New CNIL Guidelines Clarify Data Privacy Responsibilities For Mobile App Developers and SDK Providers

France’s Data Protection Authority has released new guidelines for integrating SDKs into mobile apps. The rules clarify data privacy responsibilities, require explicit user consent, and mandate strong security measures to ensure GDPR compliance and protect user information.


France Issues New Guidelines for SDK Integration in Mobile Apps

On 21 January 2025, France’s Data Protection Authority (CNIL) published comprehensive guidelines on the integration of software development kits (SDKs) into mobile applications.

This new framework aims to strengthen compliance with the General Data Protection Regulation (GDPR) and enhance user privacy.

With mobile apps handling vast amounts of personal data daily, these guidelines place clear responsibilities on SDK providers, app developers, and publishers to safeguard user information.

Clarifying Responsibilities in Data Processing

The CNIL’s guidelines focus on clarifying the roles of key stakeholders involved in SDK integration.

SDKs—pre-built tools that developers use to add features like analytics, payment gateways, or advertising—often process personal data without users being fully aware.

This has raised concerns about transparency and data security, especially as many SDKs transmit information to third parties.

Mobile applications: how to integrate SDKs while respecting users' privacy?
The term SDK refers to a set of tools used to make developing an application easier or faster. For example, a developer could decide to write their own system for displaying and interacting with a map inside their application, but it is much easier to integrate into their code a map-display SDK that they can then configure to their needs.

According to the guidelines:

  • SDK providers must clearly define their role as data controllers or processors, depending on how they handle user data. They are required to offer transparent documentation outlining how data is collected, processed, and shared.
  • Developers and publishers are tasked with ensuring that SDKs integrated into their applications comply with GDPR standards. They must evaluate the data processing practices of SDK providers and confirm that user data is handled lawfully.

This clarity is crucial because, in the past, many app publishers believed that data protection responsibilities rested solely with SDK providers. CNIL’s stance makes it clear that all parties involved share accountability.

A central pillar of the new guidelines is the requirement for explicit user consent before an SDK can access personal data.

This aligns with GDPR’s core principles, where consent must be freely given, specific, informed, and unambiguous.

The guidelines specify that:

  • Consent must be obtained directly from the user before an SDK starts processing personal data, particularly for purposes like targeted advertising, behavioural analytics, or location tracking.
  • SDKs must be designed to support granular consent options, allowing users to selectively agree to different types of data processing.
  • Developers should provide clear, accessible information explaining how SDKs process data, ensuring that users are not left in the dark.

In addition to consent, security is another critical focus. SDK providers are now required to implement robust technical safeguards, including:

  • Data encryption both in transit and at rest
  • Secure key management practices
  • Mechanisms to detect and respond to data breaches

Developers and publishers are expected to conduct regular audits of SDKs, ensuring that security measures remain effective as apps are updated.

Failure to meet these security requirements could expose organisations to GDPR penalties, including hefty fines for non-compliance.

Ensuring Transparency and Ethical Data Practices

Users must be fully informed about how their data is being processed, who is processing it, and for what purposes. To achieve this, the guidelines recommend:

  • Including detailed privacy notices within mobile apps that cover SDK-related data processing activities
  • Providing easy-to-access settings where users can modify their consent preferences at any time
  • Minimising data collection, ensuring that only data necessary for app functionality is gathered

The CNIL also encourages developers to adopt a “privacy-by-design” approach, integrating data protection considerations from the very beginning of the app development process. This proactive stance not only reduces the risk of GDPR violations but also builds user trust in mobile applications.
