56% of Apps May Be Violating GDPR. Here’s What Developers Need to Know
A large-scale academic study analysed more than 10,000 free Android apps and found that over half may be violating GDPR privacy rules. The findings suggest many developers are still overlooking key requirements, even years after the regulation came into force.
A Widespread Compliance Gap
A research team from the IMDEA Networks Institute and the University of Lausanne examined 10,080 free Android apps and discovered that 56% were potentially non-compliant with GDPR, particularly regarding cross-border data transfers and user-consent management.
The study, published in 2021 under the title “GDPR and the Lost Generation of Mobile Apps,” found that many developers either failed to request proper consent for data tracking or transferred user data outside the European Union without adequate legal safeguards.
Researchers also noted that some apps used analytics or advertising tools that automatically collected identifiers, making users’ personal information accessible to third-party companies in other regions.
“Our findings show that many apps continue to process European user data without meeting basic GDPR standards,” said one of the study’s authors. “In many cases, the issue isn’t bad intent, but lack of awareness.”
Why This Matters for Developers
GDPR applies not only to companies based in Europe but to any developer or publisher whose app is available to users in the EU.
If an app collects analytics, displays ads, or allows user registration, it is considered to be processing personal data under the regulation.
That means even developers based in the United States, the Middle East, or Asia are expected to comply when their apps are distributed through Google Play or the App Store in EU markets.
Many app makers are still unaware that GDPR compliance goes beyond privacy policies. It includes rules about data transfers, user rights, and representation inside the EU.
The Overlooked Rule: Appointing a GDPR Representative
Under Article 27 of the GDPR, every non-EU business that offers services to EU residents or monitors their behaviour must appoint a local GDPR Representative.
This person or organisation serves as the point of contact for both regulators and users in the EU.
Failing to appoint one is considered a separate violation, even if the app itself is otherwise compliant.
In one case, the Dutch Data Protection Authority fined a non-EU website €525,000 for missing this requirement, confirming that the rule applies across all digital sectors.
Appoint Your GDPR Representative in the EU and UK
Avoid fines and stay compliant with Article 27.
Specialist GDPR Representative services help organisations meet local contact requirements and maintain audit-ready compliance.
How GDPR Representation Works
Discover how Euverify connects your business with EU and UK regulators: fast, compliant, and transparent.
See how simple it is to appoint your GDPR Representative and meet Article 27 obligations.
What Developers Should Check
To stay compliant, app developers targeting EU users should:
• review consent and privacy prompts to ensure they meet GDPR requirements;
• verify that analytics and ad-network SDKs do not transfer data unlawfully;
• review data-processing agreements with third-party partners; and
• appoint an EU and UK GDPR Representative if they have no European presence.
Specialist GDPR Representative services can handle communications with regulators, maintain processing records, and help document compliance in case of an inquiry.
The Bigger Picture
Privacy enforcement in Europe continues to expand.
According to the DLA Piper GDPR Fines Report 2025, regulators issued over €1.2 billion in fines last year, and experts expect closer scrutiny of app developers next.
Many of the most common GDPR issues, such as missing consent forms, excessive permissions, and unclear data transfers, can be fixed with relatively small technical and legal updates.
Developers who take proactive steps now will avoid potential fines and build user trust at the same time.
Transparent GDPR Representative Pricing
Stay compliant without hidden costs. Euverify offers flat annual rates for full EU & UK representation - designed for startups to global enterprises.
The Takeaway
The numbers tell the story: more than half of mobile apps tested were not fully GDPR-compliant.
For developers outside Europe, the message is simple.
If your app collects data from EU users, you are already subject to GDPR. It is your responsibility to ensure compliance before regulators come calling.
Ready to Appoint Your GDPR Representative?
Euverify helps global businesses stay compliant with full EU & UK representation.
Sources
Information in this article is based on the academic study “GDPR and the Lost Generation of Mobile Apps” (IMDEA Networks Institute and University of Lausanne, 2021), data from the DLA Piper GDPR Fines and Data Breach Survey 2025, and enforcement analyses from CMS Law and the International Association of Privacy Professionals (IAPP).