Many mobile apps derive significant revenue from personalized advertising and share detailed data about their users with ad networks, data brokers, and other companies. This third-party tracking has widely been shown to lack transparency and user choice, even though it has been around for more than two decades. Since 2013, Android users can enable the AdID setting on their devices to opt out of interest-based ads. In addition, if applicable, the California Consumer Privacy Act of 2018 (CCPA) gives users an opt-out right from the selling and sharing of personal information, including ad tracking. Users can exercise this right via Global Privacy Control (GPC). Interestingly, prior literature has not studied whether either of these two privacy choice mechanisms - the Android AdID setting or GPC - actually limit tracking. Analyzing the network traffic of 1,811 top-free apps from the US Google Play Store, we find that neither the Android AdID setting nor GPC has substantial impact on apps' data selling and sharing practices. This is despite the fact that at least 70% of the apps we examine must respect the CCPA opt-out right via GPC. Additionally, the European General Data Protection Regulation (GDPR) has worldwide scope for certain apps. In this regard, we show that at least 15% of the examined apps must grant EU protections to people outside the EU, including the GDPR's consent and opt-out requirements relating to ads. We find a lack thereof and conclude that more action is needed to protect users' legally mandated opt-out rights, in both the EU and US.
View on arXiv