GDPR, CCPA, and Cookie Law: What They Mean for You and Your Mobile App

Q: Why choose Adalo over other app building solutions?

Adalo is the visual AI builder designed to get you from idea to the App Store and Google Play with a single build that works across web, iOS, and Android. Build web and native mobile apps with a built-in database, view all your app's screens on a single visual canvas, preview how your app looks on any device, and visually direct the AI rather than relying on chat-only prompts. Starting at $36/month with truly unlimited usage, Adalo is the most affordable way to publish native apps to the app stores.

Q: What's the fastest way to build and publish an app to the App Store?

With Adalo's no-code app builder, use Magic Start to generate your entire app—database, screens, and user flows—from a description. Then see your entire app laid out on one visual canvas, preview on any device form factor, and visually instruct the AI by pointing at what you want changed. Adalo manages the app store submission for you, so you can get from concept to a live app in the App Store in days, not months.

September 8, 2020

For app developers using Adalo—a no-code app builder for database-driven web apps and native iOS and Android apps, with one version across all three platforms published to the Apple App Store and Google Play—understanding these legal requirements is essential before launching any application that collects user data.

This guide covers everything you need to know about privacy compliance for mobile apps, from US and EU regulations to practical implementation steps.

General Legal Requirements for Mobile Apps

Privacy laws worldwide share common requirements for apps that process personal data. You must:

Make disclosures about your data processing activities via a comprehensive privacy policy
Ensure effective security measures protect personal data
Implement methods for receiving user consent or facilitating its withdrawal

Consent refers to the informed voluntary agreement of an individual to engage in a particular event or process. It may be acquired using any method that requires the user to take an affirmative and verifiable action—checkboxes, text fields, toggle buttons, or sending a confirmation email.

In general, users need to be informed of:

App owner details and contact information
The effective date of your privacy policy
Your notification process for policy changes
What data is being collected and why
Third-party access to their data (who the third-parties are and what data they're collecting)
Their rights regarding their data, including access, correction, and deletion

These requirements apply regardless of how you build your app. Whether you're using Adalo's AI-assisted building tools or traditional development methods, the legal obligations remain the same.

US, EU, International: How to Determine Your Law of Reference

Generally, the laws of a particular region apply if:

You base your operations there
You use processing services or servers based in the region
Your service targets users from that region

This effectively means that regional regulations may apply to you and/or your business whether you're located in the region or not. For that reason, it's always a good idea to handle your data processing activities with the strictest applicable regulations in mind.

Here's a simple rule of thumb:

Law of reference: Comply with the laws of the country in which you base your operations, as well as those of the country your app targets
Language of your documents: Your legal documents must be written in the same language as your app so your users can understand them

With over 3 million apps created on Adalo and users spanning global markets, most app builders need to consider both US and EU regulations. Let's examine the main requirements for each.

US Law: CalOPPA and CCPA

In the US, there is currently no single comprehensive national body of data regulations. Various state-level laws, industry guidelines, and specific federal laws create a patchwork of requirements. Since online app activity is rarely limited to just one state, it's always best to adhere to the strictest applicable regulations—like those implemented by California.

California Online Privacy Protection Act (CalOPPA)

CalOPPA was the first state law to make privacy policies mandatory. It applies to any person or company whose website or app processes personal data of California residents. In addition to the generally required disclosures above, CalOPPA requires that you:

Post your privacy policy on the homepage of your website/app
Include a description of the process by which users can request changes to personal data (if such a process exists)
Include a statement on how "Do Not Track" requests are handled
Notify affected users in the occurrence of security breaches that impact their data

Regarding consent, US law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving "sensitive data"—health information, credit reports, student data, or personal information of children under 13. In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.

California Consumer Privacy Act (CCPA)

The CCPA complements but does not replace CalOPPA—both still apply. Fully enforceable since July 1st, 2020, the CCPA enhances consumer privacy rights for California residents.

