The EU Digital Markets Act (external eu-dma-2022-1925) grants EU users new rights around alternative payment processing on iOS as of 2024, creating new technical requirements and App Store review processes for apps targeting EEA users. Apps with existing GDPR consent flows also face ongoing obligations: GDPR Art. 30 requires a Records of Processing Activities (RoPA), Art. 37 may require a Data Protection Officer for apps processing data at scale, and Art. 6 requires a documented legal basis for every processing activity. Undocumented legal bases are among the most common enforcement findings in GDPR audits.
Severity is info because EU regulatory signals call for awareness and documentation rather than immediate code changes; undocumented processing activities nonetheless create enforcement risk that grows with user volume.
Document the legal basis for each data processing activity (legitimate interest, consent, contract, legal obligation) in your privacy policy and internal Records of Processing Activities. Ensure a Data Processing Agreement is signed with all third-party processors — analytics providers, ad networks, cloud infrastructure providers.
Monitor Apple's DMA compliance updates for EU iOS distribution: alternative payment processing APIs are now available and may affect your App Store review process for EU builds. For GDPR consent flows already present in the codebase, verify the consent management platform records and stores consent in a format auditable by your legal team — a gdprConsentString in localStorage is not sufficient audit evidence on its own.
ID: app-store-privacy-data.risk-indicators.eu-dma-payment-rules
Severity: info
What to look for: Count all relevant instances and enumerate each. Look for signals that the app targets EU/EEA users: locale-specific code paths for de, fr, nl, es, it, pt, pl, or other EU language codes; GDPR consent flows (CMP integration, cookie consent, gdprConsentString); EU-specific pricing or VAT calculation; .eu domain references in API calls; any reference to "European Union", "GDPR", "EEA", "DMA" in comments or configuration. If EU targeting is detected, note that the Digital Markets Act (DMA) grants EU users rights related to in-app payment alternatives on iOS, and that Apple's compliance implementation (alternative payment processing, alternative browser engines) creates new technical requirements and review processes. Also note: the General Data Protection Regulation requires a Data Protection Officer designation for apps processing large volumes of EU personal data, a Data Processing Agreement (DPA) with all processors, and explicit legal basis declaration for each data processing activity. This is informational — note the signals without failing.
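The signal classes listed above can be enumerated mechanically. The following is an added example (not part of this check's own tooling) that scans a set of source files for each class, counts every instance per file and line, and maps the result onto the check's pass/skip outcome. The file paths and contents are constructed for the example; the regular expressions are one reasonable encoding of the heuristics above and will need tuning for a real codebase (for instance, a quoted "it" or "es" can also be an ordinary string literal).

```python
import re
from collections import defaultdict

# Constructed sample source files (hypothetical paths and contents, not from any real project).
SAMPLE_FILES = {
    "src/i18n/locales.ts": 'export const SUPPORTED = ["en", "de", "fr", "nl"];\n',
    "src/billing/vat.ts": "// Apply EU VAT by country\nconst VAT_RATES = { DE: 0.19, FR: 0.20 };\n",
    "src/consent/cmp.js": '// GDPR: persist the TCF consent string\n'
                          'localStorage.setItem("gdprConsentString", tcString);\n',
    "src/api/client.js": 'const BASE = "https://api.example.eu/v1";\n',
    "src/util/math.js": "export const clamp = (x, lo, hi) => Math.min(hi, Math.max(lo, x));\n",
}

# EU language codes named in the check; quoted as string literals in locale tables.
EU_LOCALES = ("de", "fr", "nl", "es", "it", "pt", "pl")

# One compiled pattern per signal class. These are heuristics, not a complete detector.
SIGNALS = {
    # "de", 'fr', "pt-BR"-style literals: a quoted EU language code, optional region suffix.
    "eu_locale": re.compile(r'["\'](?:%s)(?:[-_][A-Z]{2})?["\']' % "|".join(EU_LOCALES)),
    # Consent management platform integration, cookie consent, TCF consent string.
    "gdpr_consent": re.compile(r"gdprConsentString|\bCMP\b|cookie[_ -]?consent", re.IGNORECASE),
    # VAT handling: matches "VAT" as a word or as an identifier prefix such as VAT_RATES.
    "eu_vat": re.compile(r"\bVAT(?![a-z])", re.IGNORECASE),
    # URLs whose host ends in .eu.
    "eu_domain": re.compile(r"https?://[^\s\"']+\.eu\b", re.IGNORECASE),
    # Regulatory keywords in comments or configuration (case-sensitive on purpose).
    "eu_keyword": re.compile(r"European Union|\bGDPR\b|\bEEA\b|\bDMA\b"),
}


def scan_files(files):
    """Return {signal: [(path, line_no, matched_text), ...]} for every hit across all files."""
    findings = defaultdict(list)
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern in SIGNALS.items():
                for match in pattern.finditer(line):
                    findings[name].append((path, line_no, match.group(0)))
    return dict(findings)


def evaluate(findings):
    """Map findings onto the check's outcome: 'skip' with no signals, otherwise 'pass' plus detail.

    The check is info-only, so it never returns 'fail'.
    """
    if not findings:
        return "skip", "No EU/EEA targeting signals detected in the codebase."
    summary = ", ".join(f"{name}={len(hits)}" for name, hits in sorted(findings.items()))
    detail = (
        f"EU/EEA targeting signals detected ({summary}). "
        "DMA may grant users alternative payment rights on iOS. Ensure GDPR legal bases are "
        "documented for all data processing activities and a DPA is in place with all data processors."
    )
    return "pass", detail


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for name, hits in sorted(found.items()):
        for path, line_no, text in hits:
            print(f"{name:13} {path}:{line_no}  {text}")
    result, detail = evaluate(found)
    print(result, "-", detail)
```

The per-instance list is what the "count all relevant instances and enumerate each" requirement asks for; the `evaluate` function keeps the outcome restricted to pass or skip so the scanner cannot accidentally turn an informational signal into a failing result.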
Pass criteria: Not applicable — this is an info-only check that surfaces EU Digital Markets Act signals for awareness. The result is always pass or skip, never fail.
Fail criteria: Not applicable — info check. Use detail to note EU signals found.
Skip (N/A) when: No EU/EEA targeting signals detected in the codebase.
Detail on fail: Not applicable. Use detail: "GDPR consent flow detected — app targets EU users. DMA may grant users alternative payment rights on iOS. Ensure GDPR legal bases are documented for all data processing activities and a DPA is in place with all data processors."
Remediation: EU compliance for mobile apps is an evolving area, with the DMA introducing new rights in 2024-2025.
Review the configuration in the src/ or app/ directory for implementation patterns.