Just about this time last year, we wrote about a landmark privacy bill in California and examined some of the specious arguments that the tech industry used to try to kill it. That bill, A.B. 3048, would’ve required browsers and mobile operating systems to support universal opt-out signals, making it far easier for consumers to exercise the rights already granted to them by the California Consumer Privacy Act (CCPA).
Sadly, A.B. 3048 was ultimately vetoed by Governor Newsom, who expressed particular concern about the bill’s applicability to operating systems like iOS or Android, writing that “[n]o major mobile OS incorporates an option for an opt-out signal.” We were disappointed with the outcome, especially given that the entire point of the bill was to require legally binding privacy controls where OS developers had failed to act voluntarily, but we vowed to continue work on the bill and build support for it.
Well, here we are again. Earlier this year, Assembly member Josh Lowenthal reintroduced a version of the legislation (A.B. 566, now known as the California Opt Me Out Act), and in partnership with the CPPA and civil society organizations like ours, continued to work with the legislature to address the concerns of the Governor and other interested parties. Last Thursday, we were pleased to see that the Legislature approved A.B. 566 by an overwhelming majority—sending it back to Governor Newsom for another round of consideration.
We continue to believe that this legislation is critical to fulfilling the promise of the CCPA, and could help consumers take more control of their data nationally if it is passed. So what is actually in this legislation this time around and what are our old pals in the tech industry saying about it?
What Does This Bill Do and What Are the Key Changes?
A.B. 566 is primarily intended to make consumer opt-out rights easier to use. Under CCPA, businesses are already required to respond to consumer opt-out requests sent via universal opt-out mechanisms, which are signals (like the Global Privacy Control [GPC]) that automatically communicate the consumer’s preference not to have their information sold or shared with third-parties to all of the businesses that a consumer interacts with across a given platform. So when a consumer is using a browser (like Google Chrome, Apple Safari, or Microsoft Edge), a universal opt-out signal would send the consumer’s opt-out request to each website that the consumer visits. This saves consumers from the tedious, time-consuming process of completing an opt-out form on each individual website—an arrangement that very likely suppresses consumers’ privacy preferences from being expressed the way they would be if the opt-out process was easy.
Unfortunately, none of the above-named browsers actually support opt-out signals themselves. If a user wants to send an opt-out preference signal on Chrome or Edge, they need to download a third-party extension to do so, while those on Safari and all mobile platform users cannot configure their device to send an opt-out preference signal at all—hence the need for government intervention.
The primary difference between this year’s legislation and last year’s is that—recognizing the Governor’s veto message from last year—legislators removed mobile operating systems from the bill’s scope. This year’s legislation also creates liability protections for browsers, so that if a website fails to honor a consumer’s opt-out signal, the liability for that violation is clearly assigned to the website and not the browser itself. The legislature also chose to delay the implementation date to January 1, 2027, providing more time for implementation.
Together, these amendments were intended to balance reasonable business concerns while preserving the basic concept of the bill. If proven a success in the browser context, it’ll produce strong evidence we can use to push for future expansions of the law to other contexts to provide more comprehensive protections for people (especially if mobile OSs continue to deny universal opt-out functionality).
What Does Industry Have to Say about it?
The main opponents of the bill at this stage are the California Chamber of Commerce, along with a coalition of advertising trade associations. Many of the arguments they’ve shared with lawmakers are either recycled from last year or rendered moot by the removal of operating systems from the scope of the bill. If you’d like to read about those, check out our post from last year.
What is new this year is a recent report commissioned by the Cal Chamber, entitled “AB 566 Threatens California’s Economy, Consumers, and Small Businesses.” The report raises significant concerns about the bill, but it relies on a number of highly questionable assumptions and projections. Its conclusion—that the bill would severely harm the California economy, particularly small businesses—rests on a set of arguments that merit closer scrutiny.
Let’s take a closer look at some of their key arguments.
The Chamber’s central claim is that if consumers were able to more easily opt out from businesses selling or sharing their personal data, businesses would cut back on their ad spending to the tune of $3.6 billion. (Notably, the report never specifies the time period over which this ad-spend recession is supposed to occur, denying readers a rather crucial input for evaluating its significance). This decline in ad-spend would allegedly result in the loss of thousands of jobs, billions in labor income, and hundreds of millions in state and local tax revenues.
