Calif. Gov. vetoes attempt to require new privacy option in browsers and OSes


A closeup photo of California Governor Gavin Newsom's face
Enlarge / California Governor Gavin Newsom at a press conference in San Francisco on September 19, 2024.

Getty Images | Anadolu

California Gov. Gavin Newsom vetoed a bill that would have required makers of web browsers and mobile operating systems to let consumers send opt-out preference signals that could limit businesses’ use of personal information.

The bill approved by the State Legislature last month would have required an opt-out signal “that communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information or to limit the use of the consumer’s sensitive personal information.” It would have made it illegal for a business to offer a web browser or mobile operating system without a setting that lets consumers “send an opt-out preference signal to businesses with which the consumer interacts.”

In a veto message sent to the Legislature Friday, Newsom said he would not sign the bill. Newsom wrote that he shares the “desire to enhance consumer privacy,” noting that he previously signed a bill “requir[ing] the California Privacy Protection Agency to establish an accessible deletion mechanism allowing consumers to request that data brokers delete all of their personal information.”

But Newsom said he is opposed to the new bill’s mandate on operating systems. “I am concerned, however, about placing a mandate on operating system (OS) developers at this time,” the governor wrote. “No major mobile OS incorporates an option for an opt-out signal. By contrast, most Internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality. To ensure the ongoing usability of mobile devices, it’s best if design questions are first addressed by developers, rather than by regulators. For this reason, I cannot sign this bill.”

Vetoes can be overridden with a two-thirds vote in each chamber. The bill was approved 59–12 in the Assembly and 31–7 in the Senate. But the State Legislature hasn’t overridden a veto in decades.

“Industry worked overtime to squash bill”

The opt-out bill would have built on the California Consumer Privacy Act (CCPA) of 2018 and California Privacy Rights Act of 2020. Google, which recently nixed a plan to turn off tracking cookies by default in Chrome, urged Newsom to veto the bill, reports by Bloomberg and Politico said.

“It’s troubling the power that companies such as Google appear to have over the Governor’s office,” said Justin Kloczko, tech and privacy advocate for Consumer Watchdog, a nonprofit group in California. “What the governor didn’t mention is that Google Chrome, Apple Safari and Microsoft Edge don’t offer a global opt-out and they make up for nearly 90 percent of the browser market share. That’s what matters. And people don’t want to install plug-ins. Safari, which is the default browsers on iPhones, doesn’t even accept a plug-in.”

Consumer Reports Policy Analyst Matt Schwartz said that “industry worked overtime to squash this bill, as it empowered Californians to better protect their privacy, undermining the commercial surveillance business model of these tech companies. We strongly disagree with the idea expressed in the governor’s veto statement that it should be left to operating systems to provide privacy choices for consumers. They’ve shown time and again they won’t meaningfully do so until forced.”

Consumer Reports is one of the groups behind Global Privacy Control (GPC), an opt-out signal that creators hope will become legally binding under the CCPA or other privacy laws. Makers of Global Privacy Control say it is superior to the older Do Not Track (DNT) signal because the California attorney general “determined that the AG could not require businesses to comply with DNT requests because the requests do not clearly convey users’ intent to opt out of the sale of their data.”

“The California AG has determined that businesses must honor two methods of submitting opt-outs. GPC is meant to provide users with an additional option for objecting to the sale of their data, and it functions identically to clicking a ‘Do Not Sell My Personal Information’ link provided by a business,” the GPC website says.

GPC is available on Firefox, Brave, DuckDuckGo, and several other browsers, but not Google’s Chrome, Microsoft’s Edge, and Apple’s Safari. The Do Not Track signal is still an option in Chrome and Edge. Chrome, Edge, and Safari also each have features that limit websites’ ability to track users.

Leave a Reply

Your email address will not be published. Required fields are marked *