Newsom Signs Global Opt-Out Bill; CPPA Head Urges Businesses to Get Ready
Businesses should expect an increase in universal opt-out preference signals (OOPS) after California Gov. Gavin Newsom (D) signed a bill Wednesday that requires all web browsers to support the functionality (see 2510080036), said Tom Kemp, California Privacy Protection Agency executive director. The CPPA and regulators in other states are checking if companies are honoring such requests, Kemp warned in an interview Wednesday. Newsom signed AB-566 and two other privacy bills earlier in the day.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
AB-566 will require all web browsers to include the functionality that lets users automatically opt out of selling or sharing personal information across the web. The bill from Assemblymember Josh Lowenthal (D), which received support from the CPPA and California AG Rob Bonta (D), passed the legislature on Sept. 11 (see 2509110066).
AB-566 requires browsers to implement OOPS by Jan. 1, 2027. Browser companies that do so will gain immunity from liability in California for violations by businesses receiving the signals (see 2509080005). Currently, only some browsers, such as Brave and Mozilla Firefox, let users activate the signals. Google Chrome and Microsoft Edge users can send the signals if they download a third-party extension.
Kemp told Privacy Daily that the new law will give consumers “confidence” that they will automatically be opted out on every website they visit, without having to opt out on individual websites every time they visit. In a CPPA press release, Maureen Mahoney, deputy director of policy & legislation, added that the new “law recognizes that privacy rights are meaningless if they’re too difficult to use.”
However, some have warned that making universal opt-outs easier for consumers could lead to many more opt-out requests that businesses would have to honor (see 2509240013).
Kemp agreed that, over the next year and a half before the law takes effect, “you will see increased signals being sent to businesses … so now is a great time for businesses to thoroughly support that.” The CPPA’s recent Tractor Supply Co. enforcement action (see 2510030028 and 2509300010) made “clear that you actually have to support it and make sure that the opt-out signal and the corresponding request applies to all technologies that you may have implemented and integrated into your website,” he said.
California’s law could have an impact beyond the state’s borders. “I expect, but it's not required, that most browser vendors will just make this a universal capability, and they won't have a separate California install versus a rest-of-U.S.” version of their browser, said Kemp.
He noted that several other states also require businesses to honor universal opt-out signals, and that California and two other states are currently sweeping for noncompliance with the Global Privacy Control, a leading type of OOPS (see 2509090045). “This probably will lead to GPC being a standard across the United States,” he added.
Last year, Newsom vetoed similar legislation that had additionally proposed requiring mobile operating systems to implement OOPS. But this year, apparently in response to the governor’s concerns, the measure’s scope was narrowed to browsers.
Kemp clarified that AB-566 will cover web browsers that run on any platform, including Google Android or Apple iOS devices. While it would have been “nice” to additionally require OOPS as a mobile OS setting, the new law still marks “a major step forward,” said the CPPA head. “Down the road,” he said, “it may be nice to add … mobile apps into the mix as well.”
Consumer advocates applauded the signing. AB-566 “makes it easy for Californians to tell companies what they want to happen with their own information,” said Hayley Tsukayama, Electronic Frontier Foundation associate director of legislative activism, in a written statement. “Giving people the option for an easier way to communicate how they want companies to treat their personal information helps rebalance the often-lopsided relationship between the two -- the easier it is to exercise your rights, the more power you have.”
Matt Schwartz, policy analyst for Consumer Reports, said in a statement, “For too long, opting out has been a confusing and time intensive process, and many people might not have even realized they can universally opt out. This law will help people protect their personal data by allowing them to simply switch a toggle that tells businesses they can’t sell or share it.”
The Network Advertising Initiative had asked Newsom to veto the 2025 bill. The ad-tech group, which includes Google, Microsoft and smaller ad networks as members, argued that the legislation didn’t include adequate safeguards to ensure that an opt-out preference signal coming from browsers truly represents a consumers’ choice (see 2509250043).
"We believe that it is premature to require browsers to provide OOPS without also requiring the CPPA to meet existing statutory requirements to guide the implementation and ensure that these signals are not on by default," David LeDuc, NAI vice president of public policy, emailed us. "To date, they have not met these requirements."
History shows that "developers of widely used browsers are often conflicted and may constrain or presuppose a consumer’s intent in a way that significantly disadvantages smaller businesses from competing, such as the ability for small publishers to rely on tailored advertising to generate revenue," added LeDuc. "So, while the outcome will not be known for years to come, we’re concerned that California’s new law may lead to a proliferation of OOPS that presuppose a user’s intent, [which] could lead to confusion across the marketplace and a lack of trust in all signals."
Social Media, Data Broker Bills Signed
Also Wednesday, Newsom signed a social media deletion bill (AB-656) by Assemblymember Pilar Schiavo (D). In addition to governing how users may delete their accounts, the legislation requires platforms to treat such cancellations as California Consumer Privacy Act requests to delete users’ personal information (see 2509050003).
“It shouldn’t be hard to delete social media accounts, and it shouldn’t be even harder to take back control of personal data,” Newsom said in a news release. “Social media users can be assured that when they delete their accounts, they do not leave their data behind.”
Schiavo said in the same release, “Social media users deserve to have the confidence that they can easily delete their account and when they do that their personal information is deleted too.”
The third piece of legislation signed into law Wednesday was SB-361, a bill by Sen. Josh Becker (D) that requires data brokers to disclose to the CPPA more types of personal information in their state registrations than they do now (see 2508270041).