On August 27, 2024, the California Senate passed AB 3048, amending the California Consumer Privacy Act to require all browser and mobile operating system providers to enable consumers to send an opt-out preference signal ("OOPS"), like Global Privacy Control, to a business with which the consumer interacts. Once passed by the assembly as expected, the bill will go to the governor's desk, who has until September 30 to veto.
What is an opt-out preference signal?
An OOPS – often called a "universal opt-out mechanism" – is a user-enabled technical specification that automatically sends a signal to an online site or service that a consumer requests to opt out of the sale or share of their personal information. The most widely recognized OOPS is Global Privacy Control. 12 state privacy laws currently require an online business to honor a consumer's opt out through an OOPS.
Businesses began to prioritize OOPS recognition following the California Attorney General's settlement with cosmetics retailer Sephora. The AG alleged that Sephora failed to process user requests to opt out of sale signaled by the Global Privacy Control.
Currently, only smaller browsers like DuckDuckGo and Brave offer built-in support for OOPSs, while Chrome, Safari, and Bing do not. Consumers using more popular browsers must rely on extensions to send opt-out signals. On mobile, no operating systems currently offer built-in functionality to opt out of app's sale/share of personal information.
What does AB 3048 do?
The bill requires businesses that develop or maintain browsers or mobile operating systems to provide a setting that enables the consumer to send an OOPS. It expands the definition of an OOPS to now also include a consumer's request to limit the use of their sensitive personal information. The law enters into effect on January 1, 2026, but the mobile OS provisions will only become operative 6 months following adoption of regulations by the CPPA that detail requirements and technical specifications for mobile implementation.
Takeaways
Requiring browsers to integrate opt-out preference signals will have a considerable impact on ad monetization. This will allow consumers to more easily opt-out of sales and shares, which could dramatically reduce the effectiveness of advertising campaigns and the ability of businesses to use personal information for secondary purposes. We expect this change will further drive businesses to alternative solutions, such as contextual advertising or first-party data.
The added compliance wrinkle for an OOPS to signal a request to limit the use of a consumer's sensitive personal information – an obligation not previously found in any CCPA regulations, but included in the statute – will require revision of current OOPS processes designed to effectuate a request to opt out of sale or sharing only. This raises questions of how online businesses will honor requests to limit in light of California's expansive and growing definition of sensitive personal information, which includes, among other things, precise geolocation and the content of communications.
The CPPA's regulations will be key in assessing AB 3048's impact on the data sharing ecosystem. OOPS do not currently work in mobile app environments, but the CPPA is required to adopt regulations outlining the requirements for use by a mobile operating system. The design of choice screens or opt-out pop-ups and how these settings would interplay with Apple's ATT framework or Google's Advertising ID program will be fundamental in determining the bill's impact.
In theory, a browser or mobile operating system could decide to turn OOPS on by default, which would fundamentally disrupt the advertising ecosystem. We find it unlikely, although not impossible, that California would choose such a path, as other states have required OOPS to be off by default.
Based on the rate at which the CPPA promulgates regulations, we do not expect the portions of this bill applying to mobile operating systems to take effect until 2027, giving businesses plenty lead time to prepare for yet another limitation on targeted advertising. Browser providers will have a shorter runway with an effective date coming at the beginning of 2026.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.