Exercising the CCPA Opt-out Right on Android: Legally Mandated but Practically Challenging

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Many mobile apps’ business model is based on sharing user data with ad networks to deliver personalized ads. The California Consumer Privacy Act (CCPA) gives California residents a right to opt out. In two experiments we evaluate to which extent popular Android apps enable California residents to exercise their right. In our first experiment – manually exercising the right via app-level UIs – we find that only 48 out of 100 apps implement a respective setting, which suggests that CCPA opt-out right compliance on the Android platform is generally low. In our second experiment – automatically exercising the opt-out right by sending Global Privacy Control (GPC) signals – we find for an app dataset of 1,811 apps that GPC is largely ineffective. While we estimate with 95% confidence that 62%–81% of apps in our app dataset must respect the CCPA opt-out right, many apps do not do so. Our evaluation of disabling apps’ access to the AdID – which is technically not intended for exercising the CCPA opt-out right but could be practically effective – does not change our conclusion. For example, when sending GPC signals and disabling apps’ access to the AdID, 338 apps still had the ccpa status of the ad network Vungle set to opted_in while only 26 had set it to opted_out. Overall, our results suggest a compliance gap as California residents have no effective way of exercising their CCPA opt-out right on the Android platform; neither at the app nor at the platform-level. We think that re-purposing the Android AdID setting as an opt-out right setting with legal meaning under the CCPA and other laws could close this gap and improve users’ privacy on the platform significantly.


💡 Research Summary

The paper investigates how effectively California residents can exercise their California Consumer Privacy Act (CCPA) “opt‑out of sale or sharing” right on Android devices. The authors conduct two large‑scale experiments. In the first, they manually inspect the user interfaces of 100 popular Android apps to see whether each app offers a clear mechanism for a user to opt out. Only 48 apps (48 %) provide an explicit opt‑out setting; the remainder either lack any option or hide it deep within menus, indicating a substantial UI‑level compliance gap.

The second experiment evaluates the technical enforcement of the opt‑out via Global Privacy Control (GPC), a binary HTTP header (`Sec-GPC: 1`) that the California Attorney General has mandated as a valid opt‑out signal since January 2021. The authors instrument a dynamic analysis platform that intercepts all outbound HTTP requests from 1,811 popular Android apps and injects the GPC header. They also test the effect of disabling the Android Advertising ID (AdID), a device‑level identifier that, while not legally defined for CCPA opt‑out, is used by Google to limit ad‑tracking when turned off.

Results show that GPC signals are largely ignored. Even when GPC is sent together with AdID disabling, the majority of ad‑network integrations (e.g., Vungle) continue to report a status of “opted_in”. Specifically, 338 apps still had Vungle’s ccpa status set to opted_in, while only 26 apps reported opted_out. This demonstrates that Android lacks a platform‑level mechanism to propagate or honor GPC, leaving compliance to individual app developers who often do not implement it.
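
The measurement described above can be reproduced on one's own proxy captures with a small classifier. The following is an added example, not code from the paper or its authors: it checks whether each intercepted ad-network request carried Sec-GPC: 1 and what ccpa status its body reports, then gives each app its worst-case verdict. The package names, the capture record format and the JSON layout of the request bodies are assumptions; only the ccpa status field and its opted_in / opted_out values come from the text.

```python
import json
from collections import Counter

# Constructed captures (not data from the paper): ad-network requests recorded
# by an intercepting proxy. The JSON layout is an assumption; only the "ccpa"
# status field and its opted_in / opted_out values come from the text above.
CAPTURES = [
    {"app": "com.example.game", "headers": {"sec-gpc": "1"},
     "body": '{"user": {"ccpa": {"status": "opted_out"}}}'},
    {"app": "com.example.chat", "headers": {"Sec-GPC": "1"},
     "body": '{"user": {"ccpa": {"status": "opted_out"}}}'},
    {"app": "com.example.chat", "headers": {"Sec-GPC": "1"},
     "body": '{"ext": [{"ccpa": {"status": "opted_in"}}]}'},
    {"app": "com.example.maps", "headers": {"Sec-GPC": "1"},
     "body": "not-json-payload"},
]
RANK = {"unknown": 0, "opted_out": 1, "gpc_ignored": 2}

def find_ccpa_status(node):
    """Depth-first search for the first {"ccpa": {"status": ...}} object."""
    if isinstance(node, dict):
        ccpa = node.get("ccpa")
        if isinstance(ccpa, dict) and "status" in ccpa:
            return ccpa["status"]
        node = list(node.values())
    if isinstance(node, list):
        hits = (find_ccpa_status(child) for child in node)
        return next((s for s in hits if s is not None), None)
    return None

def classify(capture):
    """Verdict for one request: was the opt-out signal reflected downstream?"""
    gpc = any(k.lower() == "sec-gpc" and v.strip() == "1"
              for k, v in capture["headers"].items())
    try:
        status = find_ccpa_status(json.loads(capture["body"]))
    except json.JSONDecodeError:
        return "unknown"  # opaque or binary payload: nothing to conclude
    if status == "opted_out":
        return "opted_out"
    return "gpc_ignored" if gpc and status == "opted_in" else "unknown"

def tally_by_app(captures):
    """Per-app verdict: one opted_in request under GPC marks the whole app."""
    worst = {}
    for c in captures:
        verdict = classify(c)
        if RANK[verdict] >= RANK[worst.get(c["app"], "unknown")]:
            worst[c["app"]] = verdict
    return Counter(worst.values())
```

Aggregating per app rather than per request matters because a single app can send both statuses, as the constructed com.example.chat entries show.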

Legal analysis estimates that 62 %–81 % of the apps in the dataset are subject to CCPA (based on self‑declared applicability and thresholds for data sales/sharing). Therefore, a large proportion of apps that are legally required to honor the opt‑out are failing to do so, creating a clear compliance gap.

The authors propose repurposing the existing Android AdID setting as a legally meaningful opt‑out toggle. Google already prohibits the use of AdID for personalized advertising when users disable it; aligning this technical control with the CCPA “Do Not Sell or Share My Personal Information” requirement would give users a single, platform‑wide mechanism to exercise their right, reduce developers’ implementation burden, and improve overall compliance. They also suggest that Android introduce native support for GPC (e.g., a system‑wide setting and API) to standardize signal propagation across apps.

In conclusion, the study reveals that while CCPA mandates an opt‑out right, Android users currently lack effective means—neither at the app UI level nor via platform‑level privacy signals—to exercise it. The paper’s empirical evidence highlights the need for platform providers, regulators, and app developers to collaborate on integrating legal opt‑out mechanisms into Android’s privacy architecture, with the repurposed AdID toggle offering a pragmatic interim solution.

