California Assembly Bill AB-566, passed in the State's Assembly and Senate 2 weeks ago, has been given to Governor Newsom for signing and, unless he caves to lobbying from the behavioral advertising industry and big tech, could soon become law.
If it happens, this will mean that companies that develop or maintain browsers, i.e. any "interactive software application that is used by consumers to locate, access, and navigate internet websites", must:
- include functionality configurable by a consumer that enables the sending of an opt-out preference signal to businesses with which the consumer interacts through the browser.
- make that functionality easy for a reasonable person to locate and configure.
- make clear to consumers in its public disclosures how the opt-out preference signal works and the intended effect of the opt-out preference signal.
Although it will not become operative until January 1st 2027, browser companies will now have to either implement the Global Privacy Control (Sec-GPC) signal or declare that the opt-out version of the Do Not Track signal (DNT:1), which most browsers already implement, also "communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information". California law does not specify what the signal is, only that there should be one.
This law moves US regulations closer to those in Europe, where the default is that consumers cannot be tracked online without their consent.
In the US, anyone who configures their browser to send an opt-out signal will effectively have the same protection, although the US law is worded differently: it relates to protection from tracking by third-party companies, not the company that controls the website. Its effect will be the same - as tracking always involves third parties.
There is currently a process aimed at "improving" European privacy law. As usual there have been attempts by big tech lobbyists to undermine the well-crafted parts of ePrivacy or the GDPR that protect privacy rights, but this could be an opportunity to introduce some of the provisions in California law reinforcing existing protections while improving the user interface.
Lobbyists pretend that the bombarding of users with intrusive "consent banners" resulted directly from the ePrivacy Directive, when in fact it was big tech implementations that did this - in order to create "consent fatigue" - as part of their plan to change the law in their favour.
So-called "consent fatigue" was recognised as an issue by the legislators who drafted the California law, who added provisions to encourage responding to universal opt-out signals in a "frictionless" manner. This means that websites could not "display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content" in response to the opt-out preference signal. See CCPA regulations § 7025(f)(3), page 39.
Europe could co-opt the browser-generated opt-out signal, which would otherwise be irrelevant under European ePrivacy law, to also signal the user's preference for a "frictionless" approach, i.e. not to see an intrusive banner requesting that they give consent, but only an unobtrusive yet easily identifiable "consent" or "change preference" button in an expected location such as a footer.
What is missing from the California law is provision for a "consent" or "opt-in" signal. This could create confusion and inhibit enforcement, because companies could say that users can override their general opt-out with an unspecified and therefore undetectable opt-in.
This was anticipated during the development of the W3C Do Not Track standard which introduced the DNT:0 option to signal consent, or as an opt-in exception for a particular website to countermand a previously-given, or more general, opt-out.
We have been developing privacy-protecting and compliance technology since 2010, and were actively involved in the development of the Do Not Track standard, as well as both the GDPR and ePrivacy Regulations.
We also created the very first consent platform, still the only one that fully implements the legal requirements, stops malware, consent-enables YouTube and other third-party tracking content, and introduced the first implementation (compliance jurisdiction dependent on source IP address) of a GPC and DNT compliant US version in 2020, in a fully "frictionless" manner.
For help with any of this, get in touch!
We have suggested the following improvements to the European laws on cookies:
- Call on the EDPB to specify a browser generated consent signal, which could be a request header (like DNT:0) or simply a low-entropy limited-duration cookie with a well-known name, together with:
- Amended legislation forbidding the creation of a consent signal without first obtaining informed consent, and:
- a duty on software providers (browsers et al.) to enforce users' privacy, e.g. by blocking high-entropy persistent cookies/storage unless the consent signal exists (partly covered in the now abandoned ePrivacy Regulation), and
- forbid the bombardment with consent-entreating pop-ups if any recognised opt-out signal is present. See for example the description of the "frictionless" response to an opt-out in California's CCPA regulations.
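As an added example (not code from the original post or from the author's consent platform), the following server-side logic shows how a website could act on the signals discussed above: treat `Sec-GPC: 1` or `DNT: 1` as a general opt-out that triggers the "frictionless" mode, let `DNT: 0` or a well-known consent cookie countermand it, and refuse to set high-entropy persistent cookies without consent. The header names and the GPC value `"1"` come from the published specifications; the cookie name `consent_signal` and the 8-byte entropy threshold are assumptions.

```javascript
// Added example: decision logic for GPC / DNT opt-out and a consent signal.
// The cookie name and the low-entropy threshold are assumptions for this demo.
const CONSENT_COOKIE = "consent_signal"; // assumed well-known cookie name

function header(headers, name) {
  // Header names are case-insensitive, so look the name up case-insensitively.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

function parseCookies(cookieHeader) {
  // Minimal Cookie header parser: "a=b; c=d" -> { a: "b", c: "d" }.
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

function privacySignals(headers) {
  // GPC counts as present only when the value is exactly "1".
  const gpc = header(headers, "sec-gpc") === "1";
  const dnt = header(headers, "dnt");
  const cookies = parseCookies(header(headers, "cookie"));
  const optOut = gpc || dnt === "1";
  // DNT:0 (a site-specific exception) or the consent cookie countermands opt-out.
  const consent = dnt === "0" || cookies[CONSENT_COOKIE] === "1";
  let mode;
  if (consent) mode = "consented";
  else if (optOut) mode = "frictionless"; // no banner, no tracking cookies
  else mode = "ask"; // show only an unobtrusive consent control
  return { optOut, consent, mode };
}

// Decide whether a Set-Cookie the site wants to send is allowed: a persistent
// cookie (Max-Age or Expires) whose value exceeds a few bytes is treated as
// high-entropy storage and may only be set once consent has been signalled.
function cookieAllowed(setCookie, signals, maxLowEntropyBytes = 8) {
  const [nameValue, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const value = nameValue.slice(nameValue.indexOf("=") + 1);
  const persistent = attrs.some((a) => /^(max-age|expires)=/i.test(a));
  const lowEntropy = new TextEncoder().encode(value).length <= maxLowEntropyBytes;
  return signals.consent || !persistent || lowEntropy;
}
```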