In 2023, a mid-size European retailer had its Apple Wallet pass-signing certificate revoked overnight. Not for a security breach. Not for a hack. For silently collecting location data through their loyalty pass without proper disclosure. Their digital loyalty program stopped working for days. Hundreds of thousands of passes failed at checkout. Customer support lines lit up. The estimated cost ran into the hundreds of thousands of euros in lost loyalty redemptions alone.
Here is the broader problem. Apple Wallet and Google Wallet together reach a global user base in the billions. Both report significant Wallet adoption. Yet most businesses build pass programs with limited awareness of overlapping compliance obligations from GDPR, CCPA, and the platform providers themselves.
This gap creates real risk because wallet passes sit at a unique intersection. They live on a user's personal device. They can trigger location-based notifications. They carry personally identifiable information in encoded fields. They update dynamically via server callbacks. Apple and Google also hold a kill switch on your signing credentials.
This article maps the compliance landscape, gives you a concrete checklist framework, and shows you how to build a wallet pass program that is both effective and resilient.
Why Wallet Passes Are a Compliance Blind Spot
Wallet passes do not fit neatly into existing compliance categories. They are not apps, so App Store privacy nutrition labels do not apply directly. They are not emails, so CAN-SPAM frameworks miss them. They are not cookies, so cookie consent banners are irrelevant.
This ambiguity leads most teams to assume no special compliance work is needed. That assumption is wrong.
Consider the personal data that flows through a wallet pass lifecycle:
- Issuance: Name, email, membership ID, and often a device-linked token are transmitted when a user adds a pass.
- Dynamic updates: Server-to-device callbacks reveal usage patterns, update frequency, and engagement signals every time your backend pushes new pass data.
- Location triggers: Geofencing data appears when passes show on a lock screen near a store, revealing precise user location.
- Redemption tracking: Purchase behavior, timestamps, and device metadata flow back to your systems when a pass is scanned.
Even seemingly simple fields can become personally identifiable. A serialized pass ID combined with a barcode payload is just a string of characters on its own. Link it to a CRM record and it becomes personal data. Encoded fields in a .pkpass bundle or a Google Wallet JWT are not hidden from a regulatory standpoint. Regulators do not care that the data is base64-encoded or buried in a JSON structure.

One more layer. Apple and Google both act in the data processing chain. Apple's APNs (Apple Push Notification service) handles your update pushes. Google's Smart Tap and save infrastructure processes your pass delivery. Each platform adds its own set of obligations on top of whatever regional privacy law applies to your users.
GDPR and Wallet Passes: Right to Erasure Meets a Pass on Someone's Phone
Here is the core GDPR tension. Article 17 grants users the right to erasure and requires you to delete their personal data on request. But you cannot remotely delete a pass from a user's Apple or Google Wallet. The pass file physically persists on their device.
Regulators take a practical view. Your obligation is to delete all server-side data and invalidate the pass. That means voiding it, zeroing out PII fields through an update push, and ensuring your backend no longer retains any linked personal data. You are not required to reach into someone's phone.
Lawful basis matters. Most wallet pass programs rely on legitimate interest or contract performance as their lawful basis for processing. That works for the core pass functionality. Location-triggered notifications often require explicit consent under GDPR, though. If your loyalty pass pings a user's lock screen when they walk past your store, you need a consent mechanism for that specific processing activity. This should be separate from the general pass issuance.
Data minimization is your friend. Only encode the minimum PII necessary on the pass itself. Store richer profile data server-side and reference it through a serial number. This limits your GDPR exposure. If a pass file is extracted, shared, or screenshotted, the exposed data stays minimal.
Cross-border transfers add another wrinkle. If your wallet pass update server sits in the US but you issue passes to EU residents, you need a valid transfer mechanism. Standard Contractual Clauses or a recognized adequacy decision must cover the callback data that flows between your server and the user's device.
Practical tip: Build a GDPR erasure endpoint in your pass management system. When triggered, it should push a final update to the pass that strips all personal fields and replaces them with a generic "Pass Deactivated" message. Then delete the server-side record. This is clean, auditable, and aligned with GDPR obligations.
