In the years since the General Data Protection Regulation (GDPR) came into force in 2018, there have been some dramatic headlines about fines levied on companies for violating its requirements. <\/p>\n\n\n\n
For the most part these headlines have involved influential tech platforms with potentially billions of users. However, organizations of all sizes have been penalized for not adequately obtaining user consent for processing personal data, not meeting the requirements of their chosen legal basis, experiencing a data breach, or other issues.<\/p>\n\n\n\n
Apps developers and publishers haven\u2019t been in the news as much, even though our research showed that 90 percent of apps available in the EU<\/a> that we looked at were not compliant with the GDPR. One exception was France\u2019s data protection authority CNIL, which fined Apple and Voodoo Games in 2023<\/a> for using an advertising identifier without users\u2019 consent.<\/p>\n\n\n\n There have been other fines levied by data protection authorities around Europe for apps\u2019 GDPR violations. That regulation and other laws do not distinguish between websites and apps with regards to compliance requirements. We take a look at several examples to explore what happened, what the penalties were, and how to do business compliantly.<\/p>\n\n\n\n The GDPR<\/a> applies to organizations that process the personal data of EU residents, whether or not the company is located in the EU. That processing could be to enable apps to function, to deliver personalized advertising, or to provide analytics data to improve performance, for example. <\/p>\n\n\n\n Companies need to abide by \u201clawfulness of processing\u201d, i.e. meet the requirements of a relevant legal basis to justify their collection and processing of personal data.<\/p>\n\n\n\nWhat are the requirements for legal data processing under the GDPR?<\/h2>\n\n\n\n