Mobile Apps Do Not Use Cookies the Way Websites Do
Websites rely on HTTP cookies to remember visitors, track behaviour, and serve targeted advertising. Mobile apps operate differently. Native iOS and Android applications have direct access to device storage, advertising identifiers, and embedded software development kits (SDKs) that collect data without setting a single browser cookie.
This distinction matters because many app developers assume that the ePrivacy Directive only applies to cookies. It does not. Article 5(3) of the ePrivacy Directive covers any storage of information, or access to information already stored, on a user's terminal equipment. A smartphone qualifies as terminal equipment, and an SDK reading a device's advertising identifier counts as accessing stored information.
The legal obligations are broadly the same. The technical implementation is entirely different.
SDKs: The Mobile Equivalent of Third-Party Scripts
On a website, third-party tracking typically arrives through JavaScript tags - the Meta Pixel, Google Analytics snippet, or ad network scripts. Each drops cookies onto the visitor's browser. On a mobile app, the equivalent mechanism is an SDK embedded directly into the app's compiled code.
An analytics SDK like Firebase or Adjust initialises when the app launches and begins collecting data immediately unless the developer has configured it to wait for consent. Unlike a website script, which can be loaded conditionally by changing its type attribute, an SDK is compiled into the app binary, so it cannot be held back by deployment configuration alone. Blocking it requires the developer to implement gating logic in code: the SDK is never started on launch, and consent status is checked before any SDK method fires.
This is where many apps fail compliance checks. CNIL published a 98-page set of recommendations for mobile app privacy in September 2024 and launched an enforcement campaign in spring 2025 specifically targeting apps that initialise tracking SDKs before obtaining consent.
IDFA, GAID, and Advertising Identifiers
Two identifiers dominate mobile advertising. Apple assigns each iOS device an Identifier for Advertisers (IDFA), while Google assigns each Android device a Google Advertising ID (GAID). Both serve a similar purpose to third-party cookies on the web: they enable cross-app tracking and attribution.
There is a critical difference in how each platform handles consent for these identifiers.
Apple's App Tracking Transparency (ATT)
Since iOS 14.5, any app that accesses the IDFA must present Apple's ATT prompt. If the user declines, the IDFA returns a string of zeros, effectively disabling cross-app tracking. Global opt-in rates sit at roughly 50% as of 2025, though apps that display a pre-prompt explanation before the system dialog see 40-60% higher acceptance rates.
ATT is a platform requirement, not a legal one. It does not replace GDPR consent obligations. An app operating in the EU needs both a valid ATT authorisation and a separate GDPR-compliant consent mechanism covering all personal data processing, not just IDFA access.
Google's Approach on Android
Google has taken a less restrictive path. Android users can reset or delete their GAID through device settings, but there is no system-level consent prompt equivalent to ATT. Google's Privacy Sandbox for Android is in development, introducing the Topics API and Attribution Reporting API as alternatives to the GAID, but the advertising identifier remains available without a mandatory opt-in gate.
This does not mean Android apps can skip consent. Under GDPR and the ePrivacy Directive, accessing the GAID still constitutes accessing information stored on a user's device. The legal requirement exists regardless of whether the platform enforces it technically.
How In-App Tracking Differs from Website Tracking
The following table summarises the key differences between tracking on websites and native mobile apps.
| Aspect | Website | Mobile App |
|---|---|---|
| Primary tracking mechanism | HTTP cookies (_ga, _fbp) | SDKs, IDFA/GAID |
| Third-party code delivery | JavaScript tags loaded at runtime | SDKs compiled into app binary |
| Blocking before consent | Change script type attribute or use GTM triggers | Gate SDK initialisation in code |
| Cross-site/cross-app tracking | Third-party cookies (declining) | Advertising identifiers (IDFA/GAID) |
| Platform consent layer | None (CMP required) | ATT on iOS; none on Android |
| Storage covered by ePrivacy | Cookies, localStorage, sessionStorage | Device storage, keychain, shared preferences |
| Consent banner format | Cookie banner overlay | In-app consent dialog or onboarding screen |
ePrivacy and GDPR: Both Apply to Mobile Apps
Article 5(3) of the ePrivacy Directive does not mention the word "cookie" at all. It refers to "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user." A smartphone running your app is terminal equipment. Any SDK that reads the GAID, writes data to shared preferences, or accesses the device's keychain falls within scope.
GDPR then applies on top of this whenever personal data is processed. Advertising identifiers qualify as personal data under Recital 30 of the GDPR, which explicitly mentions "cookie identifiers, Internet protocol addresses" and "other identifiers such as radio frequency identification tags" as examples of online identifiers that can be used to create profiles.
The practical result: your mobile app needs opt-in consent before initialising any non-essential tracking, just as a website does. The only exemption is for processing that is strictly necessary to provide the service the user explicitly requested.
What Regulators Check in Mobile Apps
CNIL's 2025 enforcement campaign uses network monitoring and SDK decompilation to verify whether apps actually honour consent choices. Regulators are not simply reading your privacy policy - they are running your app through proxy tools to observe which network requests fire before and after consent is given.
Twenty-one entities were sanctioned by CNIL in 2025 for tracker-related breaches, including storage without consent, insufficient information, and failure to honour consent withdrawal. CNIL's total fines in 2025 reached approximately 487 million euros, nearly nine times the 55 million euros issued in 2024.
CNIL is not alone. The Irish DPC, the ICO, and the EDPB have all signalled increased attention to mobile app compliance. The dark patterns that regulators target on cookie banners - hidden reject options, pre-ticked consent - are equally problematic in app onboarding flows.
Practical Steps for Mobile App Consent
Gate SDK Initialisation
Do not call Firebase.initialize(), Adjust.start(), or any analytics SDK method until the user has granted consent. This requires moving SDK initialisation out of your AppDelegate or Application.onCreate() and into a consent callback.
Separate ATT from GDPR Consent
On iOS, the ATT prompt covers IDFA access specifically. Your GDPR consent mechanism must cover all processing activities, including analytics, crash reporting with personal data, and behavioural profiling. Present your GDPR consent screen before the ATT prompt so users understand the broader context.
Maintain Consent Records
Store a timestamped record of each consent decision, including which version of your consent text was shown. DPA investigations will request evidence that consent was freely given, specific, informed, and unambiguous - the same standard that applies to cookie banners on websites.
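The following is an added example, written for this article rather than taken from it or from any SDK vendor, of the two steps above: the consent gate from "Gate SDK Initialisation" and the evidence record from "Maintain Consent Records". It is plain Kotlin with no Android dependencies so the logic stands on its own; ConsentGate, GatedSdk, the Purpose names, the start/stop closures and the `persist` callback are all constructed for illustration. In a real app the closures would call the vendor's own start and opt-out methods and `persist` would write to encrypted local storage or your consent server.

```kotlin
// Added example, not code from the article or any SDK vendor. Plain Kotlin
// (no Android imports) so the gating logic is visible on its own; in an app
// the gate lives in your Application class and `persist` writes the record
// to encrypted local storage and/or your consent server.
import java.time.Instant

/** Purposes the in-app consent screen asks about (names constructed here). */
enum class Purpose { ANALYTICS, MARKETING, CRASH_REPORTING }

/** One consent decision, kept as evidence that consent was given (GDPR Art. 7(1)). */
data class ConsentRecord(
    val decidedAt: Instant,
    val noticeVersion: String,            // version of the consent text shown
    val granted: Map<Purpose, Boolean>,   // explicit per-purpose answer, never implied
    val source: String                    // "onboarding", "settings", ...
)

/** A tracking SDK wrapped as start/stop closures and tied to one purpose. */
class GatedSdk(val name: String, val purpose: Purpose,
               val start: () -> Unit, val stop: () -> Unit)

class ConsentGate(private val persist: (ConsentRecord) -> Unit) {
    private val sdks = mutableListOf<GatedSdk>()
    private val running = mutableSetOf<String>()
    private val history = mutableListOf<ConsentRecord>()

    /** Latest decision, or null while the user has not answered (= no consent). */
    val current: ConsentRecord? get() = history.lastOrNull()

    /** True only if the latest record explicitly grants this purpose. */
    fun isAllowed(purpose: Purpose): Boolean =
        current?.granted?.get(purpose) == true

    /** Called from Application.onCreate(): registers but never starts an SDK. */
    fun register(sdk: GatedSdk) {
        sdks.add(sdk)
        if (isAllowed(sdk.purpose)) startSdk(sdk)   // consent already on file
    }

    /** Consent callback: persist the evidence first, then reconcile every SDK. */
    fun onDecision(record: ConsentRecord) {
        persist(record)
        history.add(record)
        for (sdk in sdks) {
            if (isAllowed(sdk.purpose)) startSdk(sdk) else stopSdk(sdk)
        }
    }

    /** Guard for individual calls (e.g. before logEvent): dropped when not allowed. */
    fun <T> ifAllowed(purpose: Purpose, call: () -> T): T? =
        if (isAllowed(purpose)) call() else null

    fun runningSdks(): Set<String> = running.toSet()
    fun evidence(): List<ConsentRecord> = history.toList()

    private fun startSdk(sdk: GatedSdk) {
        if (running.add(sdk.name)) sdk.start()
    }
    private fun stopSdk(sdk: GatedSdk) {
        if (running.remove(sdk.name)) sdk.stop()
    }
}

fun main() {
    val stored = mutableListOf<ConsentRecord>()
    val gate = ConsentGate(persist = { stored.add(it) })

    // Stand-ins for vendor SDKs; real code calls the vendor's own start and
    // opt-out methods in these closures (names here are placeholders).
    gate.register(GatedSdk("analytics-sdk", Purpose.ANALYTICS,
        start = { println("analytics: started") },
        stop = { println("analytics: collection disabled") }))
    gate.register(GatedSdk("ads-sdk", Purpose.MARKETING,
        start = { println("ads: started, may read GAID") },
        stop = { println("ads: stopped") }))

    println("running before any decision: ${gate.runningSdks()}")
    gate.ifAllowed(Purpose.ANALYTICS) { println("logEvent fired") }  // silently dropped

    // User accepts analytics but rejects marketing on the onboarding screen.
    gate.onDecision(ConsentRecord(Instant.now(), "notice-v3",
        mapOf(Purpose.ANALYTICS to true, Purpose.MARKETING to false), "onboarding"))
    println("running after consent: ${gate.runningSdks()}")

    // Later withdrawal from the settings screen stops the running SDK.
    gate.onDecision(ConsentRecord(Instant.now(), "notice-v3",
        mapOf(Purpose.ANALYTICS to false, Purpose.MARKETING to false), "settings"))
    println("running after withdrawal: ${gate.runningSdks()}")
    println("records kept as evidence: ${gate.evidence().size}")
}
```

Only `register` belongs in the launch sequence; everything that actually starts an SDK runs from `onDecision`, which persists the record before any initialiser fires so the evidence exists before any data leaves the device. `ifAllowed` is the per-call check the article refers to, for SDK methods that remain reachable after launch. Because the SDK is compiled in and cannot be unloaded, withdrawal is only as good as the `stop` closure: wire it to the vendor's documented opt-out call and confirm with a proxy that no requests fire afterwards, which is exactly what regulators observe.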
Audit Your SDKs Regularly
Third-party SDKs update frequently, and a new version may introduce additional data collection. Run a periodic audit of every SDK in your app, documenting what data each collects and whether it fires before or after consent. Apple's App Privacy Report (Settings > Privacy > App Privacy Report) can help identify which domains your app contacts.
Cross-Platform Consistency
If your product has both a website and a mobile app, users expect their consent choices to carry across. A visitor who rejects marketing cookies on your website should not find themselves tracked by the same ad network through your app.
Syncing consent across devices requires an authenticated consent model. When a user logs in, their consent preferences load from your server and apply to the current session, whether that session runs in a browser or a native app.
This approach also helps with the record-keeping obligations under GDPR Article 7(1), which requires controllers to demonstrate that consent was given.
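As an added example of the authenticated consent model described above (not code from the article), the Kotlin below reconciles the record held on the device with the one held on the server at login and decides which one governs the session. ConsentServer, FakeConsentServer, the Purpose names and the sample records are constructed for illustration; a real implementation would back ConsentServer with your own consent API and hand the winning record to the app's SDK gate.

```kotlin
// Added example, not code from the article: reconciling consent between the
// website and the app when the user logs in. Plain Kotlin; ConsentServer is a
// stand-in for your own consent API and every record below is constructed.
import java.time.Instant

enum class Purpose { ANALYTICS, MARKETING }

/** Same shape as the record the app keeps locally (timestamp + notice version). */
data class ConsentRecord(
    val decidedAt: Instant,
    val noticeVersion: String,
    val granted: Map<Purpose, Boolean>,
    val source: String   // "web", "android", "ios"
)

/** Hypothetical server interface; replace with your consent API client. */
interface ConsentServer {
    fun fetch(userId: String): ConsentRecord?
    fun store(userId: String, record: ConsentRecord)
}

/**
 * Pick the record that governs this session:
 *  - records for an older notice text are ignored, so the user is asked again;
 *  - of the rest, the most recent decision wins whichever surface made it, so a
 *    later rejection on the website overrides an earlier acceptance in the app;
 *  - null means no usable consent: keep every non-essential SDK gated.
 */
fun reconcile(local: ConsentRecord?, remote: ConsentRecord?, currentNotice: String): ConsentRecord? =
    listOfNotNull(local, remote)
        .filter { it.noticeVersion == currentNotice }
        .maxByOrNull { it.decidedAt }

/**
 * Login hook: load the server copy, reconcile with what this device holds,
 * apply the winner to the SDK gate, and push the device's record up if it is
 * the newer one so the website sees the same choice next time.
 */
fun onLogin(
    userId: String,
    local: ConsentRecord?,
    server: ConsentServer,
    currentNotice: String,
    apply: (ConsentRecord?) -> Unit
): ConsentRecord? {
    val remote = server.fetch(userId)
    val winner = reconcile(local, remote, currentNotice)
    if (winner != null && winner == local && winner != remote) server.store(userId, winner)
    apply(winner)
    return winner
}

/** In-memory server used only for this example. */
class FakeConsentServer : ConsentServer {
    private val records = mutableMapOf<String, ConsentRecord>()
    override fun fetch(userId: String) = records[userId]
    override fun store(userId: String, record: ConsentRecord) { records[userId] = record }
}

fun main() {
    val server = FakeConsentServer()
    val notice = "notice-v3"

    // Constructed history: accepted marketing in the app on Monday, then
    // rejected it on the website on Tuesday while logged in.
    val appAccept = ConsentRecord(Instant.parse("2025-03-10T09:00:00Z"), notice,
        mapOf(Purpose.ANALYTICS to true, Purpose.MARKETING to true), "android")
    val webReject = ConsentRecord(Instant.parse("2025-03-11T18:30:00Z"), notice,
        mapOf(Purpose.ANALYTICS to true, Purpose.MARKETING to false), "web")
    server.store("user-42", webReject)

    // The app still holds Monday's record; login brings in Tuesday's rejection.
    val governing = onLogin("user-42", appAccept, server, notice) { record ->
        val marketing = record?.granted?.get(Purpose.MARKETING) == true
        println("marketing SDK allowed this session: $marketing")
    }
    println("governing decision came from: ${governing?.source}")

    // A record for an outdated notice text does not count, even if it is newer.
    val stale = ConsentRecord(Instant.parse("2025-03-12T08:00:00Z"), "notice-v2",
        mapOf(Purpose.MARKETING to true), "ios")
    println("stale record usable: ${reconcile(stale, null, notice) != null}")
}
```

Before login only the device's own record applies, since nothing links the anonymous session to the account. The `apply` callback is where the winning record is handed to the SDK gate, so a rejection made on the website stops the ad SDK in the app the moment the user signs in. Keeping both copies, each with its timestamp and notice version, is also what lets you answer an Article 7(1) request with the full sequence of decisions rather than just the latest state.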
Frequently Asked Questions
Do mobile apps need cookie consent if they do not use cookies?
Yes. The ePrivacy Directive covers all storage and access on a user's device, not just cookies. SDKs that read advertising identifiers or write to device storage require the same opt-in consent as cookies on a website.
Is Apple's ATT prompt enough for GDPR compliance?
No. ATT only covers access to the IDFA for cross-app tracking. GDPR requires consent for all non-essential personal data processing, including analytics, crash reporting, and behavioural profiling that ATT does not address.
Do Android apps need a consent prompt even though Google does not require one?
Under GDPR and the ePrivacy Directive, accessing the GAID or storing non-essential data on a user's device requires opt-in consent regardless of platform requirements. Google's lack of a system-level prompt does not remove the legal obligation.
How do I block an SDK from firing before consent?
Move SDK initialisation out of your app's launch sequence and into a consent callback. Only call SDK start or initialise methods after the user has granted permission through your consent mechanism.
Can I use legitimate interest instead of consent for mobile app analytics?
For analytics that involve accessing device storage or identifiers, the ePrivacy Directive requires consent regardless of which GDPR legal basis applies. Legitimate interest may cover server-side processing, but the initial access to the device triggers the consent requirement.
What fines have been issued for mobile app tracking violations?
CNIL sanctioned 21 entities in 2025 for tracker-related breaches. Total CNIL fines in 2025 reached approximately 487 million euros, with enforcement increasingly targeting apps that initialise tracking before obtaining valid consent.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.