📝 SummarXiv

Abstract

Many mobile apps' business model is based on generating revenue from sharing user data with ad networks and other companies to deliver personalized ads. The California Consumer Privacy Act (CCPA) gives consumers a right to opt out of the selling and sharing of their personal information. In two experiments we evaluate to which extent popular apps on the Android platform enable users to exercise their CCPA opt-out right. In our first experiment -- manually opting out via app-level UIs for a set of 100 apps -- we find that despite this legal requirement, only 48 apps implement such legally mandated setting suggesting a broad level of non-compliance. In our second experiment -- opting out by sending Global Privacy Control (GPC) signals and disabling the AdID -- we automate a dynamic analysis for an app dataset of 1,811 apps to evaluate whether platform-level opt-out settings are effective to exercise the CCPA opt-out right. While we estimate with 95% confidence that 62%--81% of apps in our app dataset must honor the CCPA's opt-out right, many apps do not do so. For example, when sending GPC signals and disabling apps' access to the AdID, 338 apps still had the `ccpa status` of the ad network Vungle set to `opted in` while only 26 had set it to `opted out`. Overall, our results suggest a compliance gap as Android users have no effective way of exercising their CCPA opt-out right; neither at the app- nor at the platform-level. We think that re-purposing the Android AdID setting as an opt-out right setting with legal meaning could resolve this compliance gap and improve users' privacy on the platform overall.