Under the CCPA, businesses that target Californian consumers must include specific disclosures in their privacy policies:

Descriptions of consumer rights
Processing partners and their purposes
Data sources and categories collected
Information about data sales or sharing

Californian users need to be informed of the possibility of their data being sold. You can think of "sold" here as "shared with third parties for any profit, monetary or otherwise." The disclosure needs to be visible from the homepage and must include an opt-out (DNSMPI) link.

You can read more about the CCPA here.

The GDPR specifies how personal data should be lawfully processed and can apply to you whether your company is based in the EU or not. If your app can be used by EU users (or you're based in the EU), the GDPR applies to you.

Compared to US regulations, the GDPR is more strict when it comes to consent. Consent under the GDPR must be "explicit and freely given." This means the mechanism for acquiring consent must be unambiguous and involve a clear "opt-in" action. The regulation specifically forbids pre-ticked boxes and similar "opt-out" mechanisms.

You can read more about the GDPR here.

EU users need to be informed about cookie use and given the option to consent or decline. The ePrivacy Directive requires users' informed consent before storing cookies on a user's device and tracking them. If your app (or any third-party service used by your app) uses cookies, you must obtain valid consent prior to installation.

This applies to apps built on any platform. When you publish your Adalo app to the App Store and Google Play, these cookie consent requirements follow your app into both stores.

Privacy Policy Requirements

Under most countries' laws, it's mandatory that you disclose details related to privacy and your data processing activities. Mobile apps are no exception—they're required to provide a privacy policy and, if they use cookies and similar tracking technologies, a cookie policy.

To be compliant, your policy must be:

Up-to-date with current data practices
Understandable in plain language
Unambiguous about what data you collect and why
Easily accessible throughout the app

You may be further responsible for making additional disclosures to users, third-parties, and supervisory authorities depending on your law of reference.

Without a Privacy Policy, You Risk App Store Rejection

Both the Apple App Store and Google Play require apps to have a valid privacy policy and to follow applicable law. Failure to do so can result in massive fines, app store rejection, leave you open to litigation, and negatively affect the credibility of your app.

This is particularly important for builders using platforms like Adalo that publish directly to both app stores from a single codebase. Your privacy policy needs to satisfy both Apple and Google's requirements simultaneously.

iOS App Privacy Requirements

App Store Connect requires a privacy policy for all new apps and app updates. Article 5.1 of Apple's App Store Review Guidelines provides an overview of Apple's privacy guidelines and grounds for rejection where these conditions are not met.

Article 5.1.1 on Data Collection and Storage specifies:

(i) Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:

Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data
Confirm that any third party with whom an app shares user data—such as analytics tools, advertising networks, and third-party SDKs, as well as any parent, subsidiary, or other related entities—will provide the same or equal protection of user data as stated in the app's privacy policy
Explain data retention/deletion policies and describe how a user can revoke consent and/or request deletion of their data

Your app's privacy policy link or text will only be editable when you submit a new version of your app. With Adalo's unlimited app updates on paid plans, you can revise and republish whenever your privacy practices change.

Read more about Privacy Policy for iOS Apps.

Android App Privacy Requirements

Google Play explicitly requires that a link to a privacy policy be visible on your app's store listing page and within your app in cases where:

Your app handles personal or sensitive user data, as defined in the user data policies (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data)
Your app is in the "Designed for Families" program (regardless of access to sensitive permissions or data)

However, it's critical to note that platform requirements aside, under the vast majority of legislations—particularly California's CalOPPA, CCPA, and the GDPR—privacy notices are legally required regardless of Google's specific mandates.

If your Android app processes personal data for reasons unrelated to its functionality, you're required to make additional, easily visible disclosures about this usage and collect user consent where required.

Read more about Privacy Policy for Android Apps.

Cookies, Trackers, and Similar Technologies

Many app developers use cookies either in-app or via their app's website for everything from usage statistics to remarketing ads. If you use non-exempt cookies (statistical, advertising, or profiling cookies) and you have EU-based users, you're required by law—and by law-abiding third-parties such as Apple and Google—to comply with legal requirements under the ePrivacy Directive and the GDPR.

