On January 27, 2023, Rob Bonta, the California AG, declared that mobile apps that fail to comply with the CCPA are being investigated.
He further noted that this ‘investigative sweep’ focuses on apps in the retail, travel, and food service industries that don’t comply with:
Opt-out requests (the sale or share of data and more)
Under the CCPA, consumers have the right to opt-out of the
Businesses are also required to honor universal opt-out signals, such as the Global Privacy Control (GPC).
NOTE: GPC is still not available for mobile apps, but it is important for businesses to note universal opt-out signals when complying with opt-out requirements.
The CCPA (amended by the CPRA), has a well-defined set of instructions for covered businesses to follow to ensure compliance with opt-out requirements.
Organizations need to make sure that their mobile apps have the right mechanisms in place to provide consumers with information on their rights and the ability to opt out.
Consumer requests via an authorized agent
Along with the opt-out rights mentioned above, consumers also have the following rights they can exercise under the CCPA.
These rights can be exercised by the consumer directly, or via an authorized agent.
Who qualifies as an authorized agent?
An authorized agent is defined as an entity that submits requests on behalf of consumers. These are tools that scrape an individual’s email inbox and send out emails in bulk to organizations requesting data access, deletion, or correction.
Given the CCPA’s 45-day response timeline for consumer rights requests, organizations need to monitor their inbox for authorized agent requests and have workflows in place to deal with consumer rights requests via this channel.
This includes verifying the requestor’s
Employees that handle consumer rights requests may require additional training to learn how to handle requests via an authorized agent.
What this means for your organization
If your organization has a mobile app and has users that are California residents, then you need to ensure the following is in place in your application.
How OneTrust can help
With OneTrust, your organization can operationalize CCPA compliance and go beyond, getting the most done with the least manual effort while providing your users with the best privacy-first experience.
OneTrust Mobile App Consent audits your app for any tracking technologies and identifiers present while mapping consent options based on your organization’s regulatory requirements. It also handles syncing user preferences across multiple devices and continuously monitors consent receipts to demonstrate compliance and optimize accordingly.
OneTrust Privacy Rights Automation ensures your privacy rights fulfillment center can handle authorized agent requests, with integration workflows that can be configured to
You can also see what type of data requests your organization is receiving, how many, and where they’re coming from with detailed reporting and customizable dashboards.
Learn more about how OneTrust Mobile App Consent and Privacy Rights Automation can help your organization with by requesting a demo or a free trial today.