Last week marked the end of the hectic California legislative session, with hundreds of bills receiving decisive action in the legislature during a series of marathon voting sessions. Now that the dust has cleared and the list of still-active bills has been whittled down significantly, we’re tracking several pieces of legislation with potentially game-altering implications for the internet, which are now headed to Governor Newsom’s desk for his final decision.
Chief among those is A.B. 3048, supported by CR’s Tech and Privacy Team, which has the potential to supercharge the privacy rights already afforded in California by requiring browsers and mobile platforms to support universal opt-out signals (e.g. an opt-out choice that applies to all businesses that the consumer encounters on the platform). While California consumers already enjoy the right to communicate their desire to universally opt-out of the sale or sharing of their personal information under the CCPA, major browsers like Chrome, Safari, and Edge, as well as the Android and iOS mobile platforms, have suppressed usage of this right by denying it functionality on their services. Today, if a user wants to send an opt-out preference signal on Chrome or Edge, they need to download a third-party extension to do so, while those on Safari and all mobile platform users cannot configure their device to send an opt-out preference signal at all.
Unsurprisingly, businesses that make money from surveilling and monetizing their users’ data prefer the current arrangement and have leapt into action lobbying against A.B. 3048, potentially threatening its chances of being signed into law. A recent letter spearheaded by the California Chamber of Commerce and signed by a number of advertising and tech trade associations representing some of the largest players in the digital economy lays out a number of their concerns, many of which deserve greater scrutiny. The coalition raises a laundry list of arguments in the hopes of convincing lawmakers that the concept of universal opt-out signals is simply too confusing, despite the fact that businesses are already required to honor them by law.
What About the Voters, Man?
The Chamber begins its letter by invoking Proposition 24 (the ballot initiative establishing California’s current privacy law), arguing that voters effectively already made their decision relative to universal opt-outs when they approved a framework that “provides businesses the option [to support universal opt-out functionality] and requires regulations around that voluntary use” [emphasis added].
Of course, the notion that voters rendered their final judgment on the topic of universal opt-outs when they approved Proposition 24 in 2020 is dubious on its face. Good public policy dictates that lawmakers return to their work, especially when addressing issues as rapidly evolving as technology policy. In fact, one of the key components approved by voters in Prop 24 was a provision that ensured that CCPA could only be strengthened by future legislative amendment, ensuring that the statute’s intent to protect Calfiornians’ privacy would always be reflected in the law.
Indeed, the California legislature has approved numerous strengthening amendments to the CCPA since 2020, including the landmark Delete Act — another piece of legislation championed by CR — which allows individuals to universally delete their information held by data brokers. Contrary to the Chamber’s implication, Proposition 24 was not intended to be the final word on privacy in California and amending the CCPA to mandate universal opt-outs falls squarely in line with an already-emergent trend.
The Chamber also argues that A.B. 3048 will “upend the balanced approach taken by voters” by removing flexibility for the California Privacy Protection Agency (CPPA) to create rules to implement any “requirements and specifications” for universal opt-outs. CPPA is the primary sponsor of the legislation, so it would be quite strange of them to attempt to undercut their own authority about such a critical provision of the CCPA. In reality, A.B. 3048 does nothing to remove existing rulemaking power from the CPPA, and in fact includes additional rulemaking authorities for the Agency to “adopt regulations as necessary to implement and administer” the law. Of course, the only thing A.B. 3048 upends — which is what the Chamber actually opposes — is the status quo where major tech companies can hide universal opt-outs controls from users that they are otherwise required to honor.
Ignore Consumer Groups, Trust Us!
In arguing against the broader availability of opt-out choices, the Chamber and its allies seek to position themselves as the true champions of consumer choice. They write that A.B. 3048 “does not permit consumers to reverse their decision and opt-back in if they so choose,” as if there is something inherent to the concept of universal opt-outs that prevents consumers from changing their preference. In fact, many current implementations of the universal opt-out — for example, EFF’s Privacy Badger browser extension — allow users to turn the signal off on a site-by-site basis.
