GDPR-Relevant Privacy Concerns in Mobile Apps Research: A Systematic Literature Review

Orlando Amaral Cejas, Nicolas Sannier, Sallam Abualhaija, Marcello Ceci, Domenico Bianculli

TL;DR

This systematic literature review analyzes 60 primary studies (2016–2023) on GDPR-relevant privacy concerns in mobile apps, mapping findings to a comprehensive GDPR reference model. It reveals a strong focus on direct data collection, third-party data sharing, and consent, while data subject rights and indirect data collection remain underexplored. The study identifies eight research themes, highlights a heavy reliance on Android-centric studies, and uncovers limited public sharing of research artifacts. By outlining concrete gaps—especially regarding legal bases beyond consent and implementable data-subject-right requirements—it provides a roadmap for advancing GDPR-compliant mobile app development and research.

Abstract

The General Data Protection Regulation (GDPR) is considered the benchmark in the European Union (EU) for privacy and data protection standards. Since before its entry into force in 2018, substantial research has been conducted in the software engineering (SE) literature investigating the elicitation, representation, and verification of GDPR privacy requirements. Software systems deployed anywhere in the world must comply with GDPR as long as they handle personal data of EU residents. Mobile applications (apps) are no different in that regard. With the growing pervasiveness of mobile apps and their increasing demand for personal data, privacy concerns have acquired further interest within the SE community. Despite the extensive literature on GDPR-relevant privacy concerns in mobile apps, there is no secondary study that describes, analyzes, and categorizes the current focus. Research gaps and persistent challenges are thus left unnoticed. This article aims to provide a comprehensive overview of the existing research on GDPR privacy concerns in the context of mobile apps. To do so, we conducted a systematic literature review of 60 primary studies. Our findings show that existing studies predominantly address three key GDPR-related privacy concerns: (i) the direct collection of personal data from users, (ii) the sharing of personal data with external entities (e.g., third parties) beyond the mobile apps, and (iii) the analysis of user consent as a legal basis for collecting personal data. Our study highlights research gaps, calling for further research to better understand: (i) the indirect collection of personal data, e.g., data exposed to mobile apps through permission requests, (ii) the impact of legal bases beyond consent and how they may affect the development of mobile apps, and (iii) the required implementation details pertinent to data subject rights.

Paper Structure

This paper contains 36 sections, 2 figures, 9 tables.

Figures (2)

  • Figure 1: Overview of the Reference Model [Amaral:21] Used in this SLR for Identifying GDPR-related Privacy Concepts
  • Figure 2: Overview of our Review Process