Keywords: Public Policy, Privacy, IoT

2021

Investigating the Compliance of Android App Developers with the California Consumer Privacy Act (CCPA)

Nikita Samarin, PhD Student, EECS, UC Berkeley
Chris Hoofnagle, Professor of Law in Residence and Adjunct Professor, School of Information, UC Berkeley
Jordan Fischer, Professor of Law and Lecturer, School of Information, UC Berkeley and Drexel University School of Law
Primal Wijesekera, Staff Research Scientist, International Computer Science Institute, UC Berkeley

The United States lacks a comprehensive federal privacy regulation and instead relies on industry-specific or state-specific discrete privacy laws. On the state level, the California Consumer Privacy Act (CCPA)—which came into effect on January 1, 2020, and became enforceable on July 1, 2020—was enacted to provide enhanced privacy protections and rights for California residents. Our proposed project aims to investigate the extent to which Android app developers comply with the provisions of the CCPA that require them to provide consumers with accurate privacy notices and respond to consumers’ “request to know” by disclosing personal information that they have collected, used or shared about them for a business or commercial purpose. In doing so, we aim to answer two fundamental questions regarding the efficacy of CCPA in enhancing privacy protections for California residents with respect to personal information collected by mobile app developers. First, is the information provided by developers in response to “right to know” requests complete and accurate, and does the response accurately explain how this data has been collected, used, and shared? Second, are consumers able to successfully request, obtain, and interpret the information provided by the app developers in response to a “right to know” request? The results of this work will be of particular interest to policymakers and regulators at both the state and the federal level, as well as outside of the US, who are currently enacting or considering passing similar privacy regulations in their jurisdictions.