Implementing GDPR compliance in mobile applications
GDPR fines are calculated from global annual revenue: up to 4% of it or €20M, whichever is higher. For a mobile app the problem is concrete: if the app collects data from EU users, it must comply with the regulation. This is not legal advice; it is a list of technical tasks to implement in code.
What counts as personal data in a mobile app context
GDPR interprets "personal data" broadly. In a mobile context this obviously includes email, name and phone number, but also IP address, advertising identifier (IDFA/GAID), push token, geolocation, device fingerprint and behavioral data (which screens were opened, how long the user spent on them). If Firebase or Amplitude analytics collects a user_id linked to any of the above, that is personal data too.
Consent to processing
Consent must be specific (given for each purpose separately), informed (the user knows what is collected and why), freely given (refusal does not restrict functionality) and revocable.
Technically: before the first data collection, show a CMP (Consent Management Platform). Popular options: OneTrust, Usercentrics, Didomi, Cookiebot. All integrate into iOS and Android via SDK. Important: Firebase Analytics, Facebook SDK and AppsFlyer must not be initialized before consent is obtained.
Store each consent with a timestamp and the Privacy Policy version it was given for. When the policy is updated, request consent again.
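The consent record described above, as an added example that is not part of the original page and not tied to any particular CMP: each purpose is stored with a timestamp and the policy version it was given for, consent given for an older policy version does not count, and SDK initialization is gated on the current state (the mapping of SDKs to purposes and the app being a React Native style TypeScript app are assumptions).

```typescript
// Added example: per-purpose consent record with Privacy Policy versioning.
// Assumes a React Native style app; SDK-to-purpose mapping is illustrative.

export type Purpose = "analytics" | "advertising" | "crash_reports";

export interface ConsentRecord {
  purpose: Purpose;
  granted: boolean;
  timestamp: string;      // ISO 8601, when the choice was made
  policyVersion: string;  // Privacy Policy version shown at that moment
}

export class ConsentStore {
  private latest = new Map<Purpose, ConsentRecord>(); // current choice per purpose
  private log: ConsentRecord[] = [];                   // append-only audit trail

  constructor(private policyVersion: string, private now: () => Date = () => new Date()) {}

  // Record a grant or refusal; refusal is stored too, so the audit trail is complete.
  record(purpose: Purpose, granted: boolean): ConsentRecord {
    const rec: ConsentRecord = { purpose, granted, timestamp: this.now().toISOString(), policyVersion: this.policyVersion };
    this.latest.set(purpose, rec);
    this.log.push(rec);
    return rec;
  }

  revoke(purpose: Purpose): ConsentRecord { return this.record(purpose, false); }

  // Valid only if granted for the current policy version; missing or refused means "no".
  isGranted(purpose: Purpose): boolean {
    const rec = this.latest.get(purpose);
    return rec !== undefined && rec.granted && rec.policyVersion === this.policyVersion;
  }

  // After a policy update: returns purposes that were granted under an older version
  // and therefore must be asked again. Until then isGranted() is false for them.
  updatePolicy(newVersion: string): Purpose[] {
    this.policyVersion = newVersion;
    return Array.from(this.latest.values()).filter(r => r.granted && r.policyVersion !== newVersion).map(r => r.purpose);
  }

  auditLog(): readonly ConsentRecord[] { return this.log; }
}

// Which SDKs the app may initialize right now. The purpose assignment is an assumption.
const SDK_PURPOSES: Record<string, Purpose> = { firebaseAnalytics: "analytics", facebookSdk: "advertising", appsFlyer: "advertising" };

export function sdksToInitialize(store: ConsentStore): string[] {
  return Object.entries(SDK_PURPOSES).filter(([, purpose]) => store.isGranted(purpose)).map(([name]) => name);
}
```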
Data subject rights and their technical implementation
Right to access (Art. 15). The user can request all data held about them. Implementation: an API endpoint that aggregates data from all databases and services (main DB, analytics, CRM, push service) and returns it as JSON or PDF. Automating this saves support time.
Right to deletion (Art. 17, "right to be forgotten"). It is not enough to mark the user as deleted: all personal data must really be deleted or anonymized in every store. This includes the main DB, analytics systems (Firebase: deleteUserData, Amplitude: Delete User API), backups (with a delay according to the backup schedule) and logs (de-identifying IP addresses and user_id).
Full deletion from backups is a complex task. Standard practice: backups are kept for at most 30–90 days (documented in the Privacy Policy); after that, deleted users' data disappears from them naturally.
Right to data portability (Art. 20). Export the user's data in a machine-readable format (JSON, CSV). Implemented as a function in the app settings.
Right to correction (Art. 16). The user edits their profile; this usually already exists. Check that changes are synced to all related systems.
Data minimization and retention
GDPR requires collecting only what is actually needed. Technical audit: go through every place that sends analytics events and remove unnecessary fields. Firebase Analytics collects a lot by default: disable it with setAnalyticsCollectionEnabled(false) until consent is given, and limit setUserProperty to the attributes that are actually necessary.
Retention policy: data is stored only for as long as necessary. In the Firebase Console this is the data retention period setting; in the main DB, a cron job that anonymizes old records.
Processing minors' data
For users under 16 (under 13 in some EU countries) parental consent is required. Technically: ask for the date of birth at registration and, if the user turns out to be a minor, route them to a separate flow with parental consent verification, or block registration.
Data breach notification
GDPR requires notifying the supervisory authority within 72 hours of discovering a breach. Technically this means: a monitoring system with alerts on anomalous access to personal data, a documented incident response process, and logging of all operations on personal data.
What the app needs specifically
- CMP SDK integration with conditional analytics/ad SDK initialization
- Privacy settings screen with consent management
- API for data export and deletion
- Privacy Policy with an up-to-date description of all processed data
- Consent logging (who, when, which version was accepted)
- Mechanism for notifying users of policy changes
Scope varies from 3–5 days (only technical changes in an existing app that already has a CMP) to several weeks when building data management infrastructure from scratch. Pricing is calculated after an audit of the current state and the list of services used.