
California’s Privacy Scrutiny: What Should App Publishers Prepare For?

California regulators have set their sights on mobile app compliance with CCPA in 2023, and app makers with users in the Golden State need to be prepared. In this article, we cover what legislators are looking at and how you can turn this threat into an opportunity with optimized consent management.
by Usercentrics
May 31, 2023

Does your business currently, or does it plan to:

  • Have a gross annual revenue of over $25 million?
  • Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices?
  • Derive 50% or more of its annual revenue from selling California residents’ personal information?

You’re going to want to ensure you’re keeping an eye on—and adhering to—the changes to the rules and regulations outlined in the CCPA.


California Attorney General Rob Bonta’s investigative sweep ahead of Data Privacy Day has generated much attention toward apps not honoring users’ opt-out requests. The sweep primarily targeted apps in the retail, food service, and travel industries that failed to comply with legislation that gives users the right to opt out of data sales.


It also alerted app makers that don’t process opt-out requests from CCPA-authorized agents such as Permission Slip, a Consumer Reports app that lets consumers send opt-out requests to delete personal information.


This app scrutiny is raising app-maker eyebrows, especially at a time when mobile ad spend is set to hit $362B in 2023. The State of Mobile Gaming Report 2023 by also shows that 1419 apps and games generated over $10 million in revenue in 2022 alone.


App makers must hop on board with user-enabled global privacy controls or risk missing out on a ton of revenue. In this article, you’ll learn what to be aware of as app makers and how you can optimize user consent management for complete compliance.

California legislators have all eyes on mobile in 2023

Mobile apps add to users’ convenience with on-the-go capabilities, but user consent has typically been an afterthought for apps. Organizations cross all the Ts and dot all the Is when it comes to web properties, but apps aren’t treated with the same precaution—and legislators are cracking down on it. Users shouldn’t have to sacrifice privacy or sensitive information to enjoy the convenience mobile apps bring; California legislators have their eyes on mobile apps in 2023.


And this isn’t the first time CCPA regulations have been enforced, either. General Bonta’s first CCPA enforcement action in 2022 resulted in a $1.2 million settlement with Sephora, Inc. (Sephora), a French multinational personal care and beauty products retailer. Sephora sold customers’ personal information without their knowledge and failed to honor opt-out requests. To make matters worse, the multinational retailer also failed to address the violations within the CCPA’s 30-day notice period.


User consent violations hit you where it hurts the most—your wallet. CNIL, the French Data Protection Agency, slapped Voodoo with a €3 million fine for using an advertising identifier in their apps without user consent. This advertising identifier collected users’ browsing habit data for advertising purposes, even when users didn’t opt in.


So, how do you avoid these financial penalties as an app maker? Keep reading.

What should app makers be aware of?

The CCPA regulations require organizations to be transparent about how they collect, share, and use consumers’ personal information. It also mandates that companies must explain their privacy practices with certain notices and respond to and respect consumer opt-out requests.


Here’s how you can stay on top of privacy regulations.

Focus on consumer rights


Before anything else, app developers must review existing processes for handling consumer rights requests, even if they aren’t based in California. This process review reveals your technical ability to manage consumer requests.


You must review and streamline workflows for fulfilling consumers’ data access or deletion requests. You should also consider creating a process for users to request a copy of their data, as they are entitled to under CCPA regulations.

Respect universal opt-out mechanisms


The need to honor universal opt-out mechanisms has been a recurring theme in both the Sephora enforcement and this year’s investigative sweep. Mobile app environments—unlike websites or desktop environments—can’t create a browser setting to remember and enforce users’ privacy preferences.


It’s for this reason that the Attorney General’s Office urged technology providers to implement global privacy controls that users can access globally on mobile operating systems.


While there are no global privacy controls for mobile operating systems, app makers should watch for new standards and help mobile app ecosystem stakeholders in developing new opt-out mechanisms.

Limits in sharing personal data


The CCPA regulations now allow users to opt out of not only the sale of their personal data, but also the release, disclosure, dissemination, or availability of their data to other parties. So, app makers must follow these rules in their vendor contracts and in how they handle data internally.


Some consent management platforms (CMPs) use ‘strictly necessary cookies’ as the default classification for everyone, because that’s more in line with the EU’s GDPR than the CCPA. For example, unlike the GDPR, the CCPA requires third-party integrations for analytics and functionality purposes to offer opt-out choices. Choosing CMPs offering complete compliance and third-party cookie opt-out options is the best way to deal with this.


Also, consider consulting with privacy professionals to understand the opt-out policies your third-party software development kits should have.

Consumer requests from authorized agents


The CCPA puts the onus on app makers to verify and respond to consumers’ personal information deletion requests via agents. Now, that’s a challenge with so many emerging services trying to help users with data requests. While this is a developing area, app creators must find a way to verify the legitimacy of these agent requests.


Now that you know how to adhere to the consent opt-out rules, let’s see how it can benefit you.

Seeing data privacy as an obstacle to business growth is a mistake. User consent can be every app maker’s secret weapon in beating the competition.


Let’s look at the benefits you can get from robust consent management.

Greater opportunities for outcome-based marketing


The days of spending hundreds of ad dollars for random impressions and clicks are over. Mobile marketing ROI gets way better when you use user consent to drive outcome-based marketing—the process of showing targeted ads based on user behavior and desires.


Using a CMP to seamlessly integrate user consent transactions across processes enables you to improve ROI with personalized marketing content.

Increase brand loyalty from consumers


Consumers’ sentiments and perceptions around data privacy deeply impact their loyalty to your brand. A 2021 KPMG study surveying U.S. adults and business leaders shows that 40% don’t trust companies to ethically use their data, and 30% are unwilling to share personal data for any reason.


However, if consumers do trust your brand to securely manage their data, they’re more likely to share it with you. The UK Data & Marketing Association found a 100% increase in users’ willingness to share personal data—highlighting the importance consumers place on data security and protection. This is echoed by a number of other studies, too:

  • 80% of consumers say they’re more likely to purchase from companies they believe protect clients’ data (Cisco Report)
  • 84% of consumers are more likely to be loyal to a company if they have strong data security controls (Adobe)
  • Over 66% of consumers have said they would stop supporting a company if their data was breached or shared without permission (Salesforce Research)

When you’re upfront about the data you collect, use, and share, people know what they’re getting into and can say yes or no more easily. This data transparency results in consumers trusting and sticking to your brand.

Optimized user lifecycle management


Building customer trust is also key to streamlining user acquisition and retention. If you want to store user data in the CRM, you must have customer consent. When there’s no data in CRM, you can’t target potential leads with remarketing campaigns.


Efficient user consent collection and management not only helps you comply with data privacy regulations and avoid hefty penalties, but it also ensures you’ve got access to your customers throughout the user lifecycle.


Today’s regulatory environment needs you to be agile in protecting user privacy, while business needs still require you to focus on maximizing revenue. With app SDKs, this challenging task becomes much easier.


One such solution is Usercentrics’ apps SDK, the most preferred choice for apps for CCPA, LGPD, and GDPR compliance.


This fully customizable consent management solution lets you build a trustworthy experience for privacy-centered monetization. You can easily install and configure the solution for all apps and devices, including Android, iOS, tvOS, Android TV, and Unity SDK—ensuring you’re abiding by all user data regulations.


Start optimizing mobile app user consent with an expert consultation today.
