On Oct. 8, California Governor Gavin Newsom, signed the California Opt Me Out Act (“AB566”) into law. AB566 amends the California Consumer Privacy Act (“CCPA”) by requiring companies that develop or maintain internet browsers to create an opt-out preference signal (“OOPS”) that will allow consumers to configure it to opt-out of the sale or sharing of their personal information. The intent of the new law is to allow consumers to use the OOPS to communicate their preferences without having to do so on every website they visit.
In a statement released by the California Privacy Protection Agency (“CPPA”), Deputy Director of Policy & Legislation, Maureen Mahoney, said “This law recognizes that privacy rights are meaningless it they’re to difficult to use.” This clearly shows that the privacy regulators in California are intent on making sure the privacy protections afforded California residents are meaningful in practice and application.
The question is how will this new law work in practice when it goes into effect on January 1, 2027?
The CCPA only applies to businesses that are collecting information about California residents and that meet certain thresholds established under the CCPA. One of the requirements under the CCPA, for those businesses to which it applies, is to allow California residents to opt-out of the sale or sharing of their personal information, and to honor such requests. The new law will make it presumably easier, as outlined below, for California consumers to send businesses their preferences regarding opt-outs. This will require business to do two things 1) configure their website to accept such OOPS, and 2) track and honor such requests. As stated before, this is already required but not on the scale that an automated OOPS will potentially entail.
Of course, all of this will rely on how browser companies design and configure their OOPS capabilities. There are open questions regarding whether or not such OOPS will default to being enabled, or how user friendly configuring the OOPS will be. There is also a consideration on whether or not a functionality will be developed to deactivate the OOPS for non-residents of California, or if it will be enabled at all times. This question alone could greatly impact the number of requests that a business will have to handle.
Either way, the new law has the potential to severely impact the amount of data that a company, whether or not in California or just doing business there, is able to collect from consumers and use for advertising or other purposes. There is also a possibility that the new law will have a far-reaching impact beyond California as the major browser providers are used internationally.
AB566 also gives the CPPA authority to draft and adopt regulations to implement and administer the new law. We will have to wait and see if a standard emerges for the newly required OOPS or what form the OOPS will take. Hopefully any such standard makes it easier for both businesses and consumers to take advantage of the new requirements.