The Chamber continues that consumers might not “understand the implications” of sending so many opt-out requests and that the bill fails “to promote informed choices… by authorizing businesses to notify consumers of both the benefits and consequences of opting-out and the use of cookies.” Even ignoring the idea that there are “consequences” of opting-out of the sale of one’s personal information worth considering, it is hard to imagine that consumers would actually prefer to be constantly badgered to whitelist companies when they already must navigate a thicket of pop-ups and consent management platforms in order to access content. The entire point of a universal opt-out is to allow consumers with a generalized preference not to have their personal information sold or shared with third-parties for targeted advertising to easily express that preference. Aside from directly undercutting the spirit of the law, contending with dozens of “But We’re the Good Guys, Allow Us to Track You!” interstitials each browsing session will only annoy consumers.
The Chamber then argues that if businesses downstream of browsers and mobile platforms fail to honor the opt-out signal, consumers might get angry which “will unnecessarily erode consumer trust in browsers and operating systems.” True, if many businesses choose to ignore the law and disregard consumers’ opt-out preferences it is safe to assume that folks won’t be very happy. But this exact scenario already exists: for years, mobile platforms like Apple have employed non-legally binding opt-out signals (e.g. the “Ask App Not To Track” setting) intended to propagate to downstream business that they have done virtually nothing to enforce. Ironically, A.B. 3048 might actually solve the trust problem for platforms since it’ll no longer be up to them to monitor the status of opt-outs sent to third-party businesses — that’ll fall to the Attorney General and CPPA.
Hiding Under the Patchwork Quilt
In its last tranche of concerns, the Chamber cites supposed jurisdictional conflicts that, in its view, make universal-opt outs just too tricky to provide. For example, the Chamber points out that the meaning of the term “opt-out” differs amongst states with privacy laws and it is therefore unclear how a “browser or operating system can or should properly communicate an opt-out preference signal in a way that is made clear to a consumer.” And even worse, according to the Chamber, any changes to the law over time would then make it “impossible to communicate to the user what their choice affects and how changes by geography and time would affect their digital experience.”
True, the scope of each state’s opt-out depends on the definitions of terms like “sale” or “targeted advertising” or “profiling,” which tend to have slight differences amongst states. Yet these supposedly insurmountable differences don’t seem to be a problem for businesses’ ability to provide traditional opt-outs across the handful of states with active state privacy laws — many of which enjoyed healthy industry support — so this should not suddenly be a problem now. The truth is that businesses already collect information like IP addresses in order to determine the location of users for other compliance purposes, so it shouldn’t actually be “impossible” for businesses, if they so choose, to provide additional context tailored to residents of different states explaining the legal effect of their opt-out choice. In all likelihood though, consumers won’t be too concerned about the minor differences in legal effects of their opt-out across state lines — they just don’t want to be tracked.
Finally, the Chamber argues that it is “unclear how an opt-out mechanism browser setting would need to intersect with other privacy related user settings which control similar functionality,” such as individual consent decisions a consumer may have made on a website. The CCPA Regulations already directly answer this question, stating that businesses are allowed to notify consumers in the event of a conflict “and provide the consumer with an opportunity to consent to the sale or sharing of their personal information.” And, as with many of the other pseudo-issues raised in the letter, if businesses continue to truly believe there is ambiguity here, the bill provides the ability for the CPPA to address it in follow-up rulemaking, which will allow groups like the Chamber and its allies to advocate their perspective about the finer points of the law.
But the reality is that tech businesses don’t want things to advance that far. There are 11 other state laws with universal opt-out provisions where consumers could benefit from a similar proposal, and it’s not a stretch to assume that’s a battle they’d like to avoid. So, that they’ve dredged up as many concerns as possible at the 11th hour — regardless of their connection with reality — is entirely unsurprising. It’s a playbook that has worked for them in other contexts, so one can’t really blame them for trying again here.
So, What Comes Next?
Governor Newsom should ignore industry’s attempts to sow fear, uncertainty, and doubt and sign this bill, continuing his legacy of supporting groundbreaking California legislation that has made it a national leader on privacy. Contrary to industry’s attempts to muddle things, A.B. 3048 is a simple bill with a simple premise: it should be easy to opt-out. Let’s get it done.
