California Governor vetoes privacy bill AB 3048

Governor Newsom rejects legislation mandating opt-out settings in browsers and mobile OS, emphasizing existing options and developer autonomy

California Governor vetoes privacy bill AB 3048
California Legislature

On September 20, 2024, California Governor Gavin Newsom vetoed Assembly Bill 3048 (AB 3048), a proposed law that would have required internet browsers and mobile operating systems to include privacy opt-out settings for California consumers. The bill, which passed the state legislature on August 28, 2024, aimed to enhance consumer privacy by simplifying the process of opting out of personal data collection and sharing.

In his veto message, Governor Newsom explained his decision, stating, "I share the author's desire to enhance consumer privacy. Last year, I signed SB 362 (Becker), which requires the California Privacy Protection Agency to establish an accessible deletion mechanism allowing consumers to request that data brokers delete all of their personal information."

However, the governor expressed concerns about the bill's approach: "I am concerned about placing a mandate on operating system (OS) developers at this time. No major mobile OS incorporates an option for an opt-out signal. By contrast, most internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality."

AB 3048, introduced by Assembly Member Lowenthal on February 16, 2024, proposed amendments to the California Consumer Privacy Act of 2018 (CCPA). The bill's key provisions included:

  1. Requiring web browsers to include a setting enabling consumers to send an opt-out preference signal to businesses they interact with through the browser.
  2. Mandating mobile operating systems to incorporate a similar opt-out setting within six months after the California Privacy Protection Agency adopts relevant regulations.
  3. Ensuring these opt-out settings are easily locatable and configurable for a reasonable person.
  4. Authorizing the California Privacy Protection Agency to adopt regulations for implementation and administration, including updating definitions to address technological changes and privacy concerns.

The bill set a clear timeline for implementation, with an operative date of January 1, 2026, if signed into law. However, Governor Newsom's veto has halted this process.

In his veto message, the governor emphasized the importance of allowing developers to address design questions: "To ensure the ongoing usability of mobile devices, it's best if design questions are first addressed by developers, rather than by regulators."

The veto has sparked reactions from various stakeholders in the privacy and advertising sectors. Chris Oswald, EVP and Head of Law, Ethics, and Government Relations at the Association of National Advertisers (ANA), expressed support for the governor's decision: "We commend Governor Newsom for addressing the concerns of the advertising community and vetoing this unnecessary, ambiguous, and anti-competitive bill."

Oswald further commented on the existing opt-out options: "As the Governor noted in his veto message, the opt-out functionality mandated by AB 3048 is already widely available through browsers and plug-ins, so all Californians who wish to send that signal already have a broad range of tools to do so."

The debate surrounding AB 3048 reflects the ongoing challenges in balancing consumer privacy rights with technological innovation and business interests. While supporters of the bill argued it would simplify privacy protection for consumers, critics, including some tech companies, raised concerns about potential negative impacts on targeted advertising and small businesses.

California has been at the forefront of data privacy legislation in the United States, with laws such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) already in effect. These existing laws grant consumers various rights regarding their personal information, including the right to know what data is being collected about them and the right to request its deletion.

The veto of AB 3048 does not diminish these existing protections but maintains the status quo in terms of how consumers can exercise their opt-out rights. Currently, while many web browsers offer built-in privacy controls or support for privacy-enhancing extensions, mobile operating systems generally do not include system-wide opt-out settings for data sharing.

As the debate over digital privacy continues, it remains to be seen whether similar legislation will be proposed in California or other states, and how the balance between consumer rights, technological innovation, and business interests will evolve.

Key facts about AB 3048 and its veto

  • Bill Number: AB 3048
  • Introduced: February 16, 2024
  • Passed Legislature: August 28, 2024
  • Vetoed by Governor: September 20, 2024
  • Proposed Operative Date (if signed): January 1, 2026
  • Key Requirement: Mandatory opt-out settings in web browsers and mobile operating systems
  • Regulatory Authority: California Privacy Protection Agency

Subscribe to our free weekly LinkedIn newsletter for a weekend roundup, or upgrade to our real-time updates for just $10/year. Get the latest marketing news and insights delivered straight to your inbox.