CCPA California compliance for mobile app

TRUETECH is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.


Ensuring CCPA Compliance in Mobile Applications

CCPA (California Consumer Privacy Act), together with the CPRA amendments, is a California law that has become the de facto US standard. If the app serves California residents and the business exceeds any of the thresholds ($25M annual revenue, or 100K+ consumers, or 50%+ of revenue from selling data), CCPA compliance is mandatory.

Key difference from GDPR: CCPA does not require consent before collection. Instead it requires a right to opt out of data sales and a right to deletion. This changes the implementation architecture.

"Data Sale" — Broader Than It Seems

CCPA defines "sale" very broadly: any transfer of data to a third party for "valuable consideration", which includes ad networks, analytics platforms that receive behavioral data, and data brokers. Passing data to the Facebook SDK for advertising purposes is a "sale" under CCPA.

This means that most apps with ad monetization technically "sell" data and must provide an opt-out right.

"Do Not Sell or Share My Personal Information" — Technical Implementation

The button must be prominent; the App Store will not accept it hidden in the fifth settings tab. In practice, it belongs in the main profile settings menu.

// CCPA opt-out status storage (iOS). Assumed SDKs: FBSDKCoreKit, GoogleMobileAds, Adjust v4.
import Foundation
import FBSDKCoreKit
import GoogleMobileAds
import Adjust

class CCPAManager {
    private let defaults = UserDefaults.standard
    private let optOutKey = "ccpa_do_not_sell"
    // Registered on every GADRequest so the flag actually reaches AdMob
    private let adMobExtras = GADExtras()
    // Injected by the app: pushes the flag to the backend so it survives a reinstall
    var syncToServer: (Bool) -> Void = { _ in }

    var isOptedOut: Bool {
        get { defaults.bool(forKey: optOutKey) }
        set {
            defaults.set(newValue, forKey: optOutKey)
            updateThirdPartySDKs(optOut: newValue)
            syncToServer(newValue)
        }
    }

    // Build ad requests through this so the current opt-out state is always attached
    func makeAdRequest() -> GADRequest {
        let request = GADRequest()
        request.register(adMobExtras)
        return request
    }

    private func updateThirdPartySDKs(optOut: Bool) {
        // Meta: Limited Data Use restricts processing for California; empty list turns it off
        Settings.shared.setDataProcessingOptions(optOut ? ["LDU"] : [], country: 0, state: 0)

        // Google AdMob: restricted data processing ("rdp") plus non-personalized ads ("npa")
        adMobExtras.additionalParameters = ["rdp": optOut ? 1 : 0, "npa": optOut ? "1" : "0"]
        defaults.set(optOut ? 1 : 0, forKey: "gad_rdp")

        // Adjust: toggle third-party sharing in both directions
        // (replaces the one-way Adjust.disableThirdPartySharing())
        let sharing = ADJThirdPartySharing(isEnabledNumberBool: NSNumber(value: !optOut))
        Adjust.trackThirdPartySharing(sharing)
    }
}

Important: the opt-out must persist between sessions and sync to the server, so that the setting is restored after an app reinstall.

Global Privacy Control

Browsers have started supporting Global Privacy Control (GPC), a "don't sell" signal sent as the HTTP header Sec-GPC: 1. CPRA (the 2023 update) requires operators to respect GPC. There is no browser GPC in native mobile apps, but IAB's Global Privacy Platform (GPP) fills the gap for mobile: it stores the consent string in NSUserDefaults / SharedPreferences under standard keys that all compatible SDKs read automatically.
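As an added example (not the page's code), the two signals combined on the web/PWA side of such an app, in JavaScript: resolve the effective opt-out from the stored toggle and the Sec-GPC request header, and encode it as the IAB US Privacy String (the CCPA signal that GPP carries as its uspv1 section and that native SDKs read under the IABUSPrivacy_String key). Treating GPC as an opt-out request that a stored "not opted out" cannot override follows CPRA; the lower-case header keys are an assumption (Node's http module provides them that way).

```javascript
// Added example: effective CCPA opt-out on a web/PWA client, plus the IAB US Privacy String.
const USP_KEY = "IABUSPrivacy_String"; // standard key read by CCPA-aware ad/analytics SDKs

// "Sec-GPC: 1" is a valid opt-out request under CPRA, so it is honored even if the user never
// touched the in-app toggle. A stored opt-out is never undone by a missing or "0" signal.
function resolveOptOut({ headers = {}, storedOptOut = false }) {
  const gpc = String(headers["sec-gpc"] ?? "").trim() === "1";
  const source = gpc ? "gpc" : storedOptOut ? "stored" : "none";
  return { optedOut: storedOptOut || gpc, source };
}

// US Privacy String v1: [version][notice given][opt-out of sale][LSPA covered].
// Each flag is Y or N; null means "not applicable" (e.g. non-California user) and encodes as "-".
function usPrivacyString({ noticeGiven, optedOut, lspa = false }) {
  const flag = (v) => (v === null ? "-" : v ? "Y" : "N");
  return "1" + flag(noticeGiven) + flag(optedOut) + flag(lspa);
}

// Validate a stored string before trusting it. Anything malformed returns null, so a corrupted
// value cannot silently read as "not opted out".
function parseUsPrivacyString(s) {
  if (typeof s !== "string" || !/^1[YN-]{3}$/.test(s)) return null;
  const val = (c) => (c === "-" ? null : c === "Y");
  return { version: 1, noticeGiven: val(s[1]), optedOut: val(s[2]), lspa: val(s[3]) };
}

// Whatever the app persists under USP_KEY should come from resolveOptOut, not the raw toggle
function signalFor(headers, storedOptOut) {
  const { optedOut } = resolveOptOut({ headers, storedOptOut });
  return usPrivacyString({ noticeGiven: true, optedOut });
}
```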

Consumer Rights Under CCPA

Right                | SLA       | Technical Implementation
Right to Know        | 45 days   | "My Data" screen + export
Right to Delete      | 45 days   | Delete account workflow
Right to Correct     | 45 days   | Edit profile + sync
Right to Opt-Out     | Immediate | "Do Not Sell" toggle
Right to Portability | 45 days   | Data export as JSON/CSV

"Right to Know" is not just the category list in the Privacy Policy. On request, the business must provide the specific user data collected over the last 12 months. That means the backend needs an API able to aggregate data by userId.

Request Verification

CCPA forbids fulfilling deletion requests without identity verification; otherwise an attacker could delete someone else's data. Acceptable methods: email verification (link), re-authentication in the app, SMS OTP.

For registered users, re-authentication is sufficient. For unregistered requests (by email or phone), two-step verification is needed.

Limited Processing of Sensitive Data (CPRA)

CPRA added a "sensitive personal information" category with a right to limit its processing. It includes: SSN, financial data, precise geolocation, biometrics, health data, children's data. For these, a separate "Limit the Use of My Sensitive Personal Information" button is needed.

Privacy Notice at Collection

CCPA requires "notice at collection": a notification at the moment data is collected. For a mobile app: before the location permission request, a brief explanation of why geolocation is collected and how long it is stored. Before the contacts request, the same.

Timeline: basic implementation (opt-out, deletion/export rights, notice at collection): 2–3 days. With GPP/IAB integration and full backend workflow: 4–6 days.