From the About page for ACT | The App Association:

"The App Association represents more than 5,000 app makers and connected device companies in the mobile economy, a $950 billion ecosystem led by U.S. companies. Organization members leverage the connectivity of smart devices to create innovative solutions that make our lives better. The App Association is the leading industry resource on market strategy, regulated industries, privacy, and security.

App Association members are located across the United States – in all 435 congressional districts – and around the globe, showing that with coding skills and an internet connection, an app maker can succeed from anywhere. Because of low barriers to entry, the app marketplace has seen high growth in areas which have not been traditional tech hubs. In the United States, more than 83 percent of app companies."

Summary from Adam Greene of MobileHealthNews:

California passed the most comprehensive privacy law in the U.S. on June 28, 2018, with a compliance date of January 1, 2020. For mobile health app developers, that date may seem far away, but the California law will require significant and challenging operational changes. It is unclear whether the law will apply to protected health information of mobile health app developers who are business associates under HIPAA. But for more consumer-focused apps that fall outside of HIPAA, the California law will certainly require significant changes, ranging from updating privacy policies to implementing a consumer right of erasure. The law will affect most businesses that do business in California and have information about California residents, even if the business is located outside of California.

The CCPA governs all “personal information,” whether collected online or offline. Unlike most state breach notification laws, the CCPA’s definition of personal information is not limited to sensitive categories of information, but rather includes any information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household and that is not publicly available. It does not include de-identified or aggregated consumer information; however, the definition of what constitutes de-identified or aggregated data is limited. Accordingly, if a mobile health app developer has any information about a consumer or household that is not publicly available, it may fall under CCPA, unless it has been de-identified (either a de-identified individual record or part of a de-identified aggregate data set).

The CCPA governs all for-profit companies that do business in California that meet one of the following criteria:

• Gross revenue (not limited to California) of more than $25 million;
• Annually handles personal information of 50,000 or more California residents, households, or devices; or
• Derives 50% or more of its annual revenue from selling California residents’ personal information.