The CNIL mobile app recommendation, explained for publishers
The CNIL, France’s data protection authority, published its recommendation on mobile applications in September 2024 and lightly revised it in April 2025. Since spring 2025 it has been running dedicated inspections. For publishers the framework is now set, and it is the strictest in Europe. Compliance is no longer presumed; it has to be demonstrated.
A text written for the whole ecosystem
The recommendation distinguishes five roles: publisher, developer, SDK provider, operating system provider and app store. The publisher carries most of the obligations: they choose the SDKs, they trigger the collection, and they are the ones who answer to the user.
The CNIL states that a publisher bears at minimum joint controllership for trackers used by any SDK embedded in their app. Outsourcing analytics or monetization does not outsource responsibility.
What the regulator expects in practice
The text keeps returning to the same fundamentals: valid consent before any SDK read or write, a privacy policy available before download and inside the app, and a refusal as easy as acceptance.
To these, add permission minimization, data security (for which the text cites the OWASP MASTG) and partner audits. Every point can be verified technically, and that is exactly what inspectors will do.
Enforcement is real
The announced inspections happened. The CNIL made mobile apps a 2025 priority, focusing on SDK configuration and access to phone data through permissions. Its 2025 enforcement report mentions the first formal notices against app publishers, notably on age verification.
The rest of Europe is on the same path. Norway’s authority had its Grindr fine upheld on appeal, over data shared through the app’s advertising SDKs, and Italy’s authority fined the publisher of the Replika app.
Where to start
Three workstreams deliver most of the result. First, map the SDKs actually embedded in the app, because declarations alone are not enough. Second, verify what the app transmits before consent is given and after it is refused. Third, cut permissions down to what is strictly necessary.
That is the order in which an inspector will look at your app. Better to follow it first.
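The three workstreams above can be rehearsed offline before an inspector does it for you. The following script is an added example and is not part of the CNIL text or of any publisher's tooling: it checks a manifest's declared permissions against a justified set, and replays a request log against the consent decision to flag SDK traffic sent before any decision or after a refusal. The manifest fragment, the SDK host mapping (hosts under the reserved .invalid domain) and the log lines are all constructed sample data, and the "justified permissions" set is an assumption about a fictional news-reader app.

```python
"""Added example: a minimal offline pre-inspection check for a mobile app.

All inputs below are constructed sample data, not captured from a real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed AndroidManifest.xml fragment for a fictional news-reader app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Assumption: the publisher has documented a need for network access only.
JUSTIFIED_PERMISSIONS = {"android.permission.INTERNET"}

# Hypothetical host-to-SDK map, as a publisher would build it from the
# dependency list of the shipped binary (workstream 1: know what is embedded).
SDK_HOSTS = {
    "metrics.example-analytics.invalid": "ExampleAnalytics SDK",
    "ads.example-adnet.invalid": "ExampleAdNet SDK",
}

# Constructed request log: "<seconds since launch> <event> [host]".
# consent_* events are emitted by the app's consent banner; requests come
# from a proxy capture during a test session where consent was refused.
SAMPLE_LOG = """\
0.4 request metrics.example-analytics.invalid
1.2 consent_refused
1.9 request ads.example-adnet.invalid
2.5 request cdn.example-news.invalid
"""


def excess_permissions(manifest_xml: str, justified: set[str]) -> set[str]:
    """Workstream 3: declared permissions the publisher has not justified."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return declared - justified


def unconsented_sdk_requests(log_text: str, sdk_hosts: dict[str, str]) -> list[tuple[float, str, str, str]]:
    """Workstream 2: SDK requests made before any consent decision or after refusal.

    Returns (timestamp, host, sdk name, reason) tuples in log order.
    First-party hosts (not in sdk_hosts) are ignored; requests after an
    explicit consent_granted are accepted.
    """
    findings = []
    consent = None  # None = no decision yet; otherwise "granted" or "refused"
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        timestamp, event = float(parts[0]), parts[1]
        if event in ("consent_granted", "consent_refused"):
            consent = event.split("_", 1)[1]
            continue
        if event == "request" and len(parts) == 3:
            host = parts[2]
            sdk = sdk_hosts.get(host)
            if sdk is None or consent == "granted":
                continue
            reason = "before any consent decision" if consent is None else "after refusal"
            findings.append((timestamp, host, sdk, reason))
    return findings


if __name__ == "__main__":
    for perm in sorted(excess_permissions(SAMPLE_MANIFEST, JUSTIFIED_PERMISSIONS)):
        print(f"unjustified permission: {perm}")
    for t, host, sdk, reason in unconsented_sdk_requests(SAMPLE_LOG, SDK_HOSTS):
        print(f"t={t:.1f}s {sdk} contacted {host} {reason}")
```

On the sample data the script reports two unjustified permissions and two SDK requests that should never have left the device under a refusal: the analytics beacon fired before the banner was even answered, and the ad SDK kept calling home after the user said no. The same two checks, run against the real manifest and a real proxy capture, are the evidence an inspector will ask for.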