CCPA and State-Level Privacy: The "Sale" Question and Location Data
CCPA and its CPRA amendment apply to wallet passes if you issue passes to California residents and meet the revenue or data thresholds. The key obligation is clear. You must provide a clear mechanism for users to refuse the sale or sharing of their personal information.
Here is where it gets specific. If you share location-triggered pass engagement data with a third-party analytics provider, that likely qualifies as sharing under CPRA for cross-context behavioral purposes. It does not matter that you call it analytics. The law looks at what the data actually does in practice.
Location-based notifications are a flashpoint. When a user's wallet pass triggers a lock-screen notification near your store, you are using precise geolocation data. Under CCPA, this must be disclosed in your privacy policy. Under CPRA's sensitive personal information category, precise geolocation requires you to offer a "Limit the Use of My Sensitive Personal Information" link.
The practical challenge is UI. Unlike a website where you can show a consent banner, wallet passes have no native UI for consent management. You have a few options:
- Link to a preference center from the pass's back fields (the flip side of the pass).
- Honor preferences set through your app or website and sync them to your pass update server.
- Use the pass's relevance and location fields conditionally and activate them only for users who have given permission through another channel.
The US privacy patchwork is expanding. Virginia's VCDPA, Colorado's CPA, and Connecticut's CTDPA introduce similar requirements. Building for CCPA and CPRA compliance usually gives you a strong baseline for these laws. You still need to track state-specific details around sensitive data categories and cure periods.
Apple and Google Platform Policies: The Rules That Can Actually Shut You Down
Regional privacy laws can fine you. Platform policies can shut you down overnight. That distinction matters.
Apple Wallet / PassKit. Apple requires that passes provide a clear benefit to the user and explicitly prohibits using passes primarily for advertising or push-notification spam. Apple reviews pass-signing certificate usage and can revoke your certificate if you violate their policies. A revoked certificate can render every pass you have ever issued non-functional, not just new ones. Apple's developer agreement and the Wallet Human Interface Guidelines describe specific restrictions around content, design, and functionality.
Google Wallet API. Google requires passes to have a clear and relevant purpose, prohibits misleading pass content, and mandates that issuers maintain a valid privacy policy URL in their issuer account. Google reserves the right to suspend issuer accounts for policy violations. Their review process leans more automated, but enforcement can still be sudden.

Often-overlooked rules:
- Apple prohibits passes that replicate existing Apple features. You cannot create a pass that functions as a generic payment instrument.
- Apple limits push-update notification frequency. Excessive updates can trigger throttling or a manual review.
- Location-relevant triggers must correspond to a genuine relevance. You cannot blanket a city with hundreds of geofences and call each one relevant.
- Google restricts the number of geofence locations and requires that pass content match the pass type classification.
Certificate hygiene is critical. Both platforms require that your signing credentials are securely stored, never shared with unauthorized parties, and used only for their declared purpose. If you use a third-party wallet pass provider like PassMint, make sure the provider's certificate management practices are documented and covered in your contract. Your compliance posture is only as strong as the weakest link in your signing chain.
When Compliance Failures Hit Real Wallet Pass Programs
These are not hypothetical scenarios. They are patterns that have played out across the industry. The following anonymized examples are representative of what can go wrong.
The European retailer referenced in the introduction deployed aggressive geofencing across more than 200 store locations without a GDPR-compliant consent mechanism for location processing. A customer complaint to a Data Protection Authority triggered an investigation. Apple was notified during the inquiry and revoked the signing certificate during the review period. Result: more than a week offline, hundreds of thousands of non-functional passes, and significant lost loyalty redemptions.
A US event ticketing company shared wallet pass scan data, including entry times, venue location, and device type, with a third-party sponsor analytics platform. They never disclosed this as sharing under CCPA. A consumer rights group filed a complaint. This led to legal demands and a settlement. The company had to implement a full preference mechanism and reissue active passes with updated privacy disclosures on the back of each pass.
