What California’s CCPA investigative sweep means for your mobile applications

The California Attorney General (AG) recently announced that an ‘investigative sweep’ of businesses with mobile apps that aren’t compliant with the California Consumer Privacy Act (CCPA)

Alex Cash
Director of Strategy, OneTrust Consent and Preferences
February 1, 2023

Closeup photo of customer using phone for sales transaction

On January 27, 2023, Rob Bonta, the California AG, declared that mobile apps that fail to comply with the CCPA are being investigated. 

He further noted that this ‘investigative sweep’ focuses on apps in the retail, travel, and food service industries that don’t comply with:

  1. Consumer opt-out requests 
  2. Mechanism for consumers to stop the sale of their data 
  3. Processing consumer requests via an authorized agent


Opt-out requests (the sale or share of data and more)

Under the CCPA, consumers have the right to opt-out of the

  • Sale and share of their data 
  • Unnecessary use of their sensitive personal information (SPI)

Businesses are also required to honor universal opt-out signals, such as the Global Privacy Control (GPC). 

NOTE: GPC is still not available for mobile apps, but it is important for businesses to note universal opt-out signals when complying with opt-out requirements.

The CCPA (amended by the CPRA), has a well-defined set of instructions for covered businesses to follow to ensure compliance with opt-out requirements. 

  • Consumers must be notified that personal information is being sold or shared and that they have the right to opt out 
  • Clear and conspicuous ‘Do Not Sell or Share My Personal Information’ and ‘Limit the Use of Sensitive Personal Information’ links (or one link that combines both) must be visible on the homepage and any other page that collects information 
  • Consumers should not have to create an account to exercise their right to opt out 
  • Consumers must be informed of their right to opt in an online privacy policy that also has a ‘do not sell or share’ link 
  • Opt out decisions must be respected for a minimum of 12 months before asking consumers to authorize the sale or share of personal information or use of SPI again 
  • Adequate training to employees responsible for handling consumer privacy rights inquiries and processing opt-out requests

Organizations need to make sure that their mobile apps have the right mechanisms in place to provide consumers with information on their rights and the ability to opt out. 

Consumer requests via an authorized agent

Along with the opt-out rights mentioned above, consumers also have the following rights they can exercise under the CCPA. 

  • The right to know what personal information a business collects about them and how it is used and shared 
  • The right to delete personal information collected from them (with some exceptions) 
  • The right to non-discrimination for exercising their CCPA rights 
  • The right to correct inaccurate personal information that a business has about them

These rights can be exercised by the consumer directly, or via an authorized agent. 

Who qualifies as an authorized agent?

An authorized agent is defined as an entity that submits requests on behalf of consumers. These are tools that scrape an individual’s email inbox and send out emails in bulk to organizations requesting data access, deletion, or correction. 

Given the CCPA’s 45-day response timeline for consumer rights requests, organizations need to monitor their inbox for authorized agent requests and have workflows in place to deal with consumer rights requests via this channel. 

This includes verifying the requestor’s

  • Identity 
  • Residence (ensuring it is California) 
  • Other requests submitted to your organization

Employees that handle consumer rights requests may require additional training to learn how to handle requests via an authorized agent. 

What this means for your organization

If your organization has a mobile app and has users that are California residents, then you need to ensure the following is in place in your application. 

  1. A mechanism for consumers to submit opt-out requests with a unified preference center or a privacy rights intake form 
  2. A clear “Do Not Sell or Share My Personal Information” link on all app pages that collect information – this link can also be geolocated or deployed universally 
  3. Workflows in place that ensure consumer rights requests via an authorized agent are being processed in the 45-day timeline


How OneTrust can help

With OneTrust, your organization can operationalize CCPA compliance and go beyond, getting the most done with the least manual effort while providing your users with the best privacy-first experience. 

OneTrust Mobile App Consent audits your app for any tracking technologies and identifiers present while mapping consent options based on your organization’s regulatory requirements. It also handles syncing user preferences across multiple devices and continuously monitors consent receipts to demonstrate compliance and optimize accordingly. 

OneTrust Privacy Rights Automation ensures your privacy rights fulfillment center can handle authorized agent requests, with integration workflows that can be configured to 

  • Scan corporate inboxes for access or deletion request emails  
  • Enroll in the appropriate consumer request workflow 
  • Ensure proper documentation specifies the authorized agent details 

You can also see what type of data requests your organization is receiving, how many, and where they’re coming from with detailed reporting and customizable dashboards. 

Learn more about how OneTrust Mobile App Consent and Privacy Rights Automation can help your organization with by requesting a demo or a free trial today. 

You may also like


Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more


Privacy Automation

US privacy laws on the horizon: Which states will be next?

Join our live webinar as OneTrust DataGuidence and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.

June 15, 2023

Learn more

Regulation Book

Privacy Management

Colorado Privacy Act law book

The Colorado Privacy Act (CPA) comes into force on July 1. Get the law's official text right at your fingertips.

May 30, 2023

Learn more