If passed, AB 3048 would require browser and mobile OS providers to enable users to send “opt-out preference signals” (OOPS) to businesses. This could significantly impact the advertising ecosystem and data-sharing practices.
On August 27, 2024, the California Senate passed AB 3048, amending the California Consumer Privacy Act to require all browser and mobile operating system providers to enable consumers to send an opt-out preference signal (“OOPS”), like Global Privacy Control to a business with which the consumer interacts. Once passed by the assembly as expected, the bill will go to the governor’s desk, who has until September 30 to veto.
What is an opt-out preference signal?
An OOPS – a “universal opt-out mechanism” – is a user-enabled technical specification that automatically sends a signal to an online site or service that a consumer requests to opt out of the sale or share their personal information. The most widely recognized OOPS is Global Privacy Control. Twelve state privacy laws require an online business to honor a consumer’s opt-out through an OOPS.
After the California Attorney General’s settlement with cosmetics retailer Sephora, businesses began to prioritize OOPS recognition. The AG alleged that Sephora failed to process user requests to opt out of sales signaled by the Global Privacy Control.
Currently, only smaller browsers like DuckDuckGo and Brave offer built-in support for OOPSs, while Chrome, Safari, and Bing do not. Consumers using more popular browsers must rely on extensions to send opt-out signals. On mobile, no operating systems currently offer built-in functionality to opt out of the app’s sale/share of personal information.
Also Read: Google Rethinks Cookie Apocalypse: A New Approach to Online Advertising
What does AB 3048 do?
The bill requires businesses that develop or maintain browsers or mobile operating systems to provide a setting that enables the consumer to send an OOPS. It expands the definition of an OOPS to include a consumer’s request to limit their sensitive personal information use. The law enters into effect on January 1, 2026. Still, the mobile OS provisions will only become operative six months following the adoption of regulations by the CPPA that detail requirements and technical specifications for mobile implementation.
Takeaways
Requiring browsers to integrate opt-out preference signals will considerably impact ad monetization. This will allow consumers to more easily opt out of sales and shares, which could dramatically reduce the effectiveness of advertising campaigns and the ability of businesses to use personal information for secondary purposes. We expect this change will drive businesses to alternative solutions, such as contextual advertising or first-party data.
The added compliance wrinkle for an OOPS to signal a request to limit the use of a consumer’s sensitive personal information – an obligation not previously found in any CCPA regulations but included in the statute – will require revision of current OOPS processes designed to effectuate a request to opt out of sale or sharing only. This raises questions of how online businesses will honor requests to limit in light of California’s expansive and growing definition of sensitive personal information, which includes, among other things, precise geolocation and the content of communications.
The CPPA’s regulations will be key in assessing AB 3048’s impact on the data-sharing ecosystem. OOPS does not currently work in mobile app environments, but the CPPA must adopt regulations outlining the requirements for use by a mobile operating system. The design of choice screens or opt-out pop-ups and how these settings would interplay with Apple’s ATT framework or Google’s Advertising ID program will be fundamental in determining the bill’s impact.
In theory, a browser or mobile operating system could decide to turn OOPS on by default, which would fundamentally disrupt the advertising ecosystem. We find it unlikely, although not impossible, that California would choose such a path, as other states have required OOPS to be off by default.
Also Read: Jonathan Moran on the Future of MarTech: AI, Data Privacy, and Emerging Trends
Based on the rate at which the CPPA promulgates regulations, we do not expect the portions of this bill applying to mobile operating systems to take effect until 2027, giving businesses plenty of lead time to prepare for yet another limitation on targeted advertising. Browser providers will have a shorter runway, with an effective date coming at the beginning of 2026.
