California Consumer Privacy Act of 2018: opt-out preference signal.

Assembly Member Lowenthal, joined by Senator Stern as principal coauthor and Senator Wahab as a coauthor, advances a browser-centered privacy measure that would embed a consumer-configurable opt-out signal into the way browsers interact with the online world, tying this mechanism to the state’s California Privacy Rights Act framework. The core aim is to give individuals a direct, observable channel to convey opt-out preferences as they navigate websites through the browser itself.

The bill adds a new Civil Code provision establishing several key requirements. It would prohibit a business from developing or maintaining a browser that lacks functionality configurable by a consumer to send an opt-out preference signal to businesses encountered through the browser. The required functionality must be easy for a reasonable person to locate and configure. Public disclosures by the browser developer must explain how the opt-out signal works and its intended effect. The California Privacy Protection Agency may adopt regulations to implement and administer the section. The sender browser would receive immunity from liability for a violation of this title by a downstream business that receives the opt-out signal. The act defines “browser” as an interactive software application used to locate, access, and navigate internet websites, and defines “opt-out preference signal” as a signal that communicates the consumer’s choice to opt out of the sale and sharing of personal information. The operative date is January 1, 2027.

The measure positions the new provision within the broader CPRA/CCPA framework, clarifying that enforcement potential would follow existing channels and regulatory guidance while leaving technical specifics to agency regulations. It does not itself create penalties or a private right of action beyond the immunity described for senders, and it does not amend other substantive privacy rights. The bill invites regulatory detail on signal format, transmission, persistence, revocation, and disclosure content, with CPPA rulemaking anticipated to determine practical standards and enforcement procedures in conjunction with the current privacy regime.

Implementation timelines and stakeholder implications center on a two-year lead time before operative effect, allowing browser developers to build the feature and CPPA to establish specifications through regulations. The proposal outlines potential costs to developers for integration and disclosures, and potential administrative costs for CPPA related to rulemaking and oversight. It also raises questions about interoperability, interaction with existing do-not-sell signals, and downstream compliance obligations for businesses that receive opt-out signals, all of which would be further clarified through forthcoming regulatory guidance.