GDPR compliance for mobile apps: French CNIL clarifies the difference between ‘permissions’ and ‘consent’

published on 27 January 2025 | reading time approx. 6 minutes


While GDPR compliance has increasingly been adopted on websites, with tailored privacy policies, cookie banners, and consent systems, most mobile applications are still lagging behind. Many apps fail to meet even the most basic requirements for personal data protection, such as providing clear links to privacy policies, offering accurate legal information about their publishers, or obtaining valid consent for certain processing.

This gap is particularly concerning given the growing role of mobile apps in our daily digital routines. With more users relying on apps for a wide range of services, the need for privacy protection has never been greater. Developers, especially startups and companies outside the European Union, can no longer afford to neglect the GDPR regulations. As regulators tighten their focus on online platforms and mobile apps, allocating the necessary time, budget, and resources to meet legal requirements when developing the business model for the applications has become essential.

The stakes are high. In its 2025 action plan, the French data protection authority (“CNIL”) has placed mobile apps at the forefront of its priorities, spotlighting their importance in the digital lives of citizens. To help professionals design apps that respect user privacy, the CNIL recently released important recommendations.

A key aspect of these recommendations addresses “permissions” in mobile operating systems (OS), defined as the (mere) technical mechanisms that enable users to control what data and features their apps are allowed to access. For example, users can choose whether or not to grant apps access to device sensors, such as the location services, camera, microphone and brightness sensors. Permissions also regulate access to the device memory, including files, photos, videos, audio recordings, contacts, and browsing history.

These technical permissions carry the risk that app users may confuse what they are granting access to with what they are giving their consent for. Through its recommendations, the CNIL reminds OS providers and app developers that permissions do not, except in certain specific cases, fulfill the role of obtaining users’ “consent” when data processing requires it, and provides best practices to implement.

Permissions vs. Consent collection

The CNIL recognizes the role of technical permissions in protecting user privacy. These permissions enable users to block access to specific data, ensuring that their information remains confidential. This simple yet effective mechanism gives users control over what data they share with an app publisher and helps identify excessive requests, such as a simple flashlight app asking for access to…contacts!

However, the CNIL makes a key distinction: technical “permissions” provided by OS vendors do not equate to “user consent” as defined under the GDPR and the French Data Protection Act (“Loi Informatique et Libertés”).

First, OS providers may suggest permissions to app developers in situations where user consent is not even legally required. For instance, a navigation app does not need explicit consent to access location data since it is essential to provide the service. Still, OS providers often require the app to ask for permission to access this information, which raises the question of the real purpose of these unnecessary requests for permission.

Second, and this is where the CNIL's recommendations bring valuable clarity: even when user consent is legally required, a simple technical permission request does not always meet the GDPR's requirements for freely given, informed, and unambiguous consent. 

The CNIL notes that a technical permission request is sufficient only in limited cases: when it relates to one processing activity, one precise purpose, and one data recipient. In such cases, the permission request window must clearly display (i) the specific purpose of the request, (ii) hyperlinks to the full information required by the regulation, and (iii) clear instructions on how to easily revoke access.

Therefore, in most cases, a consent request is necessary alongside the permission request, to ensure that consent is collected in compliance with the GDPR's strict standards for freedom, clarity and specificity.

What does it mean for OS providers and app developers? 

The CNIL specifically recommends that OS providers design their permission systems to allow app developers to further define:  

  • the level of data precision based on the very purpose of its collection (e.g., more or less precise location data);
  • the limited scope of the permission (e.g., access to selected photos rather than the entire media gallery);
  • the duration of the permission (e.g., granting access temporarily or for a predefined period).

For app developers, the CNIL’s recommendations provide important clarifications regarding the integration of permissions on the one hand and the collection of consent on the other hand: 
  • Firstly, developers should ensure they adhere to the principle of data minimization by carefully assessing, on a case-by-case basis, which OS permissions are necessary for the app to function. Where possible, the CNIL therefore recommends that developers choose the least intrusive version of each permission that fulfills their strictly necessary and legal needs. This means, for example, choosing more precise or less precise location data depending on the purpose, or restricting access to selected photos rather than the entire media gallery;
  • Secondly, as data controllers, developers should identify the limited situations in which regulations actually require explicit user consent, in addition to the permission granted by the OS provider. In such cases, the implementation of a Consent Management Platform (CMP, an external software solution) is very likely to be necessary to complement the technical permission request;
  • Additionally, to reduce user fatigue from excessive or repetitive requests, the CNIL recommends collecting consent contextually - i.e., only when it is actually needed - rather than relying on a single initial consent screen;
  • Finally, developers must ensure proper coordination between permission requests and consent collection. When both a CMP and a permission request are presented to users, they must be clearly distinguished to avoid confusion. In practice, this means that developers need to ensure they have both obtained technical access to the required data (via permission) and can demonstrate that, where necessary, they have obtained valid, GDPR-compliant consent from users.

In this regard, the CNIL clarifies that, when required by law, consent can be obtained either before or after the permission request. However, if the user refuses either permission or consent, the second request should not be presented in order to avoid overwhelming the user unnecessarily. 
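The sequencing rules described above (either order of prompts, no second prompt after a refusal, processing only once both technical access and any legally required consent are in place) can be modelled as a small state machine. This is an added illustration, not code from the CNIL or from the article; the class and field names (DataAccessFlow, ConsentRecord, policy_version) are hypothetical, and the consent record is kept so the developer can later demonstrate that consent was obtained.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """Evidence kept to demonstrate consent (hypothetical structure)."""
    purpose: str
    given: bool
    at: datetime
    policy_version: str


@dataclass
class DataAccessFlow:
    permission: str               # OS permission, e.g. "location"
    purpose: str                  # the specific purpose shown to the user
    consent_required: bool        # True when consent is the legal basis
    consent_first: bool = False   # the two prompts may come in either order
    policy_version: str = "v1"
    permission_granted: Optional[bool] = None
    consent: Optional[ConsentRecord] = None

    def next_prompt(self) -> Optional[str]:
        """Return "permission", "consent", or None when nothing more should be shown."""
        order = ["consent", "permission"] if self.consent_first else ["permission", "consent"]
        if not self.consent_required:
            order.remove("consent")   # e.g. navigation app using location: no consent prompt
        for step in order:
            if step == "permission":
                answered, refused = self.permission_granted is not None, self.permission_granted is False
            else:
                answered, refused = self.consent is not None, bool(self.consent) and not self.consent.given
            if not answered:
                return step
            if refused:
                return None           # first refusal ends the flow; do not show the other prompt
        return None

    def answer_permission(self, granted: bool) -> None:
        self.permission_granted = granted

    def answer_consent(self, given: bool) -> None:
        self.consent = ConsentRecord(self.purpose, given, datetime.now(timezone.utc), self.policy_version)

    def may_process(self) -> bool:
        """Processing needs technical access AND, where required, recorded consent."""
        if self.permission_granted is not True:
            return False
        return not self.consent_required or bool(self.consent and self.consent.given)
```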

The takeaway is that, even if a user’s consent is valid, it is still necessary to obtain technical access permission in order to carry out the processing, hence the attention that should be given to permissions provided by OS providers. Conversely, even if the user has granted technical access, consent must still be obtained to ensure the processing has a legal basis (if consent is the legal basis); otherwise, the data processing would lack legal grounds and therefore be unlawful. 

At the beginning of 2025, the CNIL published additional information to its recommendations, graphically summarising the two operations as follows.

[Figure: CNIL graphic summarising the permission request and the consent collection side by side]
(Source: CNIL recommendation)

Should you need assistance in ensuring compliance with data protection regulations or if you have questions regarding your app development processes, feel free to contact us. Our team is ready to provide the legal support you need to navigate these requirements.

DATA PROTECTION BITES

Authors

Frédéric Bourguet
Attorney at law (France)
Associate Partner
+33 1 8621 9274

Raphaëlle Donnet
Attorney at law (France)
Associate
+33 1 7935 2542

RÖDL & PARTNER FRANCE
