If your mobile app has users in the EU or California, two privacy laws can reach you regardless of where your company is based: the EU's GDPR and California's CCPA, as amended by the CPRA. They are not just website concerns; an app that collects personal data owes those users transparency, rights over their data, and a lawful reason (or an honored opt-out) for processing it. The good news is that the practical steps overlap heavily, and many of them line up with what the app stores already require. This is a high-level overview to orient you, not legal advice; the specifics for your app warrant a professional.
Short answer
The GDPR (European Union) and the CCPA, as amended by the CPRA (California), are data privacy laws that apply to mobile apps based on where the users are, not where the developer is (the CCPA additionally applies only to businesses above certain thresholds). Both require you to be transparent about the personal data you collect, to have a lawful basis for processing (GDPR) or to honor opt-outs (CCPA), and to give users rights such as accessing and deleting their data. For an app, that means a clear privacy policy, consent or opt-out mechanisms, a way to honor data-subject and consumer requests, minimizing and securing the data you collect, and contracts with the vendors and SDKs that process it. This is general information, not legal advice; consult a professional for your specifics.
What you should know
- They apply by user location: EU or California users, not your location.
- Transparency is required: a clear privacy policy and honest disclosures.
- Users have rights: access, deletion, and opt-outs over their data.
- Lawful basis or opt-out: GDPR needs a basis; CCPA centers on opt-out.
- Minimize and secure data: collect less and protect what you keep.
What do GDPR and CCPA require?
At a high level: transparency, a basis for processing, user rights, and data protection. The GDPR requires a lawful basis for every processing activity (consent is one of six; legitimate interests and contractual necessity are others), clear notice of what you collect and why, and honoring data-subject rights including access, correction, deletion, and portability. It also imposes principles such as data minimization and privacy by design, and obligations such as breach notification and written agreements with your data processors. Consent for non-essential tracking identifiers comes from the EU ePrivacy rules that apply alongside the GDPR, which is why a tracking SDK needs an opt-in even where other processing does not. The CCPA and CPRA give California consumers rights to know what is collected, to correct and delete it, and to opt out of the sale or sharing of their personal information, plus protection from discrimination for exercising those rights, with the well-known "Do Not Sell or Share My Personal Information" mechanism. They differ in framing: the GDPR is lawful-basis oriented, the CCPA is disclosure and opt-out oriented, but both demand that you know and control your data practices.
GDPR versus CCPA at a glance
The two overlap in spirit and differ in mechanics. The table compares them.
| Aspect | GDPR (EU) | CCPA / CPRA (California) |
|---|---|---|
| Applies to | Processing data of people in the EU | Personal info of California consumers, with thresholds |
| Basis to process | Requires a lawful basis, such as consent | Allowed with disclosure; consumers can opt out |
| Core user rights | Access, correction, deletion, portability | Know, delete, opt out of sale or sharing |
| Consent | Required for non-essential tracking (ePrivacy rules); otherwise one of several lawful bases | Opt-out model for sale or sharing |
| Hallmark mechanism | Consent and clear notice | Do Not Sell or Share My Personal Information |
The practical overlap is large: both require honest disclosure of what you collect, both give users a way to access and delete their data, and both reward minimizing what you collect in the first place. Building to the stricter requirements, generally the GDPR's, covers much of the CCPA as well, but not all of it: the CCPA's opt-out mechanics, such as a visible "Do Not Sell or Share" control and honoring opt-out preference signals, have no GDPR equivalent and have to be built separately.
What does it mean for your app?
Concrete, overlapping steps you can build toward:
- Provide a clear, accurate privacy policy that states what data you collect, why, and who you share it with, and keep it consistent with your App Privacy label on the App Store and your Data safety form on Google Play.
- Implement the consent and opt-out mechanisms the laws expect: an opt-in before any non-essential tracking for EU users, and an opt-out path for sale or sharing for California users. On iOS this includes the App Tracking Transparency prompt, which Apple requires before you touch the advertising identifier regardless of which law applies.
- Build the ability to honor requests to access and delete a user's data, since both laws grant deletion rights and Apple separately requires in-app account deletion for apps that offer account creation.
- Minimize what you collect, since the least risky data is the data you never gather, and secure what you keep: encrypted storage (the platform keystore or Keychain for secrets) and TLS in transit.
- Put agreements in place with the vendors and SDKs that process personal data on your behalf, and know what each SDK actually sends.
None of this is legal advice; it is the practical shape of compliance you should confirm with a professional.
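As an added illustration (not code from the original page or from PTKD), here is how the consent gating described above can be wired on iOS in Swift. `ATTrackingManager` and the `NSUserTrackingUsageDescription` Info.plist key are Apple's real APIs; the `TrackingSDK` wrapper and the `UserDefaults` key for the user's Do Not Sell or Share choice are hypothetical stand-ins for whatever analytics SDK and settings storage your app uses.

```swift
import AppTrackingTransparency
import Foundation

/// Hypothetical wrapper around whatever analytics or ads SDK the app embeds.
/// `shareWithThirdParties: false` means first-party, essential telemetry only.
enum TrackingSDK {
    static func start(shareWithThirdParties: Bool) {
        // Real SDKs expose their own switch for this (e.g. disabling ad ID collection).
        print("tracking SDK started, third-party sharing = \(shareWithThirdParties)")
    }
}

/// Hypothetical key under which the app stores the user's CCPA
/// "Do Not Sell or Share My Personal Information" choice from its settings screen.
private let doNotSellOrShareKey = "privacy.doNotSellOrShare"

func userOptedOutOfSaleOrSharing() -> Bool {
    UserDefaults.standard.bool(forKey: doNotSellOrShareKey)
}

/// Start third-party tracking only on an affirmative ATT grant (opt-in, the GDPR posture)
/// and only if the user has not opted out of sale or sharing (the CCPA posture).
/// Call this once the app is active in the foreground; Info.plist must contain
/// NSUserTrackingUsageDescription or the ATT prompt is never shown.
func configureTrackingAfterConsent() {
    let optedOut = userOptedOutOfSaleOrSharing()

    guard #available(iOS 14, *) else {
        // No ATT framework below iOS 14: treat as no tracking consent.
        TrackingSDK.start(shareWithThirdParties: false)
        return
    }

    switch ATTrackingManager.trackingAuthorizationStatus {
    case .notDetermined:
        // First run: ask. The completion handler may run off the main thread.
        ATTrackingManager.requestTrackingAuthorization { status in
            DispatchQueue.main.async {
                TrackingSDK.start(shareWithThirdParties: status == .authorized && !optedOut)
            }
        }
    case .authorized:
        // ATT granted, but a CCPA opt-out still wins.
        TrackingSDK.start(shareWithThirdParties: !optedOut)
    case .denied, .restricted:
        // Denied by the user, or restricted by device policy: never hand data to third parties.
        TrackingSDK.start(shareWithThirdParties: false)
    @unknown default:
        TrackingSDK.start(shareWithThirdParties: false)
    }
}

/// Called from the app's "Do Not Sell or Share My Personal Information" toggle.
/// Persists the choice and re-evaluates immediately so the opt-out takes effect
/// without a restart.
func setDoNotSellOrShare(_ optOut: Bool) {
    UserDefaults.standard.set(optOut, forKey: doNotSellOrShareKey)
    configureTrackingAfterConsent()
}
```

Two details matter in practice. The ATT status persists across launches, so the prompt appears once and `trackingAuthorizationStatus` is the source of truth afterward; and the opt-out flag is checked before every SDK start, so a user who granted ATT and later opts out under the CCPA is still excluded from sharing. Anything the SDK does before `configureTrackingAfterConsent` runs is data you have already sent, so initialize tracking SDKs lazily rather than in `application(_:didFinishLaunchingWithOptions:)`.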
What to watch out for
The first trap is assuming the laws do not apply because your company is elsewhere; they apply based on where your users are. The second is a privacy policy, App Privacy label, or Data safety form that does not match what the app actually does, which is both a compliance problem and an app-store rejection risk; third-party SDKs are a common source of the mismatch, since they collect and transmit data you never wrote code for. The third is collecting more data than you need, which increases both risk and obligations. Compliance is largely a legal and process matter, so it sits beyond a security scan, but a pre-submission scan such as PTKD.com (https://ptkd.com) reads your binary against OWASP MASVS and surfaces what data your app collects and sends and whether it is protected, which supports the data-minimization and security side of these laws. The legal sufficiency of your compliance needs a qualified professional, since this is not legal advice.
What to take away
- The GDPR and CCPA apply to mobile apps based on where users are, not where the developer is, whenever the app handles those users' personal data.
- They require transparency, a lawful basis or honored opt-outs, user rights like access and deletion, data minimization, and securing the data.
- Build a clear privacy policy aligned with your App Privacy label and Data safety form, consent and opt-out mechanisms, deletion support, and vendor agreements.
- A pre-submission scan such as PTKD.com supports the data-minimization and security side by showing what your app collects and protects; consult a professional for legal sufficiency, since this is not legal advice.

