Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA)

Authors: Nikita Samarin (UC Berkeley and ICSI), Shayna Kothari (UC Berkeley), Zaina Siyed (UC Berkeley), Oscar Bjorkman (UC Berkeley), Reena Yuan (UC Berkeley), Primal Wijesekera (UC Berkeley and ICSI), Noura Alomar (UC Berkeley), Jordan Fischer (UC Berkeley and Drexel Kline School of Law), Chris Hoofnagle (UC Berkeley), Serge Egelman (UC Berkeley and ICSI)

Volume: 2023
Issue: 3
Pages: 103–121
DOI: https://doi.org/10.56553/popets-2023-0072

Download PDF

Abstract: The California Consumer Privacy Act (CCPA) provides California residents with a range of enhanced privacy protections and rights. Our research investigated the extent to which Android app developers comply with the provisions of the CCPA that require them to provide consumers with accurate privacy notices and respond to "verifiable consumer requests" (VCRs) by disclosing personal information that they have collected, used, or shared about consumers for a business or commercial purpose. We compared the actual network traffic of 109 apps that we believe must comply with the CCPA to the data that apps state they collect in their privacy policies and the data contained in responses to "right to know" requests that we submitted to the app's developers. Of the 69 app developers who substantively replied to our requests, all but one provided specific pieces of personal data (as opposed to only categorical information). However, a significant percentage of apps collected information that was not disclosed, including identifiers (55 apps, 80%), geolocation data (21 apps, 30%), and sensory data (18 apps, 26%) among other categories. We discuss improvements to the CCPA that could help app developers comply with "right to know" requests and other related regulations.

Keywords: privacy, enhancing, technologies, compliance

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.