The business model of many mobile apps is based on generating revenue from sharing user data with ad networks and other companies to deliver personalized ads. The California Consumer Privacy Act (CCPA) gives California residents a right to opt out of the selling and sharing of their personal information. In two experiments we evaluate to which extent popular apps on the Android platform enable California residents to exercise their CCPA opt-out right. In our first experiment -- manually exercising the opt-out right via app-level UIs for a set of 100 apps -- we find that only 48 apps implement the legally mandated setting, which suggests that CCPA opt-out right non-compliance is a broader issue on the platform. In our second experiment -- automatically exercising the opt-out right at the platform-level by sending Global Privacy Control (GPC) signals -- we find for an app dataset of 1,811 apps that GPC is largely ineffective. While we estimate with 95% confidence that 62%--81% of apps in our app dataset must respect the CCPA's opt-out right, many apps do not do so. Disabling apps' access to the AdID, which is not intended for exercising the CCPA opt-out right but could have practical effect in this regard, does not lead to a different result. For example, when sending GPC signals and disabling apps' access to the AdID, 338 apps still had the ccpa status of the ad network Vungle set to opted in while only 26 had set it to opted out. Overall, our results suggest a compliance gap as California residents have no effective way of exercising their CCPA opt-out right on the Android platform; neither at the app- nor at the platform-level. We think that re-purposing the Android AdID setting as an opt-out right setting with legal meaning could resolve this compliance gap under the CCPA and other laws and improve users' privacy on the platform overall.