The Cookie Law requires users' informed consent before storing cookies on a user's device and/or tracking them. If you have EU-based users and your app (or any third-party service used by your app) uses cookies, trackers, and similar tracking technologies:

You must inform users about your data collection activities and give them the option to choose whether it's allowed
You must obtain informed consent prior to the installation of those cookies

You'll need to:

Provide a cookie policy
Show a cookie banner at the user's first access
Block non-exempt cookies before obtaining user consent (and release them only after informed consent has been provided)

This generally means having a valid cookie policy and cookie consent management solution in place.

The cookie policy must:

Indicate the type of cookies installed (statistical, advertising, etc.)
Describe in detail the purpose of installation of cookies
Indicate all third-parties that install or could install cookies, with links to their respective policies and any opt-out forms
Be available in all languages in which the service is provided

The cookie banner should:

Inform users of any cookies that your app uses
Ask for the user's consent before running those cookies (and clearly state which action will signify consent)
Be sufficiently conspicuous to be noticeable
Link to a cookie policy that explains the purpose of various cookie categories and third-parties involved

Because informed opt-in or prior consent is required under the GDPR and ePrivacy, you need a mechanism that blocks non-exempt cookies until the user has given consent via an affirmative action such as clicking an "Accept" button. Prior to consent, no cookies—except for exempt cookies—can be installed.

Additionally, if you monetize your app or its content by running third-party ads, you should consider meeting industry standards by utilizing IAB's Transparency and Consent Framework—which allows users to set advertising preferences and communicates consumer consent across participating ad networks. Failure to do so can result in limited ad network access and, ultimately, a decrease in ad revenue.

Special Requirements for Apps Used by Children

If your app is knowingly collecting, using, or disclosing personal information from children under 13, there are special guidelines you're legally required to follow under the vast majority of legislations, including both US and EU law.

US: COPPA Requirements

The Children's Online Privacy Protection Act (COPPA) is a United States federal law protecting the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13 (or which have actual knowledge that they are collecting personal information from children under 13) must:

Give notice to parents
Get verifiable consent before collecting, using, or disclosing personal information
Keep secure the information they collect from children

"Verifiable" means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult—for example, control questions or credit card verification.

A central requirement of this Act is having a COPPA-compliant privacy policy in place.

Under EU GDPR, consent is one of the lawful bases for processing children's data. If using this basis for processing data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service.

You must make reasonable efforts (using available technology) to verify that the person giving consent actually holds parental responsibility for the child. Furthermore, if you target children over the age of 13, you must write clear and age-appropriate privacy notices so they understand what they're consenting to.

Learn more about legal requirements for apps used by children.

How to Make Your App Compliant in Minutes

Creating a privacy policy and handling cookie consent for your app can be a serious headache. iubenda's solutions can help: Their Privacy Policy Generator and Cookie Management Solution make complying with multiple laws and app platform requirements easy.

Their solutions are:

Affordable for independent developers and small teams
Drafted by an international legal team
Fully customizable to your specific data practices
Available in 8 languages
Always up-to-date with main global legislations like COPPA, CCPA, GDPR, and others

Visit iubenda.com/en/mobile to generate your privacy policy and manage cookie consent to meet GDPR, CCPA, ePrivacy, and major app store requirements.

Building Privacy-Compliant Apps with Adalo

Ada, Adalo's AI builder, lets you describe what you want and generates your app. Magic Start creates complete app foundations from a description, while Magic Add adds features through natural language.

Adalo's AI-powered app builder makes it straightforward to integrate privacy compliance into your app from the start. With Magic Start, you can generate complete app foundations from descriptions—including user authentication flows that support consent management. Magic Add lets you describe features you need, like "add a privacy policy acceptance screen," and the platform generates the necessary components.

