California to require businesses to develop or maintain settings that allow consumers to send an opt-out preference signal
On August 31, 2024, AB-3048 California Consumer Privacy Act of 2018, passed both houses of the California Legislature. The Legislature indicated that the intent of AB-3048 is to further the goals of the California Privacy Rights Act of 2020 by requiring businesses to maintain or develop browsers and mobile operating systems with settings that enable consumers to send an opt-out preference signal (OOPS) to businesses the consumer interacts with via the browser or mobile operating system. AB-3048 is now sitting on the Governor’s desk for approval or veto by September 30, 2024.
California joins a handful of other states that require OOPS, including, but not limited to, Colorado, Connecticut, Delaware, Montana, Oregon, Texas and more recently, New Jersey. The goal of these signals or mechanisms is to provide consumers a more standardized process to opt-out of certain data processing activities carried out by businesses such as sales and sharing of Personally Identifiable Information (PII). A user enables the opt-out mechanism on their browser or mobile operating system setting and a signal is then sent to online services or platforms that a consumer has requested to opt-out of the sale or share of their PII. Lawmakers often argue this standardized approach provides consumers a higher level of transparency and control over managing their privacy preferences across digital services and platforms. (Some states may use related terms to describe similar standardized opt-out processes in privacy laws, like OOPs, such as: Universal Opt-Out Mechanism (UOOM); Global Privacy Controls (GPC); Consumer Choice Mechanisms; Privacy Preference Tools and Global Opt-Outs.)
The requirement will first impact all browser providers, with the deadline for proposed implementation set for January 1, 2026. Browsers such as Safari, Edge and Chrome, which make up over 90% of the desktop market share, currently do not offer built-in OOPS signals. Consumers using these browsers have to use separately enabled plug-in extensions to submit opt-out preference signals. The requirements for mobile operating systems are still under consideration and will not go into effect until 6 months from adoption of regulation. Lawmakers will have to consider how requirements will work with device identifiers for advertisers such as the Android advertising ID or Google’s Advertising ID (GAID) program and Apple’s ATT framework. Further, it is unclear at this time whether OOPs will be required to be turned on or off by default.
To ensure compliance with consumer privacy laws, businesses should review their current OOPs processes and evaluate how they currently honor requests to opt out of sales and sharing of consumer’s PII. The push to prioritize OOPs implementation has been fueled by recent settlements like the California Attorney General’s settlement with Sephora, a cosmetics retailer that, allegedly, failed to process consumer opt-out requests. Businesses will likely also have to consider the potential impact of implementing OOPs on ad monetization. Because OOPs provides a standardized approach to opt-out, the mechanism arguably provides consumers an easier way to opt-out of sales and shares of PII that could in turn, decrease the ability of businesses to use consumer information for secondary purposes and lower the effectiveness of advertising campaigns.
Assuming the Governor signs off on the bill, the proposed deadline for implementation is January 1, 2026 for browsers. Mobile operating systems, however, will become operative 6 months from adoption of regulations that detail requirements and technical specifications for mobile implantation.
If you have questions about the opt-out preference signal requirement, about national privacy requirements, think you might have experienced a cybersecurity incident, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national Data Privacy and Cybersecurity team.