
CNIL's Mobile App Privacy Guidelines | Why France is scaling their app enforcement.

Mobile apps carry 60% of global internet traffic. They also tend to collect more sensitive data than websites: real-time location, photos, contact lists, often through third-party components that even the app publisher does not fully understand. That is the problem, and CNIL (Commission Nationale de l'Informatique et des Libertés), France's data protection authority, has noticed.

Regina Szalai

In spring 2025, CNIL published an extensive set of recommendations signalling a clear shift: mobile app enforcement is scaling up. These recommendations are not just for app publishers. They target the entire ecosystem: developers, SDK providers, operating system providers and app stores.

Here is what you need to know about CNIL's mobile privacy expectations as an app publisher:

1. Map your data and data flows

CNIL expects you to know what personal data your app collects, where it goes, and whether adequate security measures are in place. If you can't answer these questions today, you have a problem.

2. Map processing activities and purposes

Every dataset needs a defined purpose and a legal basis. Is the processing based on consent, contractual necessity or legitimate interest? If that is unclear, the processing is non-compliant under CNIL's mobile privacy guidelines.

3. Map and assess your third-party building blocks

This is where most companies get caught. You are legally responsible for every third-party building block (SDK, software development kit) embedded in your app, including the ones a developer added without telling you. CNIL recommends building a registry: document what each SDK processes and on which legal basis, and audit it regularly. SDKs have a life of their own: vendors ship updates, behaviour changes between versions, and one SDK can pull in others as dependencies.

4. Review your permission mechanisms

Does your app request access to the microphone, camera, or location? Make sure every permission serves a legitimate, documented purpose — and that your privacy policy reflects what actually happens.

5. Ensure consent mechanisms are present and working

It is not enough to have a consent banner. It needs to work. CNIL's mobile privacy guidelines require that consent mechanisms work continuously and are audited regularly. A broken consent flow is not a technical glitch; it makes you liable.

6. Integrate privacy-by-design throughout the app lifecycle

CNIL emphasizes integrating data minimization, processing rules and deletion policies — these can't be afterthoughts. Privacy professionals and privacy tech need to be involved from the design stage, not called in after launch to clean up.

7. Maintain up-to-date compliance documentation

Records of Processing Activities (RoPA), Data Protection Impact Assessments (DPIA), retention policies and their justifications: all of it needs to be current, not collecting dust from two years ago. CNIL's audits check that this documentation is up to date.
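As an added example of the registry-versus-build check that items 3, 4 and 7 call for (not code from the original post, from CNIL, or from any vendor tool): the script below parses a constructed AndroidManifest.xml, lists the declared permissions and the components that third-party SDKs register, and diffs both against a constructed privacy registry. It reports permissions and SDK components that nobody has documented, and registry entries that no longer match the build. The registry format, the package-prefix heuristic for spotting third-party code, and every vendor and package name are assumptions of this example.

```python
"""Audit an Android manifest against a privacy registry.

Added example, not from the original post or any vendor tool. The manifest
and the registry below are constructed sample data. Element and attribute
names follow the real AndroidManifest.xml schema; the registry format and
the package-prefix heuristic are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the namespaced android:name attribute

# Constructed sample manifest: a first-party app plus three third-party
# components (ads, analytics, crash reporting) and a handful of permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:name="com.example.shop.App">
        <activity android:name=".MainActivity"/>
        <activity android:name="com.example.shop.checkout.CheckoutActivity"/>
        <service android:name="com.adsvendor.sdk.AdService"/>
        <provider android:name="com.analyticsco.core.InitProvider"
                  android:authorities="com.example.shop.analyticsco"/>
        <receiver android:name="com.crashtool.reporter.BootReceiver"/>
    </application>
</manifest>
"""

# Constructed registry: what the privacy team has documented so far.
# Permissions map to a purpose and legal basis; SDKs are keyed by the Java
# package prefix their components live under.
REGISTRY = {
    "permissions": {
        "android.permission.INTERNET": "Deliver the service (contract)",
        "android.permission.ACCESS_FINE_LOCATION": "Store finder (consent)",
        "android.permission.CAMERA": "Scan loyalty cards (consent)",
        # Documented for a voice-search feature that was later removed.
        "android.permission.RECORD_AUDIO": "Voice search (consent)",
    },
    "sdks": {
        "com.adsvendor.": {"vendor": "AdsVendor", "data": ["ad ID", "IP"],
                           "basis": "consent"},
        "com.crashtool.": {"vendor": "CrashTool", "data": ["stack traces"],
                           "basis": "legitimate interest"},
    },
}


def parse_manifest(xml_text):
    """Return (app_package, declared permissions, component class names)."""
    root = ET.fromstring(xml_text)
    app_pkg = root.get("package")
    perms = [e.get(NAME) for tag in ("uses-permission", "uses-permission-sdk-23")
             for e in root.iter(tag)]
    comps = []
    for tag in ("activity", "service", "provider", "receiver"):
        for e in root.iter(tag):
            name = e.get(NAME)
            if name.startswith("."):        # shorthand for the app's own package
                name = app_pkg + name
            comps.append(name)
    return app_pkg, perms, comps


def third_party_components(app_pkg, comps):
    """Heuristic: any component outside the app's own package is SDK code."""
    return [c for c in comps if not c.startswith(app_pkg + ".")]


def audit(xml_text, registry):
    """Diff the manifest against the registry in both directions."""
    app_pkg, perms, comps = parse_manifest(xml_text)
    undocumented_perms = sorted(p for p in perms if p not in registry["permissions"])
    undocumented_sdks = sorted(
        c for c in third_party_components(app_pkg, comps)
        if not any(c.startswith(prefix) for prefix in registry["sdks"]))
    # Registry entries absent from the build are stale documentation (item 7).
    stale_perms = sorted(p for p in registry["permissions"] if p not in perms)
    return {
        "undocumented_permissions": undocumented_perms,
        "undocumented_sdk_components": undocumented_sdks,
        "stale_permission_entries": stale_perms,
    }


if __name__ == "__main__":
    for key, items in audit(SAMPLE_MANIFEST, REGISTRY).items():
        print(f"{key}: {items or 'none'}")
```

On the sample data this flags READ_CONTACTS as an undocumented permission, the analytics provider as an undocumented SDK component, and RECORD_AUDIO as a registry entry the build no longer uses. Two practical caveats: run it against the merged manifest of a release build (for example the output of `apkanalyzer manifest print app.apk`), not the source manifest, because SDK components are only merged in at build time; and an SDK that registers no manifest components is invisible to this check, so a dependency-list review is still needed alongside it.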


CNIL's Mobile App Privacy enforcement as of late 2025—over a million in fines and counting

As promised, CNIL scaled up mobile privacy enforcement in the second half of 2025. Big players with a strong app presence, Google and Shein, made headlines with fines totalling a record €475 million for violating consent and cookie rules.

Consent and cookies, together with data security, were the biggest themes for sanctions. Around €980,000 in fines were imposed on companies engaged in data broker practices. This signals that CNIL has recognised a core issue: data brokers collect, retain and/or transfer data without consent, and in many cases without the knowledge of the app publisher. In mobile apps this unlawful collection usually runs through embedded SDKs; on the web, through cookies.

Two further cases involved companies whose business centres on mobile application development. Their fines totalled €287,000, imposed for inadequate data security and missing consent mechanisms for data collection.

CNIL is well aware of mobile privacy issues, and since releasing the guidelines it has shown a clear tendency to audit mobile app-related entities.


Don't know where to start with app compliance?

If reading this list feels overwhelming, you are not alone. Most privacy professionals we talk to struggle with one fundamental issue: they cannot independently verify what their apps actually do under the hood. Getting an answer means days of back and forth with the right stakeholders and developers to open up the app and work out what it does, and even then they seldom get the full picture.

That's exactly what our autonomous app auditor was built for. We automate the visibility that CNIL expects you to have — mapping personal data, data flows, SDKs, permissions, and consent mechanisms — and translate technical findings into compliance language you can act on.

No more relying on developers to self-report. No more blind spots.

