On the eve of Data Privacy Day, the California Attorney General announced a new investigative focus for compliance with the California Consumer Privacy Act (CCPA) on mobile applications, specifically popular apps in the retail, travel, and food service industries. The Attorney General sent letters to businesses with mobile applications that have allegedly failed to comply with consumer opt-out requests, do not offer any mechanism for consumers who want to stop the sale of their data, or failed to process consumer requests submitted via an authorized agent, including via third-party applications such as Permission Slip.

The Attorney General stated this new focus on mobile application compliance comes due to the wide array of sensitive information applications can access on an individual’s mobile device.

Under the CCPA, businesses that receive notices have 30 days to fix the alleged violations before an enforcement action may be initiated by the state.

This announcement of further potential enforcement actions comes only four months after the state’s first enforcement action and settlement under the CCPA, which resulted in a settlement of $1.2 million in penalties, as well as injunctive relief.

Businesses with mobile applications should review compliance requirements and whether their mobile applications are following these and other CCPA requirements, including the changes made by the California Privacy Rights Act (CPRA).

If you have questions about compliance with the CCPA or related issues, contact a Jackson Lewis attorney or the CCPA Team.

Tags: CCPA, CPRA, Mobile Apps, mobile device, sensitive information
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Privacy blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Read more about Jason C. Gavejian
Show more Show less
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Related Posts
New CCPA Regulations Go Into Effect, Updated FAQs Summarize Key Compliance Requirements
January 22, 2026
Understanding California’s New CCPA Cybersecurity Audit Requirements
December 8, 2025
The CCPA and Automated Decision-Making Technologies (ADMT)
November 25, 2025