Blog Post

Apps and the Danish Cookie Order (“Cookiebekendtgørelsen”)

by Anders Grandjean-Thomsen, 03.03.2025



Although cookies are typically associated with websites, the Danish Cookie Order also applies to apps that use data tracking mechanisms. This article explores some of the technical considerations for ensuring compliance, even though apps don’t store cookies in the traditional web-based sense.

What are cookies within the app domain?

The concept of “cookies” in the app domain doesn’t translate directly from what happens on websites. Apps don’t store cookies in the traditional sense, but they still collect similar types of data such as unique identifiers, device information, and user behavior through tools like SDKs (Software Development Kits) or analytics platforms.

These data points are used to improve the app, personalize user experience, track engagement, or support targeted advertising.

The Danish Cookie Order and the GDPR aren’t restricted to traditional web-based cookies but apply broadly to any mechanism that tracks or stores data on the users’ devices, which includes mobile apps.

Therefore, it’s important to understand that even though your app doesn’t store cookies in the web-based sense, if it collects data, it is likely to fall under the legislation that applies to cookies.

* The contents of this article should be seen as guiding principles, and you should always seek legal advice to make sure your app is compliant in your business context.

What are the guiding principles for a compliant app?

  1. Ensure valid consent: Make sure your users give freely given, specific, informed and unambiguous consent.
  2. Explain the tracking technologies used: Ensure you provide clear information on the tracking technologies used, including their purpose, provider, duration, and names. This information should be accessible within the app, either through a privacy policy, a cookie policy or a dedicated tracking screen.
  3. Allow users to refuse and withdraw consent: Your users need to have the ability to refuse being tracked and the choice to withdraw their consent later. This requires a process where your users are always able to access their consent preferences, so they can update their consent at any given time. It should be as easy to withdraw consent as it was to give it.
  4. Offer consent customization: It’s not necessary to collect individual consent for each and every tracking technology used in your app, but you must collect consent for each category of tracking (e.g. functional, statistical, marketing). Your users must be able to choose which tracking purposes they consent to, and the consent options must never be pre-ticked.
  5. Keep tracking information up to date: Ensure your tracking information is kept up to date. If new tracking technologies are introduced or the purpose of an existing technology is changed, you need to re-prompt the users for an updated consent.

What is the technical process when making your app compliant?

This step requires some technical insight into the app: the correct consent flows might be in place, but if the app itself overrides the user’s preferences and still tracks everything, the app is not compliant.

So, the first step is to document the current state of the app – from both a UI and a technical perspective.

If your app has an existing consent flow, document the flow: When and how are users prompted for consent? What options do they have? Can the consent be updated at a later stage?

Once the UI has been documented, the next step is to document when and how the app tracks the users and what tracking services are used. This can be done either by a developer or by a tech-savvy person using proxy tools (such as Proxyman or Charles Proxy) to map out what data is being sent out of the app.

At this stage, you should have all the information needed to assess whether the current state is compliant or whether tweaks need to be made.
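One way to turn the proxy capture into a repeatable check is sketched below. It is an added example, not code from the original article or from any CMP vendor, and it assumes the capture was exported from the proxy tool as a HAR file. The host names, the host-to-category inventory and the sample capture are all constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed inventory: every host the app talks to, mapped to one of the
# article's four tracking categories.
HOST_CATEGORIES = {
    "api.shop.example": "necessary",
    "prefs.shop.example": "functional",
    "stats.vendor.example": "statistical",
    "ads.vendor.example": "marketing",
}

# Constructed HAR excerpt, as if recorded after the tester accepted functional
# tracking and declined statistical and marketing tracking.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2025-03-03T10:00:01Z",
     "request": {"method": "POST", "url": "https://api.shop.example/login"}},
    {"startedDateTime": "2025-03-03T10:00:02Z",
     "request": {"method": "GET", "url": "https://prefs.shop.example/lang"}},
    {"startedDateTime": "2025-03-03T10:00:03Z",
     "request": {"method": "POST", "url": "https://stats.vendor.example/event"}},
    {"startedDateTime": "2025-03-03T10:00:04Z",
     "request": {"method": "GET", "url": "https://ads.vendor.example/id?x=1"}},
    {"startedDateTime": "2025-03-03T10:00:05Z",
     "request": {"method": "GET", "url": "https://cdn.unknown.example/sdk.js"}},
]}})


def audit_capture(har_text, consent, host_categories=HOST_CATEGORIES):
    """Return (timestamp, host, reason) for requests the consent does not cover."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        host = (urlsplit(entry["request"]["url"]).hostname or "").lower()
        category = host_categories.get(host)
        if category is None:
            # Destination missing from the inventory: categorise it manually.
            findings.append((entry["startedDateTime"], host, "uncategorised"))
        elif category != "necessary" and not consent.get(category, False):
            # A category absent from the consent record counts as refused,
            # mirroring the rule that options are never pre-ticked.
            findings.append((entry["startedDateTime"], host, category))
    return findings


if __name__ == "__main__":
    consent = {"functional": True, "statistical": False, "marketing": False}
    for when, host, reason in audit_capture(SAMPLE_HAR, consent):
        print(f"{when}  {host}  not covered by consent: {reason}")
```

Record one capture per consent combination (all declined, each category alone, all accepted) and run the check against each, so a category that is only respected in some combinations is caught.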

What are you allowed to track?

Now that you have a clearer idea on how to ensure a compliant app, let’s address a common question: What are you allowed to track in the app?

In short, you can break tracking down into 4 different categories: Necessary, Functional, Statistical and Marketing Tracking.

  1. Necessary Tracking: This covers the necessary stuff - the data needed for core app functions, like logging in, saving items in a shopping cart, or maintaining app settings. Essentially, it’s the data the app must track to work as expected.

    You are not required to ask for consent for necessary cookies as this data is needed to make the app function properly. It is however always a good idea to inform the user of this tracking. A brief mention in your privacy policy is a good way to be transparent.

    Data that is tracked through tracking technologies categorized as “necessary” can only be used for that purpose. You can therefore not use data collected through “necessary cookies” for e.g. marketing purposes without consent. If you want to use this data for purposes beyond app functionality, you must obtain the user’s consent.
  2. Functional Tracking: Functional tracking is about personalization, remembering choices that make the app more user-friendly, like language settings or layout preferences. These aren’t essential for the app to run but help make it a more enjoyable experience.

    Since functional tracking isn’t strictly necessary, users need to give their consent for you to track this data. Be sure to explain how this tracking makes the app more tailored to the user, allowing the user to make an informed choice.
  3. Statistical Tracking: This type of tracking gathers data on user behavior, such as most visited screens or how long users stay on certain pages. It helps you understand user interactions and improve the app over time.

    A rule of thumb is that explicit consent is required here. Users should know that this tracking is used for analytics only, not for identifying them personally. A clear explanation on how this data helps improve the app’s performance can encourage users to opt in.
  4. Marketing Tracking: Marketing tracking is all about personalized advertising. It collects data on user preferences to serve targeted ads, often in partnership with third-party advertising platforms. Consent from the user is needed for marketing tracking.

    Users should have easy access to information about what data is collected, how it is used, and who it is shared with, reinforcing transparency and trust.

    It's important to note that for Apple devices you also need to receive the user's permission through the AppTrackingTransparency (ATT) framework in order to track them or access their device's advertising identifier.

Off-the-shelf approach or do it yourself?

There are several vendors in the consent management platform (CMP) market that can ease the process of making your app compliant, although there are several factors to consider before selecting a CMP provider or choosing to implement your own custom solution.

A key consideration is the evolving EU User Consent Policy and its impact on personalized ads via services like Google AdSense, Ad Manager or AdMob.

If you need to use ad services like these, you are required to use a certified CMP vendor or get your custom solution certified.

The list of certified CMP providers can be found here.

Another aspect to consider is whether your app is part of a larger digital ecosystem where you need CMPs implemented in several places. In these cases, a great use case for the CMP providers is the ability to manage consents across several digital solutions.

An added benefit to consider is that many CMP providers also offer SDK scanning software. These tools can help you categorize the different tracking SDKs implemented in your app. If your app is based on a cross-platform solution like React Native, the accuracy of the scanner can differ due to React Native’s plugin architecture, so a developer should manually review and categorize the results before relying on them.

Lastly, there’s the pricing aspect. If you’re in need of a very basic consent setup, a custom solution can be preferred to avoid having monthly costs to a CMP provider, as the price can be greater over time compared to the time spent on the custom solution.

Not sure what direction to go with?

Ensuring compliance in apps involves both technical and strategic considerations - from understanding tracking categories to implementing a compliant consent flow. Whether you choose to build your own solution or work with a CMP provider, the right approach depends on your business needs, technical setup, and long-term goals. If you’re unsure about the best approach, our app team at Merkle has a decade’s worth of experience and can help guide you through the process. Feel free to reach out to Anders Grandjean-Thomsen for more information.
