A new bill has been enrolled in California, where I live. But how will this affect web browser developers outside of California?
The bill is the California Opt Me Out Act, AB 566. The text of Section 2 of the bill is found at the end of this post. But the two major parts of the bill are as follows:
- Starting in 2027, businesses that create web browsers, regardless of their location, must include “functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses.”
- Web browser developers that do this “shall not be liable for a violation of this title by a business that receives the opt-out preference signal.”
The bill doesn’t get any more specific than that; the California Privacy Protection Agency will work out the details.
The part of interest of course, is that happens to businesses that develop web browsers WITHOUT the opt-out functionality. What happens to those non-compliant businesses? What is the liability? Is it civil? Criminal? If Safari doesn’t include easy-to-use opt out functionality, will Tim Cook do time?
This is yet another example of the debate that occurs when one country, or one state, or one county/city enacts a law and expects the rest of the world to comply. In this particular case, the state of California is telling every web browser developer in the entire world how to configure their browsers. The developers have several choices:
- Comply with California law, while simultaneously complying with laws from all other jurisdictions regarding opt out. Including a theoretical business-friendly jurisdiction that prohibits opt out entirely.
- Ignore the California law and see what the California Privacy Protection Agency does, or tries to do. Is Yandex, the Russian developer of the Yandex browser, going to really care about California law?
- Contest the law in court, arguing that it violates the U.S. First Amendment, the U.S. Second Amendment, or whatever.
The ball is now in the hands of the CPPA, which needs to develop the regulations to implement the law, as well as develop the penalties for non-compliant businesses.
Here is the exact text of Section 2.
SEC. 2.
Section 1798.136 is added to the Civil Code, to read:
1798.136.
(a) (1) A business shall not develop or maintain a browser that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses with which the consumer interacts through the browser.
(2) The functionality required by paragraph (1) shall be easy for a reasonable person to locate and configure.
(b) A business that develops or maintains a browser shall make clear to a consumer in its public disclosures how the opt-out preference signal works and the intended effect of the opt-out preference signal.
(c) The California Privacy Protection Agency may adopt regulations as necessary to implement and administer this section.
(d) A business that develops or maintains a browser that includes a functionality that enables the browser to send an opt-out preference signal pursuant to this section shall not be liable for a violation of this title by a business that receives the opt-out preference signal.
(e) As used in this section:
(1) “Browser” means an interactive software application that is used by consumers to locate, access, and navigate internet websites.
(2) “Opt-out preference signal” means a signal that complies with this title and that communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information.
(f) This section shall become operative on January 1, 2027.
Bredemarket 