App developers

App stores

OS / device manufacturers

Third parties

1. Be aware of, and comply with, their obligations as data controllers when they process data from and about users;
2. Be aware of, and comply with, their obligations as data controllers when they contract with data processors such as if they outsource the collection and processing of personal data to developers, programmers and for example cloud storage providers;
3. Ask for consent before the app starts to retrieve or place information on the device, i.e., before installation of the app. Such consent has to be freely given, specific and informed;
4. Ask for granular consent for each type of data the app will access; at least for the categories Location, Contacts, Unique Device Identifier, Identity of the data subject, Identity of the phone, Credit card and payment data, Telephony and SMS, Browsing history, Email, Social networks credentials and Biometrics;
5. Be aware that consent does not legitimise excessive or disproportionate data processing;
6. Provide well-defined and comprehensible purposes of the data processing in advance to installation of the app, and not change these purposes without renewed consent; provide comprehensive information if the data will be used for third party purposes, such as 
advertising or analytics;
7. Allow users to revoke their consent and uninstall the app, and delete data where 
appropriate;
8. Respect the principle of data minimisation and only collect those data that are strictly 
necessary to perform the desired functionality;
9. Take the necessary organisational and technical measures to ensure the protection of the 
personal data they process, at all stages of the design and implementation of the app 
(privacy by design), as defined in in section 3.6 of this Opinion;
10. Enable app users to exercise their rights of access, rectification, erasure and their right to object to data processing and inform them about the existence of these mechanisms;
11. Define a reasonable retention period for data collected with the app and predefine a period of inactivity after which the account will be treated as expired;
12. With regard to apps aimed at children: pay attention to the age limit defining children or minors in national legislation, choose the most restrictive data processing approach in full respect of the principles of data minimization and purpose limitation, refrain from processing children’s data for behavioural advertising purposes, either directly or indirectly and refrain from collecting data through the children about their relatives and/or friends.
13. Be aware of, and comply with, their obligations as data controllers when they process data from and about users;
14. Enforce the information obligation of the app developer, including the types of data the app is able to access and for what purposes, as well as whether the data is shared with third parties;
15. Give special attention to apps directed at children to protect against the unlawful processing of their data, and especially enforce the obligation to present the relevant information in a simple manner, in age specific language;
16. Provide detailed information on the app submission checks they actually perform, including those aimed to assess privacy and data protection issues.
17. Provide a single point of contact for the users of the app;
18. Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:

• who they are (identity and contact details),
• what precise categories of personal data the app wants to collect and process,
• why the data processing is necessary (for what precise purposes),
• whether data will be disclosed to third parties (not just a generic but a specific 
description to whom the data will be disclosed), and
• what rights users have, in terms of withdrawal of consent and deletion of data.

1. Be aware of, and comply with, their obligations as data controllers when they process data from and about users;
2. Enforce the information obligation of the app developer, including the types of data the app is able to access and for what purposes, as well as whether the data is shared with third parties;
3. Give special attention to apps directed at children to protect against the unlawful processing of their data, and especially enforce the obligation to present the relevant information in a simple manner, in age specific language;
4. Provide detailed information on the app submission checks they actually perform, including those aimed to assess privacy and data protection issues.

1. Update their APIs, store rules and user interfaces to offer users sufficient control to exercise valid consent over the data processed by apps;
2. Implement consent collection mechanisms in their OS at the first launch of the app or the first time the app attempts to access one of the categories of data that have significant impact on privacy;
3. Employ privacy by design principles to prevent secret monitoring of the user;
4. Ensure security of processing;
5. Ensure (the default settings of) pre-installed apps are compliant with European data 
protection law;
6. Offer granular access to data, sensors and services, in order to ensure that the app 
developer can only access those data that are necessary for his app;
7. Provide user-friendly and effective means to avoid being tracked by advertisers and any 
other third party. The default settings must be such as to avoid any tracking;
8. Ensure the availability of appropriate mechanisms to inform and educate the end user 
about what the apps can do and what data they are able to access;
9. Ensure that each access to a category of data is reflected in the information of the user 
before the app’s installation: the categories presented must be clear and comprehensible;
10. Implement a security-friendly environment, with tools to prevent malicious apps from 
spreading and allow each functionality to be installed/uninstalled easily.

1. Be aware of, and comply with, their obligations as data controllers when they process personal data about users;
2. Comply with the consent requirement determined in Article 5(3) of the ePrivacy Directive when they read or write data on mobile devices, in cooperation with the app developers and/or app stores, which essentially provide user with the information on the purposes of data processing;
3. Not circumvent any mechanism designed to avoid tracking, as it currently often happens with the “Do Not Track” mechanisms implemented in browsers;
4. Communications service providers, when they issue branded devices, must ensure the valid consent of users for pre-installed apps and take on board relevant responsibilities when contributing to determining certain features of the device and of the OS, e.g. when limiting the user’s access to certain configuration parameters or filtering fix releases (security and functional ones) provided by the device and OS manufacturers;
5. Advertising parties must specifically avoid delivering ads outside the context of the app. Examples are delivering ads by modifying browser settings or placing icons on the mobile desktop. Refrain from the use of unique device or subscriber identifiers for the purpose of tracking;
6. Refrain from processing children’s data for behavioural advertising purposes, either directly or indirectly. Apply appropriate security measures. This includes secure transmission and encrypted storage of unique device and app user identifiers and other personal data.

1. Study the relevant guidelines with regard to specific security risks and measures;
2. Proactively inform users about personal data breaches along the lines of the requirements 
of the ePrivacy Directive;
3. Inform users about their proportionality considerations for the types of data collected or 
accessed on the device, the retention periods of the data and the applied security measures;
4. Develop tools to enable users to customise retention periods for their personal data based on their specific preferences and contexts, rather than offering pre-defined retention terms;
5. Include information in their privacy policy dedicated to European users;
6. Develop and implement simple but secure online access tools for users, without collecting 
additional excessive personal data;
7. Together with the OS and device manufacturers and app stores use their creative talent to 
develop innovative solutions to adequately inform users on mobile devices, for example through a system of layered information notices combined with meaningful icons.

1. In collaboration with the OS manufacturer, develop control tools for users, such as symbols representing access to data on and generated by the mobile device;
2. Subject all apps to a public reputation mechanism;
3. Implement a privacy friendly remote uninstall mechanism;
4. Provide feedback channels to users to report privacy and/or security problems;
5. Collaborate with app developers to pro-actively inform users about personal data 
breaches;
6. Warn app developers about the specificities of European law before submitting the 
application in Europe, for example about the consent requirement and in case of transfers of personal data to non-EU countries.

1. Enable users to uninstall apps, and provide a signal (for example through the API) to the app developer to enable deletion of the relevant user data;
2. Systematically offer and facilitate regular security updates;
3. Ensure that methods and functions allowing access to personal data include features 
aiming to implement granular consent requests;
4. Actively help develop and facilitate icons alerting users to different data usage by apps;
5. Develop clear audit trails into the devices such that end users can clearly see which apps 
have been accessing data on their devices and the amounts of outgoing traffic per app, in relation to user-initiated traffic.

1. Develop and implement simple but secure online access tools for users, without collecting additional excessive personal data;
2. Only collect and process data that are consistent with the context where the user provides the data.