California's AB 3048: New law mandates privacy opt-out in browsers and phones
Assembly Bill 3048 requires web browsers and mobile operating systems to include easy opt-out settings for data sharing by 2026.
California is poised to strengthen consumer privacy protections with a new law requiring web browsers and mobile operating systems to include opt-out settings for data sharing. Assembly Bill 3048 (AB 3048), passed by the California legislature on August 28, 2024, now awaits Governor Gavin Newsom's signature. If signed, the law would take effect on January 1, 2026, mandating easier ways for consumers to control how their personal information is collected and shared online.
The bill, introduced by Assembly Member Lowenthal on February 16, 2024, amends the California Consumer Privacy Act of 2018 (CCPA) with several key provisions:
- Web browsers must include a setting that enables consumers to send an opt-out preference signal to businesses they interact with through the browser.
- Mobile operating systems must incorporate a similar opt-out setting within six months after the California Privacy Protection Agency adopts relevant regulations.
- These opt-out settings must be easy for a reasonable person to locate and configure.
- The California Privacy Protection Agency is authorized to adopt regulations to implement and administer these provisions, including updating definitions to address technological changes and privacy concerns.
If enacted, AB 3048 would significantly simplify the process for consumers to exercise their privacy rights under existing California law. Currently, while consumers have the right to opt out of data sharing, the process can be cumbersome, often requiring navigation through complex opt-out forms on individual websites.
For businesses, particularly tech companies like Google and Apple, the law would necessitate updates to their browser and operating system designs. Smaller businesses that rely on targeted advertising may also feel the impact if more consumers choose to opt out of data sharing.
Timeline and implementation
The bill sets a clear timeline for implementation:
- August 31, 2024: AB 3048 was enrolled after passing both the Senate and Assembly.
- September 30, 2024: Deadline for Governor Newsom to sign or veto the bill.
- January 1, 2026: The law would become operative if signed.
Industry reactions
Reactions to AB 3048 have been mixed. Brave, a privacy-focused web browser, has expressed support for the bill. According to a statement released on August 29, 2024, Brave already implements the Global Privacy Control (GPC) setting by default, which aligns with the bill's requirements.
However, some tech giants have voiced concerns. Google, for instance, has reportedly been sending emails to its users and small business partners, warning about potential negative impacts of the bill. Critics argue that these communications may be misleading, as the bill simply requires the inclusion of an opt-out option that companies are already obligated to honor under existing California law.
The Global Privacy Control is a key component of AB 3048. GPC is a proposed specification that allows users to signal their privacy preferences to websites and services. By requiring browsers to include GPC functionality, AB 3048 aims to standardize and simplify the opt-out process across different platforms.
AB 3048 is part of a broader trend of data privacy legislation in the United States and globally. California has been at the forefront of these efforts, with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) already in effect. These laws grant consumers various rights regarding their personal information, including the right to know what data is being collected about them and the right to request its deletion.
The new bill builds on these existing protections by making it easier for consumers to exercise their rights across multiple platforms and services with a single setting.
While supporters view AB 3048 as a step forward for consumer privacy, the bill may face challenges:
- Implementation Complexity: Browser and operating system developers may need to invest significant resources to comply with the new requirements.
- User Awareness: The effectiveness of the opt-out setting will depend on consumers being aware of its existence and understanding its implications.
- Economic Impact: Some businesses, particularly those relying heavily on targeted advertising, may see reduced revenues if a significant number of consumers opt out of data sharing.
- Potential for Fragmentation: As different states enact varying privacy laws, companies may face a patchwork of regulations across the country.
If signed into law, AB 3048 could set a precedent for other states considering similar legislation. It may also influence federal discussions on comprehensive privacy legislation. As the January 1, 2026 implementation date approaches, consumers, businesses, and privacy advocates will be watching closely to see how this law reshapes the digital privacy landscape in California and beyond.
Key Facts
- Bill Number: AB 3048
- Introduced: February 16, 2024
- Passed Legislature: August 28, 2024
- Governor's Signature Deadline: September 30, 2024
- Operative Date (if signed): January 1, 2026
- Key Requirement: Mandatory opt-out settings in web browsers and mobile operating systems
- Regulatory Authority: California Privacy Protection Agency