Cookie Consent for Mobile Apps: GDPR and CCPA Compliance Guide

When we talk about cookie consent, websites get all the attention. But mobile apps process just as much — often more — personal data than websites. And the rules apply equally. GDPR does not distinguish between a website cookie and an app SDK that collects device IDs, location data, or advertising identifiers.

How Mobile Consent Differs from Web

Websites use cookies. Apps use SDKs, device identifiers (IDFA/GAID), local storage, and API calls. The technology is different, but the legal requirement is the same: you need informed, freely given consent before collecting personal data for non-essential purposes.

  • Websites: Cookie banners, Consent Mode, TCF strings
  • Apps: In-app consent dialogs, ATT prompts (iOS), SDK initialisation gates
  • Both: Must obtain consent before tracking, must allow withdrawal, must keep records

Apple ATT vs GDPR Consent

Apple's App Tracking Transparency (ATT) is not the same as GDPR consent. ATT is Apple's platform requirement — it controls IDFA access. GDPR is a legal requirement — it controls all personal data processing. You need both. An ATT opt-in does not satisfy GDPR, and GDPR consent does not bypass ATT.

What Needs Consent in Mobile Apps

Implementation Best Practices

  • Show consent before SDK initialisation — do not load tracking SDKs until the user consents
  • Provide granular choices — analytics and advertising should be separate toggles
  • Support consent withdrawal — users must be able to change their mind from app settings
  • Store consent records — keep server-side logs with timestamps and consent scope
  • Handle ATT and GDPR separately — ATT opt-in alone is not sufficient for GDPR
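The practices above can be sketched as a small consent gate for a hybrid app. This is an added example, not FlexyConsent's code or API: `ConsentGate`, the SDK stubs and the `sendRecord` hook are hypothetical names, and the ATT status is assumed to arrive from the native layer.

```javascript
// Added example. ConsentGate, the SDK stubs and sendRecord are hypothetical names.
class ConsentGate {
  constructor(sendRecord) {
    this.sendRecord = sendRecord; // assumed hook that ships records to your server
    this.gdpr = {};               // purpose -> true/false; empty means no consent yet
    this.attAuthorized = false;   // ATT status, tracked separately from GDPR consent
    this.sdks = [];
  }
  // sdk: { name, purpose, needsIdfa, init(), shutdown() }. Registering never starts it.
  register(sdk) { this.sdks.push({ ...sdk, running: false }); this.apply(); }
  setAtt(authorized) { this.attAuthorized = authorized; this.apply(); }
  // Called on the first choice and on every later change from app settings.
  setConsent(choices, now = new Date()) {
    this.gdpr = { ...choices };
    this.sendRecord({ timestamp: now.toISOString(), scope: { ...choices } });
    this.apply();
  }
  allowed(sdk) {
    const gdprOk = this.gdpr[sdk.purpose] === true;     // opt-in, default deny
    const attOk = !sdk.needsIdfa || this.attAuthorized; // ATT only gates IDFA users
    return gdprOk && attOk;
  }
  apply() {
    for (const sdk of this.sdks) {
      const ok = this.allowed(sdk);
      if (ok && !sdk.running) { sdk.init(); sdk.running = true; }
      else if (!ok && sdk.running) { sdk.shutdown(); sdk.running = false; }
    }
  }
  running() { return this.sdks.filter((s) => s.running).map((s) => s.name); }
}

// Constructed walk-through with stub SDKs; returns the state after each step.
function demo() {
  const records = [];
  const gate = new ConsentGate((r) => records.push(r));
  const stub = (name, purpose, needsIdfa) =>
    ({ name, purpose, needsIdfa, init() {}, shutdown() {} });
  gate.register(stub("analyticsSdk", "analytics", false));
  gate.register(stub("adsSdk", "advertising", true));
  const steps = { start: gate.running() };
  gate.setAtt(true);
  steps.attOnly = gate.running();     // ATT opt-in alone starts nothing
  gate.setConsent({ analytics: true, advertising: true }, new Date(0));
  steps.consented = gate.running();
  gate.setConsent({ analytics: true, advertising: false }, new Date(1000));
  steps.withdrawn = gate.running();   // adsSdk is shut down again
  return { steps, records };
}
```

In a real app, `init` and `shutdown` would wrap each vendor SDK's own start and opt-out calls, and `sendRecord` would post to the server-side consent log.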

CCPA for Mobile Apps

California's CCPA/CPRA applies to apps that collect data from California residents. Unlike GDPR, CCPA uses an opt-out model — users can request that their data not be sold or shared. Your app needs a "Do Not Sell or Share My Personal Information" mechanism.

FlexyConsent for Mobile

FlexyConsent's lightweight JavaScript works in hybrid apps (Cordova, Ionic, React Native WebView) and mobile web. For native apps, our consent API provides the same TCF 2.3 and Consent Mode V2 signals that power the web solution.

FlexyConsent — Google Certified CMP.
