Most engineering teams treat GDPR as a legal problem. For mobile apps, it is also an implementation problem, and it shows up in one specific place: SDK initialisation order.
Here is the gap that catches most teams out. Firebase Analytics, the Facebook SDK, AppsFlyer and Google AdMob are all commonly set to initialise on app launch, before any consent prompt has been shown or answered. That single default is enough to put you in breach, because GDPR requires a legal basis before processing starts, not after.
The fix is a consent gate. Split SDK calls into two groups and only initialise the second group once your consent layer confirms an opt-in for that specific purpose:
// Non-compliant: fires on launch regardless of consent
FirebaseAnalytics.getInstance(context)
FacebookSdk.sdkInitialize(context)
AppsFlyerLib.getInstance().start(context)
// Compliant: gated behind purpose-specific consent
if (consentManager.hasConsent(Purpose.ANALYTICS)) {
FirebaseAnalytics.getInstance(context)
}
if (consentManager.hasConsent(Purpose.ADVERTISING)) {
FacebookSdk.sdkInitialize(context)
AppsFlyerLib.getInstance().start(context)
}
This applies separately on iOS and Android, and separately again per purpose, not as one blanket toggle.
You also need a data map: every SDK, what personal data it touches (device ID, IP, GPS, IDFA/AAID, contact lists), where that data goes, and the legal basis you are relying on. This becomes your Article 30 record and your answer when a user requests access to their data.
Consent itself needs to be logged, not just collected: timestamp, user identifier, the exact version of the consent text shown, and the choice made. That log is what you produce if a regulator asks for proof.
Data minimisation cuts your compliance surface further. If a feature doesn't need GPS-level location, request approximate location instead. Fewer permission requests at first launch also tends to improve activation, since users aren't stopped by a wall of prompts before they've even used the app.
Seers has published a detailed mobile app GDPR checklist covering consent gating, SDK auditing and breach response in more depth: https://seers.ai/blogs/how-to-make-a-mobile-app-gdpr-compliant/
#gdpr #privacy #mobiledev #compliance
Top comments (0)