Mobile applications have become essential tools in our daily lives, both for personal and professional use. They contain a wealth of sensitive data and interact with various systems, making them prime targets for cyberattacks.
To address these risks, the Commission Nationale de l’Informatique et des Libertés (CNIL)—the French data protection authority—has published a set of recommendations aimed at strengthening mobile application security and protecting users' personal data. The CNIL is an independent administrative body responsible for ensuring compliance with data protection laws in France and plays a key role in shaping privacy regulations at the European level. As part of the European Data Protection Board (EDPB), it contributes to the enforcement of the General Data Protection Regulation (GDPR), a framework that standardizes data privacy laws across the European Union.
“The mobile environment presents greater risks than the web for data privacy and security.” CNIL – Mobile Applications: The CNIL Publishes Its Recommendations to Better Protect Privacy
These recommendations have a clear objective: to help publishers, developers, and other stakeholders comply with the General Data Protection Regulation (GDPR) while adopting best practices to minimize risks. But how do these guidelines translate into concrete actions? And how does Pradeo support companies in this approach?
The CNIL emphasizes the need for a clear definition of roles among all participants in the mobile application ecosystem. Publishers, developers, SDK providers, app store managers, and operating system vendors must determine whether they act as data controllers, processors, or joint controllers for certain data processing activities. This distinction is crucial as it defines their respective responsibilities and obligations.
For example, a developer creating an application on behalf of a publisher without handling personal data collection does not have the same obligations as an application publisher using an SDK with advertising trackers for targeting purposes.
Transparency toward users is a key principle. When an application collects personal data, users must be clearly and comprehensibly informed about how their data will be used. Privacy policies are often lengthy, technical, or missing altogether. The CNIL recommends using accessible language and providing this information at the right time: before installation, during the first use, or at the point of data collection.
Asking users to accept general terms and conditions is not enough: consent must be freely given, informed, and collected for each distinct purpose. For example, an app cannot require users to agree to share their data with third parties unless it is strictly necessary for the service's operation.
Additionally, merely requesting permission to access smartphone features (such as the camera or GPS) is insufficient to ensure valid consent under the GDPR. A mechanism must be provided for users to easily withdraw their consent.
The CNIL has already sanctioned several companies for failing to comply with its recommendations. Notable cases include:
To enforce its directives, the CNIL has also announced an inspection campaign starting in spring 2025, highlighting its commitment to ensuring industry-wide compliance.
The Privacy by Design approach recommended by the CNIL means that data protection should not be an afterthought but an integral part of application development.
This includes minimizing data collection, implementing strong security measures (such as encrypting sensitive information), and carefully monitoring third-party components integrated into the application, particularly SDKs.
To assist companies in this process, Pradeo offers a suite of application security solutions that ensure mobile applications comply with security best practices and CNIL requirements.