Lessons in VCR Repair: Compliance of Android App Developers with the   California Consumer Privacy Act (CCPA)

Nikita Samarin; Shayna Kothari; Zaina Siyed; Oscar Bjorkman; Reena; Yuan; Primal Wijesekera; Noura Alomar; Jordan Fischer; Chris Hoofnagle and; Serge Egelman

arXiv:2304.00944·cs.CR·April 4, 2023·1 cites

Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA)

Nikita Samarin, Shayna Kothari, Zaina Siyed, Oscar Bjorkman, Reena, Yuan, Primal Wijesekera, Noura Alomar, Jordan Fischer, Chris Hoofnagle and, Serge Egelman

PDF

Open Access

TL;DR

This study examines Android app developers' compliance with the CCPA by analyzing network traffic, privacy policies, and developer responses, revealing gaps between disclosed and collected data and suggesting regulatory improvements.

Contribution

It provides an empirical analysis of CCPA compliance among Android apps, highlighting discrepancies and proposing enhancements to the regulation to improve developer adherence.

Findings

01

Most developers responded to data requests with specific information

02

Many apps collected undisclosed personal data, including identifiers and geolocation

03

Significant compliance gaps were identified in data disclosure practices

Abstract

The California Consumer Privacy Act (CCPA) provides California residents with a range of enhanced privacy protections and rights. Our research investigated the extent to which Android app developers comply with the provisions of the CCPA that require them to provide consumers with accurate privacy notices and respond to "verifiable consumer requests" (VCRs) by disclosing personal information that they have collected, used, or shared about consumers for a business or commercial purpose. We compared the actual network traffic of 109 apps that we believe must comply with the CCPA to the data that apps state they collect in their privacy policies and the data contained in responses to "right to know" requests that we submitted to the app's developers. Of the 69 app developers who substantively replied to our requests, all but one provided specific pieces of personal data (as opposed to only…

Peer Reviews

No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.

Videos

No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.

Taxonomy

TopicsPrivacy, Security, and Data Protection · Advanced Malware Detection Techniques · Mobile Health and mHealth Applications