A week following his signature enacting artificial intelligence legislation, Gov. Gavin Newsom, D-Calif., signed a trio of new privacy-focused bills into law 8 Oct.
Two of the bills Newsom signed are California Assembly Bill 656, which requires social media companies to put easier cancellation mechanisms in place for users that automatically delete their personal data upon their decision to cancel their account, and Senate Bill 361, which strengthens the state data broker registration law by providing consumers with more information about the personal information data brokers collect.
Of the three bills, however, Assembly Bill 566, or the California Opt Me Out Act, will likely cause the greatest ripples in advertising technology circles. The new law amends the California Consumer Privacy Act to help state residents better exercise their right to opt out of the sale of their browsing data by requiring companies that develop or maintain a web browser to create an opt-out preference signal within their browser so consumers can opt out in a single instance, instead of having to opt out of data sales on every website they visit.
"Every Californian deserves control over their personal information without having to jump through countless hoops," CCPA Executive Director Tom Kemp said in a statement. "This law puts the power back in consumers' hands and makes exercising your privacy rights at scale as simple as clicking a button in your browser."
"This law recognizes privacy rights are meaningless if they're too difficult to use," CPPA Deputy Director of Policy and Legislation Maureen Mahoney said. "California is once again leading the nation in protecting consumers' digital privacy."
The new law compels browser companies to inform consumers how the opt-out preference signal works within the browser and grants liability protection for browser companies that maintain the new browser-based opt-out preference signal functionality when sending the signal to a website operator who then fails to comply with the stated preference.
AB 566 is scheduled to enter into force 1 Jan. 2027 and authorizes the California Privacy Protection Agency "to adopt regulations as necessary to implement and administer those provisions."
AB 556's potential impact
Greenburg Traurig Shareholder Darren Abernethy, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS, said in comments to the IAPP that a possible consequence of the law once it enters into force is that it may create a scenario where a flood of opt out requests will be sent to businesses that drastically impact their web marketing efforts depending how the OOPS mechanism is configured.
"It will almost certainly lead to an increase in the sending of browser-based opt-out of sell/share requests, which CCPA in-scope businesses must then honor, potentially impacting retargeting and other marketing efforts," Abernethy said. "One thing I'll be looking out for is whether the major browser developers give an indication in the near-term as to whether they intend to have the configurable native OOPS functionality be turned on or off by default, or how prominent the control will be within the browser settings, as this could have a big impact on the volume of opt-out requests businesses receive and must honor."
Loeb & Loeb Chief Privacy and Security Partner Jessica Lee, CIPP/E, CIPP/US, CIPM, said the effectiveness of AB 556 will come down to implementation. She said the law does not specify what type of specific opt-out mechanism the browser developer must utilize, unlike in Colorado, for instance, where the state Attorney General's Office maintains a public list of universal opt-out mechanisms. Currently, the Global Privacy Control is the only approved opt-out mechanism under the Colorado Privacy Act, according to Lee.
Lee said, "there is no easy button for opt-outs." She said a critical aspect of implementation will entail properly informing consumers of how the universal OOPS mechanism will work "so that they understand that they may need to do more than just send the signal from a browser on one device if they really want to be opted-out.
"If browsers adopt and send multiple opt-out signals it will become hard for website operators to discern which signals are valid," Lee said in comments to the IAPP. "It would be great to see alignment on one standard so operators can build their sites to respond to a predictable set of signals."
Questions of jurisdictional authority?
Additionally, AB 556, as constituted, raises potential questions regarding scope and potential jurisdictional conflict, some of which may be assuaged by the fact many of the world's preeminent browser developers are based in California.
"Luckily for the regulator, the world's largest browser developers by market share do happen to be based in the Golden State," Abernethy said. "My guess is that if the browser developer is an in-scope business, then it is a matter of the CPPA or California Attorney General exercising the extraterritorial nature of the law against such an entity doing business in-state and that meets the other eligibility criteria."
Lee said jurisdictional issues are less of a concern because "any company that meets the definition of a business under the CCPA will be subject to the law.
"The determining factor is the collection of data from California residents, not where the company is based," she added.
Mobile browsers excluded?
Abernethy said one area missing from law's text are provisions governing how the OOPS mechanism will work for mobile web browsers. He recommended advertising technology stakeholders should stay abreast of regulatory developments with respect to mobile browser OOPS requirements over the next year-plus before the law goes into effect.
Additionally, he said that AB 556 may create a further ripple effect stretching beyond California residents who seek to exercise opt-out rights to where other states' citizens will follow their lead unless browser developers create methods for de-activating the embedded OOPS tool for non-California residents.
"The law as written does not make reference to mobile environments, but as the definition of 'browser' in the statute does not seem to exclude mobile web browsers, or web browsers embedded in mobile applications," Abernethy said. "This is an example of how a change enacted for one state can actually, in practice, functionally have an effect on an international level, as a feature requirement imposed on the market-leading browser developers would seemingly be available to all users of the browser, at least on a national or regional level—raising awareness to such opt-out rights and tools, unless the developer de-activated it for non-California residents."
Alex LaCasse is a staff writer for the IAPP.
