Privacy Daily is a service of Warren Communications News.

CNIL: Mobile Apps Must Ensure User Privacy via Technical Permissions

Mobile apps often process personal data that users provide or that is collected directly when the app accesses resources in smartphones and tablets, French data protection agency CNIL said Tuesday, according to an unofficial translation.

In the latter case, the app requires the user's agreement via a permission system made available by the operating system. OS permissions, or authorizations, allow users to choose which functions and data are accessible to each of their mobile apps. Users can choose to allow applications access to resources such as sensors, photo lenses or memory. Most permissions are intended to allow or block technical access to certain protected resources, without considering the purposes for which the app requests authorization.

The CNIL made several recommendations concerning these "technical" permissions that don't regulate the uses for which information may or may not be processed. Technical permissions are useful for privacy, it noted, because they let users block access to certain data, a "simple and direct means of safeguarding their privacy."

By accepting or refusing permissions, users clarify what they will share with the app. However, CNIL said permissions aren't designed for collecting user consent within the meaning of the EU General Data Protection Regulation (GDPR) and France's Information Technology and Freedoms Act.

Permissions may therefore be needed in situations where regulations don't require user consent. Even where consent is required, "a simple request for permission does not always allow free, specific, informed and unequivocal consent" under the GDPR, CNIL said. Permissions are sufficient only in limited cases, such as if they concern a single processing of data, a single purpose and a single recipient of the data. In most cases, a consent management platform is needed in addition to the request for permission.

The regulator listed several best practices for OS providers. In particular, it encouraged them to design permissions systems to allow app publishers to choose the scope of the permissions as precisely as possible. An ideal permission system would let the publisher choose such things as how exact the data provided must be to achieve the purpose for which it's collected (such as more or less precise location) and the limits of the authorization (such as whether it's for selected photos rather than for the whole media gallery). The system should also set the permission's duration.

"The purpose of permission is to allow people to have their hands on their data," the CNIL said. Consent management platforms and requests for permission shouldn't confuse users, it said. Consent can be obtained before or after a request for permission, but the CNIL recommended that a developer, in conjunction with the app publisher responsible, ensure that the user is clear about the distinction between consent and permission.