
App permissions do not satisfy the requirements for valid consent under the GDPR because they lack sufficient detail and granularity, according to the Commission Nationale de l’Informatique et des Libertés (CNIL).
This matters for U.S. companies as well, because the same logic applies when app permissions are used as a “Do Not Sell” opt-out or as consent for sensitive information (e.g. precise location, biometrics) under U.S. privacy laws. Since the OS controls the wording of the permission prompt and you cannot edit it, you may need your own supplemental disclosure or consent flow.
Key points:
- Permissions are only intended to grant or block access to the protected resources and information of the mobile device, regardless of the purposes pursued by the publisher of the application.
- A permission request on its own is fine when consent is not the required legal basis (e.g. collecting location data to make a navigation app work).
- When consent IS required, a simple permission request is sufficient only in limited cases, for example when the permission relates to a single processing operation, a single purpose and a single recipient of the data.
- In most cases, a consent management platform (CMP) must be used in addition to the permission request.
- CNIL recommends that OS vendors give controllers flexibility in how permissions are structured.
- Controllers using both a CMP and a permission request must present them in a way that does not confuse the user.
- Consent can be obtained either before or after the permission request, but the user must be able to understand what each step is asking for and why.