Europe: Mobile gaming apps rarely compliant with basic EU data protection consent rules

By Patrick Van Eecke and Anthony Cornette

Mobile gaming apps may, and frequently do, have access to a lot of personal information. This personal information can include one’s contact list, location, calendar and photos. Through social network integration, this includes access to even more information.

Mobile gaming app providers, however, tend to forget applying some basic principles of European data protection legislation, such as asking the customer for informed consent before downloading the app.

Research on attitudes conducted by the European Commission shows that a majority of consumers are concerned about how companies use their personal information. Such attitudes have been cited by the Commission in its reform towards new EU data protection rules.

For mobile gaming app publishers, which includes many consumer facing companies who offer mobile apps for their customers, complying with current EU data protection law poses a significant challenge. European data protection law imposes that a data subject gives unambiguous consent to the processing of his or her personal information by a mobile app, since other grounds for legitimate processing under the law (e.g. in the performance of a contract) are usually not applicable. Such consent must be given freely, be explicit and informed, rather than assumed.

When considering to download a mobile gaming app, it is usually arduous to learn how data will be processed by the app. Some apps require the creation of an account, which usually includes the agreement to terms of service and a privacy policy. Signing up for an account creates in such cases the possibility to learn how personal data will be processed before agreeing. For other apps however, the options available to someone who is concerned about how personal information will be processed are usually limited. One option is to identify the app publisher’s website and hunt for the applicable privacy policy, if available. Another option is to download the app first, to see if the app contains additional privacy related information on how information is processed, or to be more precise, was processed after the fact.

Mobile app stores enable app publishers to provide a privacy policy when submitting an app. The Apple App Store even requires a privacy policy for certain apps, according to its Developer Guide, namely for those apps that offer auto-renewable or free subscriptions. However, for most apps on the Google Play store and the Apple App Store, submitting a privacy policy is optional and few apps do.

The current practice for app publishers on mobile applications stores is mostly not to provide a privacy policy. Depending on the type of personal information collected and the purposes of the processing, such an approach may be questioned from a compliance point of view to European data protection law, especially in light of the forthcoming new EU data protection regulation. On the other hand, currently accepted practices in the mobile app market do not tend towards providing privacy policies in app descriptions. It therefore remains to be seen how accepted market practices for mobile app publishers will evolve in the near future.


Should you have any further questions regarding the above, please contact Patrick Van Eecke (Patrick.vaneecke@dlapiper.com) or Anthony Cornette (anthony.cornette@dlapiper.com) .