Data news

California’s CPPA Board Approves Legislative Proposal on Opt-Out Preference Signals

Written by Alex Margau | Dec 22, 2023 2:00:00 PM

The Board of the California Privacy Protection Agency (CPPA) voted unanimously on December 8, 2023, to move forward with a new legislative initiative. The legislative proposal would create an obligation for browser vendors to integrate a feature empowering users to assert their California privacy rights through opt-out preference signals.

Ashkan Soltani, the Executive Director of the California Privacy Protection Agency, commended the Board, stating the following: "We applaud the Board for their leadership in advancing this innovative proposal, which sits at the cutting edge of technology policy. [...] If approved through the California legislative process, this proposal will not only advance Californians' consumer privacy but help incentivize the development of privacy-enhancing technologies."

Same as the California Consumer Privacy Act (CCPA), the proposal will mandate that businesses respect opt-out preference signals as a request to opt-out of the sale or sharing of personal information. These opt-out preference signals provide a simple and user-friendly method for consumers to automatically exercise their right to opt-out of data sale or sharing when interacting with online businesses. Through an opt-out preference signal, a consumer can easily opt-out of the sale and sharing of their personal information across all online interactions without having to submit the same request with each and every business.

Maureen Mahoney, CPPA’s Deputy Director of Policy and Legislation, also lauded the legislative proposal and stressed the importance of opt-out preference signals, saying that "Opt-out preference signals are a powerful tool to help consumers protect their privacy rights. [...] Consumers shouldn't have to submit individual requests at hundreds of sites just to protect their personal information. We look forward to working with California legislators to make it easier for California consumers to exercise their privacy rights."

It is relevant to note that this new legislative proposal seems to also align with the California Delete Act, which has already been signed into law back in October, 2023, and which will become effective as of January 1, 2024. The California Delete Act stands out by establishing a mechanism through which consumers can, in one single request, obtain from all data brokers the deletion of their personal information, as opposed to consumers submitting one such request with each one of the data brokers that has collected and processed the personal information of the consumer. 

Presently, to exercise this right under the CCPA, consumers have to either use a browser that supports an opt-out preference signal, such as Mozilla Firefox, DuckDuckGo, and Brave, or take additional steps to locate and download a browser plugin from third-party developers that adds support for such signals. Browsers that natively support opt-out preference signals account for less than 10% of the global desktop browser market share and none of them come already installed on consumers’ devices by default, posing challenges for consumers to become aware and make use of these privacy protections.

On the other side, more known browsers of major companies, such as Google Chrome, Microsoft Edge, and Apple Safari, which account for over 90% of the desktop browser market share, have not yet adopted these signals, despite the fact they rely on advertising business models. In addition to this, currently, there is no device operating system that has implemented support for opt-out preference signals.

If the legislative proposal voted unanimously by the CPPA Board is approved, the state of  California will become the first state to oblige browser vendors to provide consumers with the option to enable these opt-out preference signals. At this time, seven states, including California, Colorado, Connecticut, Delaware, Montana, Oregon, and Texas, already require businesses to respect browser privacy signals as an opt-out mechanism for the sale of personal data.