
Complying with CNIL’s 2025 Mobile App Privacy Guidelines


If your app is deployed in France, you need to pay attention to the final “Recommendations on Mobile Applications” from CNIL, published in April 2025 and intended to help professionals design mobile applications that respect privacy. From 2025 onwards, CNIL will ensure that these recommendations are taken into account through enforcement actions.

This blog post gives a summary of the recommendations and some guidance on how to comply.

Summary

CNIL (France’s data protection authority) issued this updated recommendation on March 27, 2025 (published April 8). It replaces the July 2024 version, refining how mobile app stakeholders must comply with the GDPR and ePrivacy Directive. The move responds to growing complexity in mobile ecosystems, increasing use of SDKs, and security/privacy risks associated with mobile data processing.

The document is intended to clarify how GDPR and ePrivacy rules apply in the context of mobile apps and to provide actionable recommendations for all players in the mobile app ecosystem—developers, publishers, SDK providers, OS vendors, app stores—to improve transparency, accountability, and user protection.

The document calls out very clearly the roles and obligations of each “actor” in the ecosystem, especially under GDPR rules: App Publishers, App Developers, SDK Providers, Operating System Vendors (e.g., Apple, Google, Huawei), and App Store Providers.

What is CNIL

The Commission Nationale de l’Informatique et des Libertés (CNIL) is France’s independent data protection authority. It enforces laws related to data privacy and digital rights, most notably the General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés). CNIL operates under the authority of the French Parliament, but is independent.

Founded in 1978, CNIL is one of the oldest and most influential privacy regulators in the world, driving: 

  • Regulation & Enforcement: Enforces GDPR and ePrivacy rules in France and can investigate, audit, and fine public or private organizations or issue monetary penalties and public warnings.
  • Guidance & Recommendations: Publishes best practice guidelines for compliance (like the mobile app recommendation).
  • Policy: Participates in European forums like the European Data Protection Board (EDPB) and influences EU-wide privacy legislation and enforcement strategy.

In short, CNIL is a very powerful regulatory authority and is considered one of the most technically competent and strict data protection authorities in Europe. CNIL played a key role in some landmark enforcement cases and frameworks (e.g., Google cookie fines, Schrems cases, AI regulation proposals).

In addition, CNIL has legal powers to conduct onsite inspections, demand records and data, issue urgent orders, and even impose fines of up to €20M or 4% of global revenue under GDPR.

The Scope of CNIL “Recommendation on Mobile Applications”

The guidelines are applicable to any mobile app made available to users in France, and not limited to French developers. “Made available” means offered on an app store in France, targeting French users, or processing personal data of individuals located in France.

This of course is consistent with GDPR Article 3(2): The regulation applies to non-EU organizations if they offer goods/services to, or monitor behavior of, people in the EU.

How and When CNIL “Recommendations on Mobile Applications” will be Enforced

CNIL says: “From early spring 2025, the CNIL will deploy a specific investigation campaign on mobile applications to ensure compliance with the applicable rules. In the meantime, the CNIL will continue to deal with any complaints it receives, carry out any investigation it deems necessary and, if necessary, adopt any corrective measures required to effectively protect the privacy of mobile application users.”

In effect, CNIL has the power to conduct audits and spot-checks on apps available in France, with a special focus on apps with high data processing volumes, targeting children, or using tracking SDKs. They specifically mention using traffic analysis to expose SDKs that send data to third parties, checking especially for missing consent dialogs, non-functional "refuse all" options, or abuse of legitimate interest.

So you have been warned!

What Do The CNIL “Recommendations on Mobile Applications” Actually Say

The full recommendations in French are here: Recommandation relative aux applications mobiles, and the English translation is here: Recommendation on mobile applications. Note that CNIL says only the French version is legally binding.

The CNIL mobile apps recommendation is built around the idea that compliance is a shared responsibility across several “actors” in the ecosystem. Each one has a different role to play under GDPR and ePrivacy.

The document is just short of a hundred pages, so let's break down and summarize the key recommendations for each player in the mobile ecosystem:

  • For App Publishers: The organization or brand that offers the app to end-users, usually the data controller in GDPR terminology. CNIL explicitly mentions that publishers must still ensure full compliance with GDPR and CNIL’s recommendations even when apps are side-loaded and not delivered via an app store. 
    • Design for Privacy by Default: Limit permissions, avoid collecting unnecessary data.
    • Map All Third Parties & SDKs: Know who processes data and why.
    • Obtain Valid Consent: Especially for cookies/trackers (e.g., advertising SDKs).
    • Respect User Rights: Allow for easy access, rectification, and deletion of data.
    • Maintain Compliance Throughout App Lifecycle: From development to decommissioning.
  • For Developers: The party that actually builds the app: 
    • Implement Secure Coding Practices.
    • Avoid embedding SDKs with unknown behavior.
    • Provide guidance to publishers about security/privacy implications.
    • Ensure end-to-end protection, especially during app updates or when integrating SDKs.
  • For SDK Providers: Anyone who supplies software components integrated into apps.
    • Disclose all data processing activities clearly.
    • Provide privacy-compliant integration instructions.
    • Avoid hidden collection of personal data without publisher/user awareness.
  • For OS Vendors: e.g., Apple iOS, Google Android, Huawei HarmonyOS.
    • Ensure secure default settings.
    • Provide tools for permission management.
    • Offer platform-level support for user consent and rights enforcement.
  • For App Stores: e.g., Apple App Store, Google Play, Huawei AppGallery, or third-party alternative stores. It is important to note that these obligations apply regardless of whether the store is operated by Apple/Google or by a third-party/alternative provider.
    • Analyze app submissions for baseline privacy compliance.
    • Offer transparent app review processes.
    • Enable user reporting mechanisms for non-compliant apps.

Key points worth noting: 

  • The recommendations cover both GDPR (for personal data) and ePrivacy (for device access/trackers).
  • The document recommends distinguishing between data processing under legitimate interest, contractual necessity, and consent.
  • Misuse of SDKs and mobile identifiers is seen as a recurring issue and gets special attention. Collection and analysis of user behavior tracking data in particular is flagged as an issue.
  • The document strongly promotes minimization, purpose limitation, and user control.

How Approov can Help You Comply with The CNIL “Recommendations on Mobile Applications”

Here's how Approov directly supports compliance with the CNIL guidelines:

1. Data Minimization and Security by Design (Article 5.5 & 5.6 of the CNIL Recommendation)

CNIL Expectation:

  • Minimize permissions.
  • Implement security controls during design.
  • Protect sensitive interactions with the OS and APIs.

Approov Contribution:

  • Enforces device and app integrity checks before any sensitive API call is permitted.
  • Uses dynamic certificate pinning to prevent Man-in-the-Middle (MitM) attacks on communications, reducing risk during API access.
  • Provides runtime secrets protection, so secrets (e.g., API keys) are only injected into apps that pass attestation—avoiding local storage and reducing leakage risk.

2. Verification of Legitimate App and Device (Attestation)

CNIL Expectation (implicit in Sections 5.4, 6.4, and 7.1):

  • Ensure that SDKs, apps, and devices are not modified or operating in a compromised environment.
  • Secure API access by verifying authenticity.

Approov Contribution:

  • Approov offers robust mobile app attestation with cryptographically signed short-lived tokens that verify:
    • The app is unmodified and official.
    • The app is running on a secure, uncompromised device.
    • Each API access originates from a valid instance of the app.
  • Approov can detect rooted/jailbroken devices, instrumentation frameworks (e.g., Frida, Xposed), and emulators.
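Sections 1 and 2 above both rest on the same idea: a sensitive API call is only permitted when the request carries a short-lived, cryptographically signed attestation token issued by the attestation service. The example below is added here to illustrate that backend check; it is not Approov's code or token format, and the secret, claim names (`aud`, `exp`) and two-part token layout are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In a real deployment the signing secret is shared
# only between the attestation service and the API backend; it is never
# embedded in the mobile app, which merely relays the token it was issued.
SECRET = b"demo-attestation-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for the attestation service: sign the claims with HMAC-SHA256.
    Only an app that passed attestation would ever receive such a token."""
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"


def verify_token(token: str, expected_aud: str, now: int,
                 secret: bytes = SECRET) -> tuple[bool, str]:
    """Backend check run before any sensitive API call is served.
    The signature is checked before the claims are parsed, so untrusted
    JSON is never decoded; expiry and audience are then enforced."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now:          # short-lived: reject stale tokens
        return False, "expired"
    if claims.get("aud") != expected_aud:    # token bound to this API, not reusable elsewhere
        return False, "wrong audience"
    return True, "ok"


def handle_sensitive_call(token: str, now: int) -> dict:
    """Gate a sensitive endpoint (hypothetical "payments-api") on the token."""
    ok, reason = verify_token(token, "payments-api", now)
    return {"status": 200 if ok else 401, "reason": reason}
```

A request from a repackaged app, a tampered token, or a replayed token past its lifetime is refused at the backend with the reason logged, which is the kind of server-side evidence a publisher can point to when demonstrating the integrity controls CNIL expects.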

3. SDK Governance & Transparency (Section 7)

CNIL Expectation:

  • SDKs must not perform hidden data processing.
  • SDK providers must document processing, maintain transparency, and provide security guarantees.

Approov Contribution:

  • Unlike many third-party SDKs, Approov does not collect PII or behavioral data.
  • Approov provides clear SDK documentation and has no dependency on external system libraries for integrity checks.
  • All integrity measurements are performed in self-contained, hardened native code, resistant to tampering.

4. Third-Party Data Sharing & Consent (Sections 5.3 & 7.3)

CNIL Expectation:

  • Publishers (“éditeurs” in the French text) must understand and control SDKs' behavior.
  • SDKs must not leak data to unauthorized third parties.

Approov Contribution:

  • Supports a zero-trust architecture: API secrets and tokens are only accessible after successful attestation.
  • The SDK cannot exfiltrate sensitive data since it does not handle or transmit personal data.

5. Support for Accountability & Lifecycle Management (Sections 5.4, 6.5, 8.4)

CNIL Expectation:

  • Ensure traceability, maintainability, and support through the lifecycle of the app.

Approov Contribution:

  • Approov includes tools for:
    • Audit trails and metrics on attestation results and device interactions.
    • Pin rotation and key management without app updates, aiding continuous compliance and reducing operational risk.
  • Approov provides a CLI and admin roles with role-based access and password protection for secure operational use.

6. App Store Submission and Distribution Controls (Sections 9.1-9.4)

CNIL Expectation:

  • App stores must assess app behavior against baseline privacy/security rules.

Approov Contribution:

  • Enables apps to pass security-focused validation with higher confidence due to built-in attestation and secure API enforcement.
  • Can distinguish between traffic from official vs. repackaged apps, which app store validation mechanisms often miss. 

Conclusion - It Makes Sense to Comply

If your app is deployed worldwide, you need to track evolving regulations in the countries you operate in and make sure you remain in compliance. France is a key market for mobile apps, and the latest CNIL Recommendations on Mobile Apps will be enforced, so you must comply if your app touches French user data.

In addition, the recommendations make sense, signalling a more proactive enforcement posture, especially around mobile tracking, SDK usage, and user rights management.

And here is a final observation: Many years ago I was the product manager for a communications product intended for public telecoms networks. One of our first customers was France-Telecom and we had to pass multiple hurdles to qualify the product for French deployment. This effort was well spent however because no other market was as rigorous - we ended up with a product that sailed through qualification tests for any other operator. So investment in complying with CNIL Recommendations on Mobile Apps may well prepare you well not just for GDPR markets but for any regulatory environment in which you plan to deploy your app. 

Approov helps mobile app stakeholders conform to regulatory expectations in specific and meaningful ways. We are experts in mobile and API security, and would love to discuss your specific needs in a call.