This study empirically evaluates the real-world effectiveness of Android’s Advertising ID (AdID) deprecation and the Global Privacy Control (GPC) signal in constraining third-party advertising tracking. Method: Leveraging network traffic analysis, we conducted a large-scale measurement across 1,811 top free U.S. apps from Google Play and developed a framework to assess compliance with CCPA and GDPR requirements. Contribution/Results: We provide the first systematic evidence that both AdID disabling and GPC signals are widely ineffective in mainstream applications: over 70% of CCPA-covered apps ignore GPC signals, and more than 15% of apps subject to GDPR—yet serving non-EU users—fail to implement mandatory opt-out mechanisms for behavioral advertising. These findings reveal a substantial enforcement gap between privacy regulations and technical implementation, highlighting a critical disconnect between legal mandates and on-device privacy practice.

Many mobile apps derive significant revenue from personalized advertising and share detailed data about their users with ad networks, data brokers, and other companies. This third-party tracking has widely been shown to lack transparency and user choice, even though it has been around for more than two decades. Since 2013, Android users can enable the AdID setting on their devices to opt out of interest-based ads. In addition, if applicable, the California Consumer Privacy Act of 2018 (CCPA) gives users an opt-out right from the selling and sharing of personal information, including ad tracking. Users can exercise this right via Global Privacy Control (GPC). Interestingly, prior literature has not studied whether either of these two privacy choice mechanisms - the Android AdID setting or GPC - actually limit tracking. Analyzing the network traffic of 1,811 top-free apps from the US Google Play Store, we find that neither the Android AdID setting nor GPC has substantial impact on apps' data selling and sharing practices. This is despite the fact that at least 70% of the apps we examine must respect the CCPA opt-out right via GPC. Additionally, the European General Data Protection Regulation (GDPR) has worldwide scope for certain apps. In this regard, we show that at least 15% of the examined apps must grant EU protections to people outside the EU, including the GDPR's consent and opt-out requirements relating to ads. We find a lack thereof and conclude that more action is needed to protect users' legally mandated opt-out rights, in both the EU and US.