data deleted).

4. Additional Guidelines for App Developers

In addition to the consent requirement described above, the WP provides comprehensive guidance on how to comply with the EU data protection principles. It emphasizes the concept of privacy by design (e.g., app developers should take this guidance into account at an early stage) and encourages the various players in the app ecosystem to work together to ensure compliance during the app's entire lifecycle. We have listed below some of the main learnings from the Opinion.

  • Data minimization and purpose limitation: App developers must only collect and process the data that is strictly necessary to perform the app functionalities. A sudden change of purpose after the data collection or the intent to process data in a new way (e.g., merging data from different apps) would require additional consent. In addition, obtaining consent from users does not give "carte blanche" to the data controller and does not justify data processing that is excessive or disproportionate to the service (e.g., alarm clock app with verbal "snooze" features performs recordings while alarm is not sounding).
  • Notice: Special emphasis is given to the obligation to inform individuals. Notice should be presented directly on screen and be easily available, comprehensible, and highly visible. Small screens are not an excuse for non-compliance. The WP advocates the use of layered notices, where the initial notice to the user contains the minimum information required by the EU legal framework, and further information is available through links to the complete privacy policy. It also advocates the use of icons, images, video and audio, and contextual real-time notification (e.g., warning pop-up boxes) when an app accesses certain personal data (e.g., address book or photos). Importantly, the WP requires data controllers to provide information on the exact third parties with whom data is shared, including those used for advertising and/or analytic purposes. In line with the FTC, the WP strongly recommends consumer testing of information strategies.3
  • Security measures: According to the WP, the involvement of various actors in the app ecosystem can lead to weak security measures and consequently to unauthorized processing and data breaches.4 All players thus should implement the "privacy by design and by default" principles in the various stages of the app's lifecycle. The WP describes in detail what it considers to be good security practices.
  • Users' rights: Apps must clearly and visibly inform users about their rights, in particular about the existence of access and correction mechanisms, through secure online access tools that should be available within the app or by a link to an online feature. Users also should be provided with the possibility to withdraw their consent in a simple and non-burdensome manner.
  • Retention periods: Personal data only may be retained for a pre-defined and reasonable period of time. In addition, app developers should pre-define a period of inactivity upon expiration of which the app should alert the user and, in the case of non-responsiveness, have the data deleted or irreversibly anonymized.
  • Children protection: The WP shares the concerns expressed by the FTC in its Staff Report on mobile apps for kids5 and emphasizes the need for fair processing of children's data within apps. Apps for minors should pay attention to the age limit defined under national legislation, the requirement of parental consent, and data-minimization and purpose-limitation principles. Children's data should not be used for behavioral advertising purposes, directly or indirectly, as this will be outside the scope of a child's understanding. Information directed to children should be presented in age-specific language.

5. Increased Global Scrutiny

The Opinion follows a trend of increased scrutiny of the mobile app ecosystem by both EU and U.S. regulators. Just last month, the FTC issued a report on mobile privacy disclosures containing recommendations for app platforms, operating system providers, app developers, ad networks, and other third parties on how to improve privacy disclosures for consumers using mobile devices.6 The FTC also released two reports last year that surveyed mobile apps for children and criticized current disclosure practices. The FTC has stepped up enforcement in the mobile space as well, recently entering into consent decrees with handset manufacturer HTC over alleged security concerns and mobile developer Path over alleged privacy misrepresentations and the collection of children's personal information.7 The FTC's demonstrated interest in mobile privacy and security, along with the WP's issuance of the Opinion, shows that entities in the mobile app ecosystem need to be aware of the increased scrutiny they may face both at home and abroad.


Mobile apps are definitely on the radar of EU regulators. According to the Opinion, every entity involved in the app ecosystem and targeting EU individuals is subject to the whole set of EU data protection obligations, regardless of location. Although one can argue over some of the Opinion's points, it is clear that it demonstrates the interest of EU regulators in the mobile app field and gives a good indication of how EU regulators would apply EU data protection principles in a particular case. Therefore, mobile app providers targeting EU individuals should review their practices in light of EU data protection law and assess how they can comply with those requirements.

Wilson Sonsini Goodrich & Rosati's privacy and data security practice routinely advises clients on privacy and data security matters, including compliance with EU privacy or data protection legislation. The firm also regularly assists companies with all legal aspects associated with the collection, use, and disclosure of consumer data. For more information on our privacy and data security practice, please click here. For additional information, please contact Christopher Kuner at or +32 2 274 57 20, Cédric Burton at or +32 2 274 57 22, Anna Pateraki at or +32 2 274 57 21, or Edward Holman at or +1 202 973 8804.

1 Article 29 Working Party Opinion 02/2013 on apps on smart devices, adopted on February 27, 2013,

2 The Working Party Opinion refers to the FTC's February 2013 Staff Report on Mobile Privacy Disclosures, titled "Building Trust Through Transparency," which is available at

3 The FTC's February 2013 Staff Report titled "Mobile Privacy Disclosures: Building Trust Through Transparency" is available at

4 For more information on the current status of EU data breach notification requirements, please see

5 The FTC's February 2012 Staff Report titled "Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing" is available at

6 For more information on the FTC's Mobile Privacy Disclosures report, please see

7 Please see our WSGR Alert discussing the FTC's recent settlement with mobile app developer Path at

Written by:

Wilson Sonsini Goodrich & Rosati

Wilson Sonsini Goodrich & Rosati on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.