Taking a step back from the breathless catastrophizing, there’s a couple glaring problems with the Chamber’s analysis here. For one, the report completely fails to mention the alternatives to third-party targeted advertising, such as contextual advertising, cohort-level advertising, or first-party data strategies that businesses would likely turn to if greater numbers of consumers turn off third-party tracking (and that have supported online since the dawn of the internet). The truth is that the advertising marketplace has been in flux for years in response to both industry and policy-driven changes to the treatment of personal data, and there is growing recognition amongst advertisers that these alternatives are going to make up a much larger portion of ad-spend moving forward.
In fact, we’ve already been through one round of (ultimately overblown) panic when Apple announced App Tracking Transparency (ATT) a few years back. Similar in concept to A.B. 566, ATT gives consumers the ability to block apps from sharing data with third-parties—a control that users overwhelmingly took advantage of (estimates range from 65-93 percent of users choosing to block tracking). Despite those enormous numbers (which, incidentally, gives us a strong indication that consumers desire these types of privacy protections), the app marketplace has not collapsed and many businesses seem to have found alternative ways to advertise or otherwise monetize their products.
Furthermore, Google recently agreed to settle a class action lawsuit against them that will also require them to create a new privacy control, dubbed the Real Time Bidding (RTB) Control. The new control will allow consumers to remove their personal information from ad-auctions that Google runs on behalf of publishers and advertisers on many websites—auctions that currently send consumer data to hundreds of third-parties billions of times daily. The advertising industry is just beginning to grapple with this news, but early indications are that it will also significantly speed the movement away from traditional third-party targeted advertising.
So while it is clear that both policy and marketplace forces are already driving major changes to ad-driven business models, these dynamics go completely undiscussed in the report. What we get instead is one vague sentence that their prediction for a $3.6 billion drop in ad-spend, is “[b]ased on specific assumptions about reallocations of ad spending by small and larger firms” — assumptions that are never divulged in the report. This makes it virtually impossible to assess the central claims of the report, as well as the second and third-order impacts to jobs and the economy at large that are based on this figure.
Were the current alternatives to third-party targeted advertising factored in? How about future alternatives? Did the Chamber consider whether businesses might innovate or create new solutions in the advertising space that might mitigate some of these harms? Did the Chamber simply assume that many businesses would stop advertising altogether if this bill passes? Without any meaningful information about how the Chamber arrived at its conclusions it is impossible to answer any of these questions and for claims as grandiose as the ones proffered here, we shouldn’t be guessing. Tossing methodology-free “research” into the world is reckless and it’s a textbook example of fear-mongering for political gain.
But there is actually something else insidious here beyond mere shoddy economic analysis, and that’s that the Chamber is essentially admitting that they don’t believe in consumer choice after all. The concept of consumer choice is something that industry groups like the Chamber have touted for years in response to privacy laws—a huge reason why CCPA is structured as an opt-out bill in the first place, instead of one that simply bans unwanted data sharing practices, is that they argued that consumers should have the “choice” to allow companies to surveil them or sell their data. They are so committed to the concept that they even have the hubris to say that they “support user choice” in their letter asking the Legislature to oppose this bill and block users from getting more of it.
However, the key findings in this report are all based on the hypothetical scenario of 25 percent of users choosing to opt-out. While to you and me this might seem like a relatively modest portion of consumers actually exercising their choice in the marketplace, to them, this apparently marks a point of no return beyond which the principle of consumer choice must be rejected and consumers saved from themselves. But what was the point of passing a privacy law at all if it’s only acceptable for a tiny fraction of consumers to actually use it? And isn’t the point of a market economy that consumers “vote with their feet” so that unwanted products and services eventually get replaced with stuff that people actually want? Why should businesses that sell our personal data be exempt from this logic? Our strongest defenders of the free market should understand these dynamics more than anyone, so it’s curious why they’ve ignored them in this case.
Conclusion
A.B. 566 doesn’t create new data rights or even put any new obligations on most businesses—it simply makes existing rights easier to use. That’s what the Chamber is fighting against, and their message is loud and clear: “You can have privacy rights—just don’t use them.”