The platform's modular infrastructure scales to serve apps with millions of monthly active users, with no upper ceiling on database records for paid plans. This means your privacy consent records, user preferences, and compliance logs can grow without hitting storage limits—a common constraint on other platforms.

Unlike platforms that charge based on usage or database records, Adalo's paid plans include unlimited usage with no bill shock. You won't face unexpected charges as your user base grows and generates more consent records.

Want to take your app to new heights but don't know where to start? Get help from a world-class team of Adalo experts who can help you build, debug, and ensure your app meets compliance requirements. You can even get 1:1 coaching from an expert to help you solve your problems—learn more.

Key Takeaways

Privacy policies are mandatory for app store approval and legal compliance in most jurisdictions
Follow the strictest applicable law—if you target both US and EU users, GDPR's opt-in requirements should be your baseline
Cookie consent requires prior blocking—non-exempt cookies cannot run until users actively consent

FAQ

Why choose Adalo over other app building solutions?

Adalo is an AI-powered app builder that creates true native iOS and Android apps. Unlike web wrappers, it compiles to native code and publishes directly to both the Apple App Store and Google Play Store from a single codebase—the hardest part of launching an app handled automatically. Paid plans include unlimited database records and no usage-based charges.

What's the fastest way to build and publish an app to the App Store?

Adalo's drag-and-drop interface and AI-assisted building tools let you go from idea to published app in days rather than months. Magic Start generates complete app foundations from descriptions, and the platform handles the complex App Store submission process so you can focus on features instead of certificates and provisioning profiles.

Can I easily make my app legally compliant with privacy laws?

Yes. Adalo integrates with solutions like iubenda to help you generate privacy policies and manage cookie consent, ensuring your app meets requirements for GDPR, CCPA, CalOPPA, and app store guidelines without needing legal expertise.

Do I need a privacy policy for my mobile app?

Yes, both the Apple App Store and Google Play require apps to have a valid privacy policy. Beyond platform requirements, laws like CalOPPA, CCPA, and GDPR legally mandate privacy policies for apps that collect personal data. Without a compliant privacy policy, you risk app store rejection, legal fines, and damage to your app's credibility.

What's the difference between US and EU privacy law requirements?

US laws like CalOPPA and CCPA generally require opt-out consent mechanisms and specific disclosures about data practices. EU's GDPR is stricter, requiring explicit opt-in consent through clear affirmative actions like checking boxes. If your app targets users in both regions, follow the stricter GDPR requirements to ensure compliance everywhere.

If your app uses cookies, trackers, or similar technologies and has EU-based users, you must comply with the ePrivacy Directive (Cookie Law) and GDPR. This means displaying a cookie banner, obtaining informed consent before installing non-exempt cookies, and providing a detailed cookie policy explaining what data you collect and why.

What special requirements apply if my app is used by children?

If your app collects data from children under 13, you must comply with COPPA in the US and GDPR provisions in the EU. Both require obtaining verifiable parental consent before collecting children's data, using methods that can't easily be faked by a child. You'll also need a COPPA-compliant privacy policy and age-appropriate privacy notices.

How long does it take to make an app privacy compliant?

Using tools like iubenda's Privacy Policy Generator, you can create a compliant privacy policy in minutes. Implementing cookie consent management takes slightly longer but can typically be completed in an afternoon. The key is starting early—building compliance into your app from the beginning is easier than retrofitting it later.

What happens if my app isn't privacy compliant?

Non-compliance can result in app store rejection, preventing your app from reaching users entirely. Beyond that, GDPR violations can result in fines up to €20 million or 4% of annual global turnover. CCPA violations carry fines of $2,500 per unintentional violation and $7,500 per intentional violation. The reputational damage from a privacy breach can be equally costly.

Do privacy requirements differ between web apps and native mobile apps?

The legal requirements are essentially the same—GDPR, CCPA, and other privacy laws apply regardless of platform. However, native mobile apps published to the App Store and Google Play face additional platform-specific requirements. Apple and Google both mandate privacy policies and have their own guidelines about data collection disclosures that must be met for approval.