Exercising the CCPA Opt-out Right on Android: Legally Mandated but Practically Challenging
Sebastian Zimmeck, Nishant Aggarwal, Zachary Liu, Sage Altman, Konrad Kollnig
TL;DR
This study investigates the CCPA opt-out right on Android by evaluating two mechanisms across large Android app datasets: app-level UI opt-out controls and Global Privacy Control (GPC) signals. It finds a substantial compliance gap: only 48 of 100 popular apps provide a dedicated opt-out UI, and GPC signals have little practical effect on curbing ad-tracking practices, even when apps' access to the AdID is disabled. The results suggest that platform-level support is necessary, and the authors advocate repurposing the Android AdID setting as a universal opt-out setting to better enforce privacy rights across apps. The work highlights the need for regulatory guidance and platform design changes to realize effective opt-out rights on mobile devices.
Abstract
Many mobile apps' business model is based on sharing user data with ad networks to deliver personalized ads. The California Consumer Privacy Act (CCPA) gives California residents a right to opt out. In two experiments we evaluate to what extent popular Android apps enable California residents to exercise their right. In our first experiment -- manually exercising the right via app-level UIs -- we find that only 48 out of 100 apps implement a corresponding setting, which suggests that CCPA opt-out right compliance on the Android platform is generally low. In our second experiment -- automatically exercising the opt-out right by sending Global Privacy Control (GPC) signals -- we find for an app dataset of 1,811 apps that GPC is largely ineffective. While we estimate with 95% confidence that 62% to 81% of apps in our app dataset must respect the CCPA opt-out right, many apps do not do so. Our evaluation of disabling apps' access to the AdID -- which is technically not intended for exercising the CCPA opt-out right but could be practically effective -- does not change our conclusion. For example, when sending GPC signals and disabling apps' access to the AdID, 338 apps still had the ccpa status of the ad network Vungle set to opted_in while only 26 had set it to opted_out. Overall, our results suggest a compliance gap as California residents have no effective way of exercising their CCPA opt-out right on the Android platform, neither at the app level nor at the platform level. We think that re-purposing the Android AdID setting as an opt-out right setting with legal meaning under the CCPA and other laws could close this gap and improve users' privacy on the platform significantly.
