Pitfall 1: Forgetting MAC addresses are persistent identifiers
Many teams treat Bluetooth device addresses as transient session data. Under GDPR they are an online identifier in the sense of Article 4(1): an address that does not change, combined with what the app already knows (connection timestamps, which user pairs which device), singles out a natural person and is personal data. Two caveats matter when you assess the risk. Android exposes the peripheral's MAC address directly, while iOS never does (CoreBluetooth hands back an opaque UUID that is specific to that iPhone). And a peripheral that uses BLE resolvable private addresses rotates its address periodically, whereas one advertising a static or public address is trackable for its whole lifetime; most consumer sensors fall in the second group.
Why it happens: The common React Native BLE libraries surface the address as the device `id` in scan and connect callbacks with no indication of its sensitivity, and from there it ends up in analytics events and crash logs. Developers assume "it's just a Bluetooth thing."
Consequence: If you collect the address without a lawful basis (in practice consent, which an OS permission prompt is not) and without mentioning the collection in your privacy notice, you breach the Article 6 lawful-basis requirement and the Article 13 transparency obligations, and a regulator can treat the whole collection history as unlawful processing of personal data. Under the CCPA the same collection without a notice at collection draws civil penalties per violation; GDPR administrative fines reach €20M or 4% of worldwide annual turnover, whichever is higher.
Pitfall 2: Conflating OS-level Bluetooth permission with lawful data processing consent
Getting the user to tap "Allow" on the OS Bluetooth prompt does not satisfy GDPR consent (Articles 4(11) and 7: freely given, specific, informed, unambiguous, demonstrable and withdrawable) and is not a CCPA notice at collection either. The OS permission is a technical gate that says nothing about which data is read or where it goes; legal consent requires a clear, informed affirmative action *before* any data is collected, plus a record of it that you can produce later.
Why it happens: The library's permission request looks like consent. Teams ship without a pre-connection disclosure explaining which GATT characteristics will be read, how often, and where the values flow.
Consequence: You have no valid lawful basis for processing. A privacy policy published after the fact does not retroactively validate earlier collection, and Article 7(1) puts the burden on you to demonstrate that consent existed for the period in question. Audits will flag "consent was never obtained." Users can exercise the right to erasure (Article 17) and claim compensation for damage (Article 82).
Pitfall 3: Health data mishandling without appropriate DPA or BAA
If your app reads heart rate, SpO2 or similar metrics from BLE sensors, those values are data concerning health (Article 4(15)), a special category under Article 9 that may only be processed under one of the Article 9(2) conditions, in practice explicit consent. Step counts and activity data can fall into the same category once they reveal something about a person's health. Any cloud backend or analytics vendor that receives the data is a processor, so you need an Article 28 Data Processing Agreement (DPA) that explicitly covers the health data flows. HIPAA is a separate question: it applies when you handle protected health information for or as a covered entity (a provider, health plan or clearinghouse), in which case you need a Business Associate Agreement (BAA) with that entity and with your own subcontractors. A consumer wellness app with no covered entity in the chain is not HIPAA-regulated, but it is still bound by Article 9.
Why it happens: Teams assume "we just read the sensor and log it locally" keeps them out of scope. Local processing still needs an Article 9 condition, but the sharper problem is that the data rarely stays local: once it reaches a database, a logging or crash-reporting service, or a cloud backup, you have disclosed health data to a processor that has no DPA.
Consequence: GDPR fines at the upper tier; HIPAA civil monetary penalties, which are tiered per violation with an annual cap per violation category that started at $1.5M and is adjusted for inflation each year; mandatory notification under state data breach laws (and, for apps outside HIPAA, the FTC Health Breach Notification Rule) if the data is exposed. Apple rejects or removes apps that mishandle health data under App Review Guideline 5.1.3 (Health and Health Research), and Google Play's health policies have equivalent requirements.