Ensuring ePrivacy Directive Compliance in Mobile Applications
The ePrivacy Directive (Directive 2002/58/EC, as amended in 2009) is the "cookie law" in common parlance. For mobile apps it is much stricter than for websites: it covers not just cookies but any tracker or SDK that stores or reads information on the device, and regulators treat the advertising ID as equivalent to a cookie.
How ePrivacy Differs From GDPR for Mobile
GDPR regulates the processing of personal data. ePrivacy regulates access to the end user's device and the storing of information on it. The two rest on different legal bases.
The advertising ID (IDFA on iOS, GAID on Android) is information stored on the device. Reading it requires ePrivacy consent regardless of whether it counts as personal data under GDPR. That is why Apple introduced ATT (App Tracking Transparency) in iOS 14.5: it is effectively ePrivacy consent implemented as a system dialog.
Fingerprinting (collecting device characteristics to identify a device without cookies) also falls under ePrivacy. If an SDK collects screen resolution, OS version, device model and timezone and hashes them into an identifier, that is the same as a cookie from a legal point of view, except that the user cannot delete it.
ATT on iOS — ePrivacy in Action
AppTrackingTransparency.framework is mandatory for any iOS app that uses the IDFA or does cross-app tracking:
import AppTrackingTransparency
import AdSupport   // ASIdentifierManager lives here, not in the ATT framework

final class TrackingConsent {
    // Info.plist must contain NSUserTrackingUsageDescription, otherwise the dialog is never shown.
    func requestTrackingPermission() {
        ATTrackingManager.requestTrackingAuthorization { status in
            switch status {
            case .authorized:
                // Consent given: the IDFA may be read and shared with ad networks
                let idfa = ASIdentifierManager.shared().advertisingIdentifier
                self.initializeMarketingSDKs(with: idfa)
            case .denied, .restricted:
                // No consent: the IDFA reads as all zeros and must not be sent to ad networks
                self.initializeMarketingSDKsWithoutIDFA()
            case .notDetermined:
                // Dialog not answered yet
                break
            @unknown default:
                // Status values added in future iOS versions: treat as no consent
                self.initializeMarketingSDKsWithoutIDFA()
            }
        }
    }

    // App-specific: configure ad and attribution SDKs with the IDFA.
    private func initializeMarketingSDKs(with idfa: UUID) { /* ... */ }

    // App-specific: configure the same SDKs in a mode that never reads or sends the IDFA.
    private func initializeMarketingSDKsWithoutIDFA() { /* ... */ }
}
Request ATT once the user understands the app's value, not on first launch. Apple may reject the app if the ATT dialog appears too early and without context.
Android has no equivalent system dialog. Consent is managed through the app's own consent UI plus IAB TCF/GPP strings.
What Requires Consent, What Doesn't
Consent is not needed for:
- Technically necessary operations: session token storage, shopping cart, user settings
- Security: fraud detection, DDoS protection
- Aggregate analytics without cross-device tracking (disputed among regulators)
Consent is needed for:
- Advertising ID / IDFA for any purpose other than install attribution
- Behavioral ads
- Cross-app or cross-site tracking
- Fingerprinting
- Push notifications that are marketing rather than functional (transactional)
Consent Management for ePrivacy
IAB Europe developed the Transparency and Consent Framework (TCF v2.2), which covers mobile apps. It is implemented through an IAB-certified Consent Management Platform (CMP), which writes the decoded result into the app's default SharedPreferences:
import android.content.Context
import androidx.preference.PreferenceManager   // androidx.preference dependency

fun readTcfConsent(context: Context): Pair<Boolean, Boolean> {
    // IAB TCF v2 CMPs store the decoded result in the default SharedPreferences
    val sharedPrefs = PreferenceManager.getDefaultSharedPreferences(context)
    // Raw TC string (passed through to SDKs that want it) and the decoded purpose bits
    val consentString = sharedPrefs.getString("IABTCF_TCString", null)
    val purposeConsents = sharedPrefs.getString("IABTCF_PurposeConsents", null)
    // "1" at position N (1-based) = consent for purpose N given; null = no CMP has run yet
    // Purpose 1 — store and/or access information on a device (needed by most ad SDKs)
    val adStorageConsent = purposeConsents?.getOrNull(0) == '1'
    // Purpose 3 — create a personalised ads profile
    val personalizationConsent = purposeConsents?.getOrNull(2) == '1'
    return adStorageConsent to personalizationConsent
}
The standard IABTCF_* keys are read automatically by all compatible SDKs: AdMob, Criteo, The Trade Desk and other IAB-compatible partners.
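The IABTCF_PurposeConsents value above is the CMP's already-decoded view of the TC string. To show what the CMP actually decodes, here is an added example, not code from this page or from IAB Europe, that packs and unpacks the header of a TCF v2 core segment in Python. It builds a constructed TC string (CMP id 999, purposes 1 and 3, timestamp and language codes all made up for the example), decodes the fixed-width bit fields and derives the same 24-character purpose-consent string the Kotlin snippet reads. The vendor consent section that follows the header is not parsed, and all function and field names are this example's own.

```python
"""Decode the core segment header of an IAB TCF v2 TC string (constructed sample)."""
import base64
from datetime import datetime, timezone

# Core-segment layout of a TCF v2.x TC string: (field, bit width), in order.
# Only the header up to PublisherCC is handled; the vendor consent section
# that follows is not parsed by this example.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_texts", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]
CORE_BITS = sum(width for _, width in CORE_FIELDS)  # 213 bits


def letters_to_int(two_letters):
    """Language/country codes are two 6-bit letters, A=0 ... Z=25, first letter high."""
    first, second = (ord(c) - ord("A") for c in two_letters.upper())
    return (first << 6) | second


def int_to_letters(value):
    return chr(ord("A") + (value >> 6)) + chr(ord("A") + (value & 0x3F))


def purposes_to_bitfield(purposes):
    """Purpose N (1-based) is the N-th most significant of the 24 purpose bits."""
    return sum(1 << (24 - p) for p in purposes)


def encode_core(fields):
    """Pack the header fields into bits, pad to a byte boundary, base64url without '='."""
    bits = "".join(f"{fields[name]:0{width}b}" for name, width in CORE_FIELDS)
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_core(tc_string):
    """Return the header fields of the core segment as a dict of integers."""
    core = tc_string.split(".")[0]  # further segments are separated by '.'
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(f"{byte:08b}" for byte in raw)
    if len(bits) < CORE_BITS:
        raise ValueError("TC string core segment is too short")
    out, pos = {}, 0
    for name, width in CORE_FIELDS:
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    return out


def purpose_consents_string(core):
    """Same shape as IABTCF_PurposeConsents: '1' at index N-1 means purpose N consented."""
    return f"{core['purposes_consent']:024b}"


def purpose_allowed(core, purpose):
    return purpose_consents_string(core)[purpose - 1] == "1"


def created_at(core):
    """Created/LastUpdated are deciseconds since the Unix epoch."""
    return datetime.fromtimestamp(core["created"] / 10, tz=timezone.utc)


def build_sample_tc_string():
    """Constructed sample: purposes 1 and 3 consented, CMP id 999 (not a real CMP)."""
    ts = 17052768000  # 2024-01-15T00:00:00Z in deciseconds (constructed value)
    return encode_core({
        "version": 2, "created": ts, "last_updated": ts,
        "cmp_id": 999, "cmp_version": 1, "consent_screen": 1,
        "consent_language": letters_to_int("EN"),
        "vendor_list_version": 100, "tcf_policy_version": 4,
        "is_service_specific": 1, "use_non_standard_texts": 0,
        "special_feature_opt_ins": 0,
        "purposes_consent": purposes_to_bitfield([1, 3]),
        "purposes_li_transparency": 0, "purpose_one_treatment": 0,
        "publisher_cc": letters_to_int("DE"),
    })


if __name__ == "__main__":
    sample = build_sample_tc_string()
    core = decode_core(sample)
    print("TC string:", sample)
    print("purpose consents:", purpose_consents_string(core))
    print("language:", int_to_letters(core["consent_language"]), "created:", created_at(core))
```

Decoding the string yourself is a useful audit check: if the purpose bits recovered from IABTCF_TCString do not match what the CMP wrote into IABTCF_PurposeConsents, the CMP integration is broken and ad SDKs may be firing without consent.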
ePrivacy Regulation — What to Expect
The ePrivacy Directive is due to be replaced by the ePrivacy Regulation, which would apply directly without national implementation. Negotiations have been ongoing since 2017 and there is still no final text. The current draft tightens consent requirements and expands the scope to OTT communications (WhatsApp, Telegram and equivalents).
In practice, a consent system built to GDPR plus the current ePrivacy Directive is the correct base and will very likely be compatible with the final version of the Regulation.
Timeline: ATT integration on iOS + IAB TCF consent flow + ad SDK configuration: 2–3 days. With custom CMP UI and full SDK audit: 4–5 days.