Skip to content
LegalVision UK

UK GDPR Requirements For Mobile Apps 

Avatar photo

By Sej Lamba

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Mobile apps often collect a lot of personal data. Accordingly, they are subject to data protection law rules. Therefore, if your business utilises a mobile app, complying with data protection rules is something you must understand and take seriously. This article will explore key issues around mobile app requirements under the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). 

Data Protection Laws and Mobile Apps

The UK GDPR is the law governing the use of personal data. It contains many rules you must follow, depending on the types of personal data your business processes. 

Complying with the GDPR is a big topic. Accordingly, let us explore a few key issues you must consider for mobile apps. 

Lawful Basis for Processing Personal Data on Mobile Apps 

Mobile apps will process a heavy amount of personal data, such as: 

  • individual contact data;
  • credit card and bank details; and 
  • location data. 

As such, mobile apps need to determine a ‘lawful basis’ for processing personal data.

Processing is lawful under Article 6 of the UK GDPR if one of the following legal grounds applies.

1. Consent

Relying on consent means the individual has given clear consent for you to process their data for a specific purpose. Consent must be: 

  • freely given;
  • specific; and 
  • informed. 

Generally, this is a difficult ground to rely upon. Accordingly, you must take particular care if you intend to rely on consent. 

2. Contract

You may have a lawful basis to process the data under a contract. For example, the processing may be necessary as part of a contract with the individual or because they have asked you to take specific steps before entering a contract.

3. Legal Obligation 

Under this basis, processing data is necessary to comply with the law. You can rely on this legal basis if you must process personal data to comply with a legal obligation. 

4. Vital Interests

A vital interest refers to where processing is necessary to protect someone’s life. You are likely to be able to rely on this ground if you need to save an individual’s life. However, this ground is very limited in scope.

5. Public Task

The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. This ground usually applies to public authorities.

6. Legitimate Interests

The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data, which overrides those legitimate interests. 

It will be up to the mobile app provider to consider the appropriate lawful basis to process personal data. However, most providers tend to rely on the grounds of ‘consent’, ‘performance of a contract’ and ‘legitimate interests’ to process personal data (depending on how they use the personal data of app users).

Additional rules and considerations will apply if:

  • the apps targets children; or 
  • you collect a special category personal data. 

This is a complex topic. Therefore, you should take legal advice on this if you need clarification. 

Mobile App Privacy Policy

It is mandatory to give clear privacy information to all individuals from whom you collect personal data as a data controller. A data controller is an organisation that decides how and why to use personal data. 

A mobile app will often collect a large amount of personal data from individuals, for example, when they first sign up or create an account. 

The most common way to provide privacy information on a mobile app is through a privacy policy document. The privacy policy should tell individuals various facts about how the app will use their data.

For example, as a mobile app owner, and data controller, you should confirm:

  • what personal data do you collect from users; 
  • how you will use their personal data; 
  • how long you keep their personal data; 
  • who you share their personal data with; 
  • how you will keep their personal data safe; and
  • what their data protection rights are. 

Businesses should provide this information so that users know how you will use their data before they sign up for the app. For example, a mobile app privacy policy can pop up before a user is prompted to sign up and insert their personal details. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Often, mobile apps deploy cookies. When doing so, app users need to be informed about cookies, give consent for their use or decline them. In the UK, the key law governing the use of cookies is the PECR. In addition to the UK GDPR, the PECR law requires mobile apps to get informed consent from users before storing cookies on their devices. If you are deploying cookies, you must also provide a cookie policy. This must be available to the user before they install the app. 

A cookie policy is a document that provides detailed information about cookies. The policy needs to explain various details on the different types of cookies a business uses and allow users to control and change their preferences around using cookies. 

Therefore, it is vital to carry out a cookie audit to understand what cookies your app uses and how they work. This can be a fairly technical exercise. Accordingly, most app providers engage technical software developer experts to assist with this process. 

Apps using cookies must provide users with comprehensive information in a user-friendly format. The key is to be extremely transparent and provide ‘clear and comprehensive’ information so users understand what cookies you use and what they will do. You should also understand the practicalities around how users can turn cookies on or off. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Key Information You Should Provide

Some of the key information you should provide includes:

  • which cookies you will use; 
  • the purpose you are using cookies for; 
  • how long you will use cookies for;
  • whether third parties will have access to the cookies; 
  • how users can opt out of the use of cookies; and
  • any relevant technical information about cookies. 

These are some of the key requirements for mobile apps. Mobile app owners should carefully review the GDPR (and any other relevant) legal rules and ensure their operations comply. For example, additional considerations include ensuring data security on the mobile apps. Similarly, you might apply the principles of ‘privacy by design’, including designing the apps with data protection considerations in mind.

Key Takeaways

Mobile apps often collect a lot of personal data. As such, they are subject to the rules under the UK General Data Protection Regulation (GDPR) data protection law regime. Some key issues include determining the appropriate lawful basis to process personal data and providing users with a compliant privacy policy. Additionally, app owners must comply with Privacy and Electronic Communications Regulations rules if they deploy cookies. Mobile app owners should follow all applicable UK GDPR rules when operating mobile apps. 

If you need legal advice on compliance with the UK GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

3 Documents Your Company Needs to Demonstrate GDPR Compliance

4 Common Challenges Your Company Will Face With the GDPR in the UK

Are Email Disclaimers Mandatory for UK Businesses Under the GDPR?

Do GDPR Rules Cover My Company’s Telephone Conversations in the UK?

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards