France: Data Protection Agency published recommendations for professionals designing mobile applications

On 14 January 2025, the Data Protection Agency (CNIL) published its recommendations to guide professionals in designing mobile applications that respect user privacy, with a focus on the role of permissions. Permissions in mobile applications allow users to control which features and data are accessible to each app, such as sensors or memory on their devices. These permissions are technical and do not regulate the purposes for which data is processed. The CNIL's recommendations emphasise that permissions are not the same as obtaining user consent under the General Data Protection Regulation (GDPR). Permissions help users block access to certain data, ensuring confidentiality, but they do not necessarily meet the requirements for free, specific, informed, and unambiguous consent. The CNIL advises operating system providers to design permission systems that allow app publishers to choose the scope of permissions as finely as possible, including the degree of data accuracy, the material scope, and the duration of authorisation. When both a consent management platform (CMP) and a permission request are presented to users, their articulation should be clear and not confusing.