If you ship an app or web product and anyone in the European Union or wider EEA can use it, a handful of EU rules apply to you — even if you're a solo developer in another country, with no company in Europe. EU digital law follows the user, not your registration, so "I'm not an EU business" is rarely a reason a rule won't reach you.
This is a practical, launch-time map of the main areas an EU/EEA audience triggers: GDPR, ePrivacy/cookies, the EU AI Act, accessibility, protections for minors, consumer withdrawal rights, and the "imprint" duty. It is non-exhaustive by design — it points at the areas most likely to matter for a small product and the LaunchTrust signals that help you spot gaps, not a complete legal analysis. For your situation, talk to a qualified professional.
The areas an EU/EEA audience triggers
1. Data protection — GDPR
The General Data Protection Regulation (GDPR) applies if you process personal data of people in the EU/EEA — emails, account info, device identifiers, analytics, IP addresses — regardless of where you're based. The practical core: a real privacy policy, a lawful basis, honored data-subject rights (access, deletion), and no undisclosed tracking. The most visible signal is a privacy policy that's present and linked. → privacy policy detector, the GDPR checklist for indie apps, and account & data deletion.
2. Cookies and tracking — ePrivacy
Cookie consent is governed mainly by the ePrivacy Directive (the "cookie law"), read with GDPR's consent standard. The widely applied rule: non-essential cookies and trackers — analytics, advertising, embedded third-party scripts — generally need prior, informed, opt-in consent before they load; pre-ticked boxes and "by using this site you agree" banners are commonly treated as insufficient. LaunchTrust can surface whether a consent mechanism is present and whether known trackers appear to fire. → cookie consent banner and third-party tracking.
3. AI transparency — the EU AI Act
If your product is a chatbot, AI "companion," or generates text, images, audio, or video, the EU AI Act is written for you. Article 50 sets transparency duties: tell people when they're interacting with an AI (unless it's already obvious), and mark or disclose AI-generated and AI-manipulated content where the Act specifies. The Act applies in phases; the transparency duties are widely treated as near-term — confirm current dates against the official text rather than a quoted deadline. The most checkable signal is an in-context AI disclosure a logged-out visitor can see. → AI interaction disclosure and the EU AI Act Article 50 checklist.
4. Digital accessibility
The European Accessibility Act (EAA) brings accessibility requirements to many consumer-facing digital products and services in the EU, with WCAG-aligned standards. Whether it applies to your product depends on type and scale (there are carve-outs, including for some microenterprises) — check your category rather than assuming. Several baseline signals are cheap to verify on a public page: a declared page language, a meaningful title, image alt text, form-input labels, and not disabling pinch-zoom. → page language, image alt text, form input labels, zoom not disabled, and the European Accessibility Act checklist.
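A static check for four of the baseline signals named above (page language, image alt text, form-input labels, zoom not disabled), as an added example that is not LaunchTrust's code. The function name `baseline_signals`, the result keys and the sample page are assumptions made for illustration; whether a title is meaningful is left to a human reader.

```python
from html.parser import HTMLParser


class A11yBaseline(HTMLParser):
    """One pass over static HTML collecting four baseline signals."""

    def __init__(self):
        super().__init__()
        self.lang, self.zoom_disabled = "", False
        self.imgs_missing_alt, self.label_depth = 0, 0
        self.label_for, self.inputs = set(), []  # inputs: (id, already named?)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html":
            self.lang = (a.get("lang") or "").strip()
        elif tag == "img" and "alt" not in a:  # alt="" is valid for decorative images
            self.imgs_missing_alt += 1
        elif tag == "label":
            self.label_depth += 1
            if a.get("for"):
                self.label_for.add(a["for"])
        elif tag == "input" and a.get("type") not in ("hidden", "submit", "button"):
            named = bool(a.get("aria-label") or a.get("aria-labelledby"))
            self.inputs.append((a.get("id"), named or self.label_depth > 0))
        elif tag == "meta" and (a.get("name") or "").lower() == "viewport":
            pairs = (a.get("content") or "").lower().replace(" ", "").split(",")
            props = dict(p.split("=", 1) for p in pairs if "=" in p)
            self.zoom_disabled = (props.get("user-scalable") in ("no", "0")
                                  or props.get("maximum-scale") in ("1", "1.0"))

    def handle_endtag(self, tag):
        if tag == "label":
            self.label_depth = max(0, self.label_depth - 1)


def baseline_signals(html):
    """Map each signal to True when the baseline check passes."""
    p = A11yBaseline()
    p.feed(html)
    unlabelled = [i for i, named in p.inputs if not named and i not in p.label_for]
    return {"lang": bool(p.lang), "img_alt": p.imgs_missing_alt == 0,
            "labels": not unlabelled, "zoom": not p.zoom_disabled}


# Constructed sample page: lang is declared, but one image lacks alt,
# one input has no label, and the viewport blocks pinch-zoom.
SAMPLE = ('<html lang="en"><head><meta name="viewport" '
          'content="width=device-width, user-scalable=no"></head><body>'
          '<img src="a.png"><label for="e">Email</label><input id="e">'
          '<input id="q"></body></html>')
```

A passing result only says the attribute or label exists in the served HTML; it does not say the alt text or label wording is useful to a screen-reader user.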
5. Protections for minors — DSA and GDPR
If minors can use your product, GDPR sets a baseline age for a child to consent on their own (it varies by member state, commonly 13–16) — below it you generally need a parent's involvement. The Digital Services Act (DSA) adds duties around protecting minors, including not profiling children for ads and offering age-appropriate experiences. A visible age-gate or age-assurance step is the public signal most often expected. → age-gate / assurance. AI companion products attract extra scrutiny here — see the Article 50 checklist.
6. Consumer withdrawal rights
If you sell to EU consumers, EU consumer protection law gives buyers a withdrawal ("cooling-off") right — commonly framed as a 14-day window — with specific exceptions for digital content and services (for example, where the consumer agrees to immediate performance and acknowledges losing the right). You're generally expected to disclose this before purchase, alongside clear pricing and cancellation terms. The public signals are a discoverable refund/cancellation policy and honest auto-renewal disclosure. → refund & cancellation policy and subscription auto-renewal disclosure.
7. Imprint / provider identification
Several EU rules (rooted in the e-Commerce regime and consumer law) require commercial online services to make basic provider identification easy to find: who you are, a way to contact you, and — for traders — certain business details. In some member states this is the "Impressum"/imprint duty; for an indie it usually means a reachable contact route and clear identity. → contact / imprint detector.
What LaunchTrust checks (and what it doesn't)
LaunchTrust passively fetches your public URL and reports signals — detected, not detected, or unable to determine — for the surfaces above. "Detected" means the wording, link, or marker is present in the HTML an anonymous visitor receives; it does not confirm a document is adequate, a consent flow is valid, or that you meet any EU rule. "Not detected" flags a gap worth a human look; "unable" means the page couldn't be assessed. It does not crawl private areas, does not read your backend, and never issues a verdict, score, or "EU-ready" rating. No scanner can. It's a fast way to find missing trust signals before a user, regulator, or app reviewer does.
A concrete example
A cookie-consent signal LaunchTrust reads as detected is a recognizable consent script that loads before non-essential trackers:
<script src="https://cdn.example.com/consent.js" data-cmp></script>
A not detected result is a page where analytics or ad scripts clearly fire but no consent prompt precedes them — exactly the ePrivacy gap an EU reviewer flags. As always, "detected" is a signal that something is there, not a judgment that the consent is lawful.
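The ordering check described above, sketched as an added example that is not LaunchTrust's code. It assumes the `data-cmp` marker from the tag shown earlier identifies the consent script; the tracker host list and the sample pages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: illustrative tracker hosts, not a real blocklist.
TRACKER_HOSTS = {"analytics.example.net", "ads.example.org"}


class ScriptOrder(HTMLParser):
    """Record consent and tracker <script> tags in document order."""

    def __init__(self):
        super().__init__()
        self.tags_seen = 0
        self.kinds = []  # "consent" or "tracker", in the order encountered

    def handle_starttag(self, tag, attrs):
        self.tags_seen += 1
        if tag != "script":
            return
        attrs = dict(attrs)
        host = urlparse(attrs.get("src") or "").hostname or ""
        if "data-cmp" in attrs:  # marker taken from the page's example tag
            self.kinds.append("consent")
        elif host in TRACKER_HOSTS:
            self.kinds.append("tracker")


def consent_signal(html):
    """Return (status, reason) using the page's three result states."""
    parser = ScriptOrder()
    parser.feed(html or "")
    kinds = parser.kinds
    if parser.tags_seen == 0:
        return ("unable to determine", "no markup to assess")
    if "consent" not in kinds:
        gap = "trackers load with no consent script" if kinds else "no consent script"
        return ("not detected", gap)
    if "tracker" in kinds[:kinds.index("consent")]:
        return ("not detected", "a tracker precedes the consent script")
    return ("detected", "consent script precedes every tracker")


# Constructed sample pages (hosts are placeholders).
CMP = '<script src="https://cdn.example.com/consent.js" data-cmp></script>'
TRACKER = '<script async src="//analytics.example.net/a.js"></script>'
GOOD = f"<html><head>{CMP}{TRACKER}</head></html>"
BAD_ORDER = f"<html><head>{TRACKER}{CMP}</head></html>"
NO_CONSENT = f"<html><head>{TRACKER}</head></html>"
```

Source order in the served HTML is only a proxy for load order: `async`/`defer` attributes and scripts injected later by a tag manager are not visible to this check, so confirm the real sequence in a browser's network panel before opting in.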
How to address EU requirements before launch
- Publish a real privacy policy and link it from your footer, app store listing, and any signup screen — see the GDPR checklist.
- Add prior-consent cookie handling so non-essential trackers don't load until the user opts in. → cookie consent banner
- Show an in-context AI disclosure if your product is conversational or generative. → Article 50 checklist
- Cover accessibility basics — page language, title, alt text, form labels, no disabled zoom. → accessibility checklist
- Add an age step if minors can reach the product, and avoid profiling children. → age-gate / assurance
- State withdrawal, refund, and auto-renewal terms clearly before purchase. → refund & cancellation policy
- Expose contact/imprint details so users (and regulators) can reach you. → contact / imprint
- Offer account and data deletion in-product. → account & data deletion
- Re-scan and confirm each gap flips to detected, then verify each surface yourself in a logged-out browser.
Check this in 30 seconds
Run your URL through LaunchTrust's free scanner. It fetches your live page and reports whether your privacy policy, cookie consent, AI disclosure, accessibility basics, and contact/imprint are detected, not detected, or unable to determine — so you can close obvious EU-facing gaps before you point European traffic at your app. No signup, no private-page crawling: it reads the same public HTML your visitors get.
FAQ
Do EU rules apply to me if I'm a solo developer outside the EU? Often, yes. GDPR, the AI Act's transparency duties, ePrivacy consent, and EU consumer law are generally written to reach products used by people in the EU/EEA, regardless of where the developer is located. If EU users can sign up, buy, or chat, you're commonly in scope.
Which EU rule should an indie tackle first? Usually a present privacy policy, prior-consent cookie handling, and — if you're conversational or generative — an in-context AI disclosure, since those are the most visible signals. Accessibility, minors, withdrawal rights, and imprint follow based on your product and audience.
Is this a complete list of EU compliance requirements? No — this overview is non-exhaustive by design. Other rules (sector-specific laws, the Digital Markets Act for large gatekeepers, national variations) may also apply to you.
Does passing these checks mean my app meets EU requirements? No. LaunchTrust reports observable signals on your public pages; it does not confirm your documents, consent flows, or practices satisfy any EU rule, and it issues no verdict, score, or certification. It is a compliance aid, not legal advice. For your situation, consult a qualified professional.
Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.