CCPA (California Consumer Privacy Act, effective January 2020) and its successor CPRA (California Privacy Rights Act, effective January 2023) are California's privacy laws — the most consequential US state-level privacy regulations for mobile apps. Together they regulate how businesses collect, process, sell, and share personal data of California residents. As under GDPR, "personal data" is defined broadly to include device identifiers (IDFA, GAID), behavioral data, IP addresses, location, and any identifier that can be linked to a person.
Opt-OUT model vs GDPR's opt-IN
This is the central design difference between US and EU privacy regulation. CCPA / CPRA defaults to "you can be tracked, but you have the right to opt OUT". GDPR defaults to "you can't be tracked unless you opt IN". For mobile apps, this means:
- Under GDPR: show consent dialog at first launch, user must affirmatively opt in.
- Under CCPA/CPRA: tracking can proceed by default, but you must provide an opt-out mechanism (typically a "Do Not Sell or Share My Personal Information" link in your settings or privacy policy).
Result: opt-out rates on CCPA/CPRA workflows are much lower than opt-in rates on GDPR workflows — users have to actively seek out the opt-out, while EU users have the choice at the front door.
Key CCPA / CPRA requirements for mobile apps
- Privacy notice at point of data collection — clearly explaining what data is collected, why, and who receives it.
- "Do Not Sell or Share My Personal Information" link — accessible to users, typically in app settings or the privacy policy. The "or Share" wording was added by CPRA; the older "Do Not Sell" wording is being phased out in favor of "Do Not Sell or Share".
- Data subject rights: California residents can request access to their data, correction, deletion, opt-out of sale/sharing, limitation of use of "sensitive personal information" (a newer CPRA category).
- Privacy policy updated annually, disclosing categories of data collected, sources, purposes, and recipients.
- Service provider contracts — third-party vendors handling personal data must have contractual data-processing protections (similar to GDPR DPAs).
The Global Privacy Control (GPC) is a browser / device signal that automatically communicates a user's opt-out preference. Businesses subject to CCPA / CPRA have been required to honor it since 2022. For mobile apps, GPC-equivalent signals come through device-level privacy settings.
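The opt-out handling described above, as an added example (not code from the page or any vendor SDK): a backend that receives requests from an app or web client decides whether a request's personal data may go to ad or analytics partners. It assumes `Sec-GPC: 1` as the request header defined by the Global Privacy Control specification; the in-memory opt-out store, the `may_share` / `prepare_partner_payload` functions and the event field names are hypothetical.

```python
from dataclasses import dataclass
from typing import Mapping

# Request header defined by the Global Privacy Control specification.
GPC_HEADER = "sec-gpc"


@dataclass(frozen=True)
class ShareDecision:
    allowed: bool  # may this request's personal data go to ad/analytics partners?
    reason: str    # short audit string for logging


# Hypothetical per-user store of choices made through the
# "Do Not Sell or Share My Personal Information" control (constructed, in-memory).
_OPT_OUT_STORE: dict[str, bool] = {}


def record_opt_out(user_id: str, opted_out: bool = True) -> None:
    """Persist an explicit user choice from the app's opt-out control."""
    _OPT_OUT_STORE[user_id] = opted_out


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries Sec-GPC: 1.

    Header names are case-insensitive; only the literal value "1" counts.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def may_share(headers: Mapping[str, str], user_id: str) -> ShareDecision:
    """Opt-out model: sharing proceeds by default, but any opt-out wins.

    Precedence: a stored opt-out from the app control, then the GPC signal
    (also recorded so the choice sticks for later requests that arrive
    without the header), then the default of allowing the share.
    """
    if _OPT_OUT_STORE.get(user_id):
        return ShareDecision(False, "user opted out via Do Not Sell or Share control")
    if gpc_signal_present(headers):
        record_opt_out(user_id)
        return ShareDecision(False, "Sec-GPC: 1 received; treated as opt-out request")
    return ShareDecision(True, "no opt-out on file and no GPC signal")


# Fields that identify the device or person and so must not leave the app
# when sharing is not allowed (hypothetical event schema).
_IDENTIFIER_FIELDS = {"idfa", "gaid", "ip", "precise_location", "email"}


def prepare_partner_payload(event: Mapping[str, object], decision: ShareDecision) -> dict:
    """Return the event as it may be sent to a partner.

    When sharing is not allowed, identifiers are stripped so what remains
    cannot be linked back to the person; non-identifying fields pass through.
    """
    if decision.allowed:
        return dict(event)
    return {k: v for k, v in event.items() if k not in _IDENTIFIER_FIELDS}


if __name__ == "__main__":
    # Constructed sample request and event.
    decision = may_share({"Sec-GPC": "1"}, "user-123")
    event = {"idfa": "ABCD-1234", "screen": "home", "ip": "203.0.113.9"}
    print(decision, prepare_partner_payload(event, decision))
```

The point of recording the GPC signal is that an opt-out must survive the next request: a client that sends the header once and then talks through a path that omits it should still be treated as opted out. Stripping identifiers rather than dropping the whole event keeps product analytics usable while removing what makes the record personal data.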
Other US state laws: California's CCPA / CPRA influenced subsequent state laws — Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and others. Each varies in detail, but most follow the same opt-out model. As of 2026, ~10+ US states have passed comprehensive privacy laws, with more in the pipeline. A federal privacy law has been debated for years but had not passed as of mid-2026. Practical implication: most mobile apps designed for CCPA / CPRA compliance largely comply with other US state laws too. Build for the strictest (California) and you cover most.
Enforcement reality: the California Attorney General (and the new California Privacy Protection Agency under CPRA) has been actively enforcing. Notable settlements include Sephora ($1.2M, for selling data without disclosure) and DoorDash (for selling consumer data). Most enforcement targets large companies; smaller mobile apps face lower direct enforcement risk but still need to comply.
CCPA / CPRA vs GDPR
| | CCPA / CPRA (California) | GDPR (EU) |
|---|---|---|
| Consent model | Opt-OUT (tracked by default) | Opt-IN (consent required first) |
| User action | "Do Not Sell or Share" link | Front-door consent dialog |
| Effect on tracking | Most users never opt out | Many users decline |
| Max penalty | $7,500 per intentional violation | Up to 4% of global revenue |
Build for California and you largely cover the 10+ other US state laws (Virginia, Colorado, Connecticut, Utah), which mostly follow the same opt-out model.