A fintech startup used Apple Wallet generic passes to deliver promotional offers disguised as coupons. They pushed multiple updates per week with rotating marketing messages. Apple flagged the behavior as advertising misuse, revoked their pass type ID, and required a full re-application with a detailed content plan. The reinstatement process took several weeks with no wallet pass functionality.
The common thread across all three cases is stark. Compliance failures in wallet pass programs do not only produce fines. They produce operational shutdowns. The platform providers hold ultimate control over your pass-signing credentials, and they will exercise that control.
The Wallet Pass Compliance Checklist Framework
Here is a structured checklist organized into four categories. Use it as a starting point for your internal compliance review.
Category 1: Data Privacy and GDPR
- [ ] Have you documented a lawful basis (consent, legitimate interest, or contract performance) for each type of personal data processed through your wallet passes?
- [ ] Have you applied data minimization to your pass design, encoding only the minimum PII necessary on the pass itself?
- [ ] Have you completed a Data Protection Impact Assessment (DPIA) for any location-based features in your pass program?
- [ ] Is a cross-border data transfer mechanism (SCCs or adequacy decision) in place if your update server is outside the EU?
- [ ] Have you implemented a server-side erasure endpoint that strips PII from the pass payload and pushes a deactivated update upon a GDPR deletion request?
- [ ] Is your privacy policy linked from the pass's back fields so users can access it directly from their wallet?
- [ ] Do you have a separate, explicit consent mechanism for location-triggered notifications?
Category 2: CCPA and US State Laws
- [ ] Does your privacy policy explicitly disclose wallet pass data collection, including what data is collected and how it is used?
- [ ] Does your Do Not Sell or Share mechanism cover pass engagement data shared with third-party analytics providers?
- [ ] Have you implemented a sensitive personal information restriction mechanism for precise geolocation from pass triggers?
- [ ] Does your internal data inventory include all wallet pass fields and their classification?
- [ ] Do your vendor agreements with pass analytics providers include CCPA and CPRA compliant data processing terms?
Category 3: Apple Wallet Platform Policies
- [ ] Does each pass provide clear utility to the user beyond marketing messaging?
- [ ] Do your location triggers correspond only to venues where the pass is genuinely relevant?
- [ ] Is your update frequency reasonable and driven by meaningful content changes, not promotional rotation?
- [ ] Does your pass design follow Apple's Human Interface Guidelines for Wallet?
- [ ] Is your pass-signing certificate stored securely with documented access controls?
- [ ] Have you verified that no pass content is primarily advertising in nature?
Category 4: Google Wallet Platform Policies
- [ ] Does your issuer account have a valid, accessible privacy policy URL?
- [ ] Does your pass type classification accurately match the actual pass content?
- [ ] Is your geofence count within Google's platform limits?
- [ ] Is all pass content accurate, current, and not misleading?
- [ ] Is your issuer account in good standing with a regular internal review cadence?

PassMint provides a downloadable PDF version of this checklist, pre-configured for teams to use in their compliance review process. You can find it in the resources section of our website and share it with your legal and engineering teams.
Build Pass Programs That Last
Wallet passes are one of the strongest direct-to-device engagement channels available today. They sit on a user's home screen, surface at the right moment, and update in real time. Their unique position creates a wide compliance surface area, though. They live on a personal device, carry PII, trigger location-aware notifications, and depend on platform-controlled signing credentials. Most teams underestimate this.
The companies that succeed with wallet passes at scale treat compliance as a trust-building feature, not just a legal checkbox. When a user adds your pass to their wallet, they grant you a level of access to their daily life that few other channels offer. Respecting that access through clear data practices and policy adherence is legally required. It is also good business.
PassMint is designed to support GDPR-friendly data minimization in pass design and platform-policy-aligned update management. Our API and SDK handle key parts of the compliance infrastructure so your team can focus on building great pass experiences.
Ready to get started? Download the latest version of the compliance checklist from our resources page or contact the PassMint team through our website to discuss how compliance fits into your wallet pass architecture.