GDPR (General Data Protection Regulation)

GDPR (General Data Protection Regulation) is the EU's foundational privacy law, effective May 2018. It governs how mobile apps (and any business) collect, process, and share personal data of EU residents — defined broadly to include device identifiers (IDFAGlossaryIdentifier for Advertisers (IDFA)Apple's per-device advertising identifier — historically used for deterministic ad attribution, now only available when the user explicitly opts in via App Tracking..., GAIDGlossaryGAID (Google Advertising ID)Google's per-device advertising identifier on Android — the equivalent of Apple's IDFA. Still broadly available in 2026, but Privacy Sandbox for Android will eventua...), behavioral data, IP addresses, location, contact information, and anything else that can identify a person. GDPR applies to any app serving EU residents, regardless of where the company is headquartered — a US-based app with EU users is subject to GDPR.

The core consent requirement: GDPR requires explicit, informed, freely-given consent before processing personal data for purposes like ad tracking, behavioral retargetingGlossaryRetargetingPaid advertising targeted at users who already installed your app — typically aimed at re-engaging lapsed users or driving specific in-app actions., or sharing with third parties. "Explicit" means an affirmative action (toggle, button, checkbox); pre-checked boxes don't count. "Informed" means the user understood what they were consenting to. "Freely given" means refusing consent shouldn't cost them access to the service. For mobile apps, this typically means showing a consent dialog at first launch that asks the user to opt in to ad-tracking-related data processing, with clear explanation of what data is collected and who receives it.

IAB TCF (Transparency & Consent Framework): most mobile apps don't build consent dialogs from scratch — they use the IAB's standard framework. TCF defines:

• Standardized consent UI patterns that ad networks and MMPs recognize.
• A consent string format that the app passes to every ad networkGlossaryAd NetworkA platform that aggregates ad demand from many advertisers and matches it to publisher inventory through real-time auctions. call, indicating exactly which categories the user consented to.
• A list of vendor IDs so users can grant / deny consent per ad network (or per ad-tech vendor).

TCF 2.2 (current version as of 2026) refined the framework to address regulator feedback. Most major MMPs (AppsFlyer, Adjust, Singular) and ad networks (Meta, TikTok, Google) integrate with TCF natively. Consent managementGlossaryConsent Management (CMP)A platform that manages user privacy consent (GDPR, CCPA, others) — the consent UI, the consent string, the vendor preferences, and the audit trail. platforms (OneTrust, TrustArc, Sourcepoint, Cookiebot, Didomi) provide pre-built TCF-compliant consent UIs.

Real-world enforcement

• Largest fines historically: Meta (€1.2B in 2023 for cross-border data transfers), Amazon (€746M), Google (€90M cookie consent bannerGlossaryBanner AdA small persistent ad shown at the top or bottom of the app screen — the lowest-attention and lowest-eCPM mobile ad format, but high in impression volume.), TikTok (multiple fines for kids' data).
• Mobile-app specific enforcement: less aggressive than enforcement against large platforms, but rising. EU Data Protection Authorities have audited dozens of mobile apps for tracking-without-consent.
• Reality for typical mobile apps: implement TCF-compliant consent, integrate with major MMPs in consent-respecting modes, and you're protected from typical enforcement. Edge cases (children's apps, health data, financial data) warrant additional legal review.

What every consumer mobile app needs

1. 01Privacy policy clearly explaining what data is collected, why, and who receives it. Updated when practices change.
2. 02Consent dialog at first launch — TCF-compliant, with granular opt-in / opt-out for ad tracking specifically.
3. 03Data subject rights handling — users can request access to their data, correction, deletion, portability. Have a process for these requests.
4. 04Data breach response plan — required to notify regulators within 72 hours if breach involves personal data.
5. 05Vendor management — ensure your MMPGlossaryMobile Measurement Partner (MMP)A third-party attribution provider (AppsFlyer, Adjust, Singular, Branch, Kochava) that adjudicates which ads drove which installs across multiple ad networks, with i..., ad networks, analytics platforms all process EU data in GDPR-compliant ways (DPAs — Data Processing Agreements).