Private lawsuits under the CCPA may become more common. Find out how courts have been interpreting a key provision of California's privacy law.
Update: California Governor Gavin Newsom has since vetoed this legislation and it will not become law.
In a long-anticipated update to the California Consumer Privacy Act (CCPA), state lawmakers passed AB 3048, which requires web browsers and mobile operating systems to include an opt-out preference signal in their settings.
Opt-out preference signals, sometimes called universal opt-out mechanisms, are a prominent feature of the CCPA, as well as many other U.S. state privacy laws. In theory, a consumer can enable the signal in their browser or mobile OS, and businesses must interpret the signal as an opt-out request.
In direct response to these privacy laws, web developers created the Global Privacy Control (GPC) standard, which offers a simple way to send and receive an opt-out preference signal. The big problem was that only Mozilla Firefox and a few other privacy-focused browsers like Brave and DuckDuckGo offered native support for GPC.
Google’s Chrome browser and Apple’s Safari account for roughly 80-85% of the browser market; Android and iOS are virtually unchallenged in their dominance of mobile operating systems. However, none of these systems offered native support for GPC or any other type of opt-out signal, and they had little reason to do so.
The new law requires browsers and mobile operating systems to include an opt-out preference signal in their settings options, making it much easier for consumers to find and enable that setting. Apple and Google are not necessarily required to adopt GPC as the standard, so it will be interesting to see if they develop their own opt-out signals instead. Either way, businesses should expect to see a massive increase in this type of opt-out once consumers have access to this tool.
AB 3048 will take effect on January 1, 2026. The requirement for mobile operating systems will become active six months after the California Privacy Protection Agency adopts regulations outlining the requirements and technical specifications for the OS signal.
To get your business privacy compliant and painlessly integrate Global Privacy Control into your website, contact the TrueVault team.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.